Subject: x86/amd: Mitigate AMD-SN-7052
From: Andrew Cooper andrew.cooper3@citrix.com Tue Nov 4 18:08:07 2025 +0000
Date: Wed May 6 15:31:11 2026 +0100:
Git: 3ed365e3f9ee281a8b34d65b6f5a4bf04bc871e4

This is XSA-490 / CVE-2025-54518.

Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
(cherry picked from commit 8070bdfa7220e772fae248abd3cbf5e87fc0fefb)

diff --git a/xen/arch/x86/cpu/amd.c b/xen/arch/x86/cpu/amd.c
index 43883e04db..3914032269 100644
--- a/xen/arch/x86/cpu/amd.c
+++ b/xen/arch/x86/cpu/amd.c
@@ -1050,11 +1050,25 @@ static void amd_check_bp_cfg(void)
 {
 	uint64_t val, new = 0;
 
-	/*
-	 * AMD Erratum #1485.  Set bit 5, as instructed.
-	 */
-	if (!cpu_has_hypervisor && boot_cpu_data.x86 == 0x19 && is_zen4_uarch())
-		new |= (1 << 5);
+	if (!cpu_has_hypervisor) {
+		/*
+		 * AMD Erratum #1485.  If SMT is enabled and STIBP disabled,
+		 * the CPU may fetch incorrect instruction bytes.
+		 *
+		 * Set bit 5, as instructed.
+		 */
+		if (boot_cpu_data.x86 == 0x19 && is_zen4_uarch())
+			new |= (1 << 5);
+
+		/*
+		 * AMD SB-7052.  CPU OP Cache corruption, causing instructions
+		 * to be executed at a higher privilege.
+		 *
+		 * Set bit 33, as instructed.
+		 */
+		if (boot_cpu_data.x86 == 0x17 && is_zen2_uarch())
+			new |= (1UL << 33);
+	}
 
 	/*
 	 * On hardware supporting SRSO_MSR_FIX, activate BP_SPEC_REDUCE by