2018-01-04 1b1826810bcaa8b7cff0b09a6cc1d8b1503426c9
import qemu-kvm-1.5.3-141.el7_4.6
4 files added
1 files modified
725 ■■■■■ changed files
SOURCES/kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch 152 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran.patch 411 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran.patch 79 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-vfio-pci-Only-mmap-TARGET_PAGE_SIZE-regions.patch 61 ●●●●● patch | view | raw | blame | history
SPECS/qemu-kvm.spec 22 ●●●●● patch | view | raw | blame | history
SOURCES/kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch
New file
@@ -0,0 +1,152 @@
From 6d0877d3a5dff82b854a7eee38ef7558dfa1d4ef Mon Sep 17 00:00:00 2001
From: Eduardo Habkost <ehabkost@redhat.com>
Date: Wed, 13 Dec 2017 15:42:56 -0200
Subject: [PATCH 2/3] target-i386: add support for SPEC_CTRL MSR
RH-Author: Eduardo Habkost <ehabkost@redhat.com>
Message-id: <20171213174257.20475-3-ehabkost@redhat.com>
Patchwork-id: n/a
O-Subject: [CONFIDENTIAL][RHEL-7.4.z qemu-kvm PATCH v2 2/3] target-i386: add
 support for SPEC_CTRL MSR
Bugzilla: CVE-2017-5715
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
---
 target-i386/cpu.h     |  4 ++++
 target-i386/kvm.c     | 15 +++++++++++++++
 target-i386/machine.c | 21 +++++++++++++++++++++
 3 files changed, 40 insertions(+)
diff --git a/target-i386/cpu.h b/target-i386/cpu.h
index 5697dc6..b23242d 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -304,6 +304,7 @@
 #define MSR_IA32_APICBASE_ENABLE        (1<<11)
 #define MSR_IA32_APICBASE_BASE          (0xfffff<<12)
 #define MSR_TSC_ADJUST                  0x0000003b
+#define MSR_IA32_SPEC_CTRL              0x48
 #define MSR_IA32_TSCDEADLINE            0x6e0
 #define MSR_P6_PERFCTR0                 0xc1
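Review bot: The new `MSR_IA32_SPEC_CTRL` constant carries no hint of what the register holds, and the rest of this series treats it as an opaque 64-bit value, so a reader of cpu.h has to go to the SDM to learn which bits matter; a short trailing comment is enough: `#define MSR_IA32_SPEC_CTRL              0x48 /* IBRS (bit 0), STIBP (bit 1) */`. Neighbouring entries are zero-padded to eight hex digits where they are small (`0x0000003b`), so `0x00000048` would also read more consistently, though the table is not uniform about it.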
@@ -958,6 +959,7 @@ typedef struct CPUX86State {
     uint64_t msr_fixed_counters[MAX_FIXED_COUNTERS];
     uint64_t msr_gp_counters[MAX_GP_COUNTERS];
     uint64_t msr_gp_evtsel[MAX_GP_COUNTERS];
+
     uint64_t msr_hv_hypercall;
     uint64_t msr_hv_guest_os_id;
     uint64_t msr_hv_vapic;
@@ -1030,6 +1032,8 @@ typedef struct CPUX86State {
     uint64_t xcr0;
     uint64_t xss;
+    uint64_t spec_ctrl;
+
     TPRAccess tpr_access_type;
 } CPUX86State;
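Review bot: Whether the new `spec_ctrl` field is cleared on guest reset cannot be seen from this hunk: it is placed just before `tpr_access_type`, and x86_cpu_reset() zeroes CPUX86State only up to a marker that lies outside the hunk. If the field ends up past that marker, a guest that enabled IBRS/STIBP keeps the value across a reset and kvm_put_msrs() re-applies the stale value to KVM, whereas the MSR is expected to read as zero after a reset. Please confirm the placement and record the requirement next to the field: `uint64_t spec_ctrl; /* IA32_SPEC_CTRL; must lie inside the region zeroed by x86_cpu_reset() */`. The struct starts outside the hunk.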
diff --git a/target-i386/kvm.c b/target-i386/kvm.c
index 6a479f4..ff58314 100644
--- a/target-i386/kvm.c
+++ b/target-i386/kvm.c
@@ -77,6 +77,7 @@ static bool has_msr_hv_vapic;
 static bool has_msr_hv_tsc;
 static bool has_msr_mtrr;
 static bool has_msr_xss;
+static bool has_msr_spec_ctrl;
 static bool has_msr_architectural_pmu;
 static uint32_t num_architectural_pmu_counters;
@@ -800,6 +801,10 @@ static int kvm_get_supported_msrs(KVMState *s)
                     has_msr_xss = true;
                     continue;
                 }
+                if (kvm_msr_list->indices[i] == MSR_IA32_SPEC_CTRL) {
+                    has_msr_spec_ctrl = true;
+                    continue;
+                }
             }
         }
@@ -1185,6 +1190,9 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
     if (has_msr_xss) {
         kvm_msr_entry_set(&msrs[n++], MSR_IA32_XSS, env->xss);
     }
+    if (has_msr_spec_ctrl) {
+        kvm_msr_entry_set(&msrs[n++], MSR_IA32_SPEC_CTRL, env->spec_ctrl);
+    }
 #ifdef TARGET_X86_64
     if (lm_capable_kernel) {
         kvm_msr_entry_set(&msrs[n++], MSR_CSTAR, env->cstar);
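Review bot: `msrs[n++]` appends to an entries array whose capacity is presumably fixed and declared above the hunk, and nothing visible checks that `n` stays within it before the KVM_SET_MSRS ioctl; every optional MSR added this way, including this one, moves the worst case closer to that bound. An `assert(n <= ARRAY_SIZE(...))` (or a compile-time bound) next to the ioctl would turn a future overrun into a clean failure rather than stack corruption; I cannot see the array or the ioctl from here. The same applies to the index list that kvm_get_msrs() builds later in this patch. kvm_put_msrs() continues outside the hunk.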
@@ -1193,6 +1201,7 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
         kvm_msr_entry_set(&msrs[n++], MSR_LSTAR, env->lstar);
     }
 #endif
+
     if (level == KVM_PUT_FULL_STATE) {
         /*
          * KVM is yet unable to synchronize TSC values of multiple VCPUs on
@@ -1541,6 +1550,9 @@ static int kvm_get_msrs(X86CPU *cpu)
     if (has_msr_xss) {
         msrs[n++].index = MSR_IA32_XSS;
     }
+    if (has_msr_spec_ctrl) {
+        msrs[n++].index = MSR_IA32_SPEC_CTRL;
+    }
     if (!env->tsc_valid) {
@@ -1783,6 +1795,9 @@ static int kvm_get_msrs(X86CPU *cpu)
                 env->mtrr_var[MSR_MTRRphysIndex(index)].base = msrs[i].data;
             }
             break;
+        case MSR_IA32_SPEC_CTRL:
+            env->spec_ctrl = msrs[i].data;
+            break;
         }
     }
diff --git a/target-i386/machine.c b/target-i386/machine.c
index ce7fcd3..4092cae 100644
--- a/target-i386/machine.c
+++ b/target-i386/machine.c
@@ -722,6 +722,24 @@ static const VMStateDescription vmstate_xss = {
     }
 };
+static bool spec_ctrl_needed(void *opaque)
+{
+    X86CPU *cpu = opaque;
+    CPUX86State *env = &cpu->env;
+
+    return env->spec_ctrl != 0;
+}
+
+static const VMStateDescription vmstate_spec_ctrl = {
+    .name = "cpu/spec_ctrl",
+    .version_id = 1,
+    .minimum_version_id = 1,
+    .fields = (VMStateField[]){
+        VMSTATE_UINT64(env.spec_ctrl, X86CPU),
+        VMSTATE_END_OF_LIST()
+    }
+};
+
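Review bot: `spec_ctrl_needed()` encodes a migration policy that deserves a comment: the subsection is only sent when the guest has written a non-zero value, so a guest that never touched IBRS/STIBP can still migrate to a qemu-kvm without this patch, while one that enabled them is refused by such a destination instead of silently losing the protection. Suggested comment above the function: `/* Only send the MSR when non-zero: guests that never enabled IBRS/STIBP keep migrating to older qemu-kvm, and a non-zero value is never dropped silently on the destination. */`. Note that the loaded value is not validated here; reserved bits arriving in a hostile migration stream are presumably left for KVM's MSR write handler to reject when kvm_put_msrs() runs.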
 const VMStateDescription vmstate_x86_cpu = {
     .name = "cpu",
     .version_id = 12,
@@ -871,6 +889,9 @@ const VMStateDescription vmstate_x86_cpu = {
          }, {
             .vmsd = &vmstate_xss,
             .needed = xss_needed,
+        }, {
+            .vmsd = &vmstate_spec_ctrl,
+            .needed = spec_ctrl_needed,
         } , {
             /* empty */
         }
--
1.8.3.1
SOURCES/kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran.patch
New file
@@ -0,0 +1,411 @@
From d4caecffd38c2a9c16ea717e9c863d3214093b32 Mon Sep 17 00:00:00 2001
From: Eduardo Habkost <ehabkost@redhat.com>
Date: Wed, 13 Dec 2017 15:42:57 -0200
Subject: [PATCH 3/3] target-i386: cpu: add new CPU models for indirect branch
 predictor restrictions
RH-Author: Eduardo Habkost <ehabkost@redhat.com>
Message-id: <20171213174257.20475-4-ehabkost@redhat.com>
Patchwork-id: n/a
O-Subject: [CONFIDENTIAL][RHEL-7.4.z qemu-kvm PATCH v2 3/3] target-i386: cpu: add
 new CPU models for indirect branch predictor restrictions
Bugzilla: CVE-2017-5715
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
To ensure the new CPU models won't introduce any unexpected
changes except for the spec-ctrl feature (even if people are
running older machine-types), copy all compat_props entries for
existing CPU models to their *-IBRS versions.
The only entries that are not being copied are the ones touching
"(min-)level" and "(min-)xlevel" because it's an expected result
of the CPU model change (otherwise the spec-ctrl feature would
remain unavailable to the guest).
The entries that had to be copied can be found using:
  $ git grep -E 'Nehalem|Westmere|SandyBridge|IvyBridge|Haswell-noTSX|Haswell|Broadwell-noTSX|Broadwell|Skylake-Client|Skylake-Server|EPYC'
Note that the upstream-only PC_COMPAT_* macros are not being
touched as they are not used by the RHEL machine-types.
---
 hw/i386/pc_piix.c |  17 ++++
 hw/i386/pc_q35.c  |   1 +
 target-i386/cpu.c | 236 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 target-i386/cpu.h |   3 +
 4 files changed, 257 insertions(+)
diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
index b043124..c53a6d4 100644
--- a/hw/i386/pc_piix.c
+++ b/hw/i386/pc_piix.c
@@ -753,7 +753,9 @@ static void pc_compat_rhel700(QEMUMachineInitArgs *args)
     x86_cpu_compat_set_features("Conroe", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
     x86_cpu_compat_set_features("Penryn", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
     x86_cpu_compat_set_features("Nehalem", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+    x86_cpu_compat_set_features("Nehalem-IBRS", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
     x86_cpu_compat_set_features("Westmere", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+    x86_cpu_compat_set_features("Westmere-IBRS", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
     /* SandyBridge and Haswell already have x2apic enabled */
     x86_cpu_compat_set_features("Opteron_G1", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
     x86_cpu_compat_set_features("Opteron_G2", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
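Review bot: Each `x86_cpu_compat_set_features("X", ...)` line in pc_compat_rhel700() now needs a twin for `"X-IBRS"`, and nothing enforces that pairing; the next compat tweak to a base model will silently not apply to its IBRS variant. A comment at the top of the function, `/* Every entry for a model that has an -IBRS variant must be duplicated for it; the two models are otherwise identical. */`, at least makes the rule visible, and a small helper that applies one tweak to both names would make it hard to get wrong. pc_compat_rhel700() starts and ends outside the hunk.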
@@ -928,18 +930,31 @@ static void pc_compat_rhel660(QEMUMachineInitArgs *args)
     x86_cpu_compat_set_features("Conroe", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
     x86_cpu_compat_set_features("Penryn", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
     x86_cpu_compat_set_features("Nehalem", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+    x86_cpu_compat_set_features("Nehalem-IBRS", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
     x86_cpu_compat_set_features("Westmere", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+    x86_cpu_compat_set_features("Westmere-IBRS", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
     x86_cpu_compat_set_features("Westmere", FEAT_1_ECX, 0, CPUID_EXT_PCLMULQDQ);
+    x86_cpu_compat_set_features("Westmere-IBRS", FEAT_1_ECX, 0, CPUID_EXT_PCLMULQDQ);
     x86_cpu_compat_set_features("Westmere", FEAT_8000_0001_EDX,
              CPUID_EXT2_FXSR | CPUID_EXT2_MMX | CPUID_EXT2_PAT |
              CPUID_EXT2_CMOV | CPUID_EXT2_PGE | CPUID_EXT2_APIC |
              CPUID_EXT2_CX8 | CPUID_EXT2_MCE | CPUID_EXT2_PAE | CPUID_EXT2_MSR |
              CPUID_EXT2_TSC | CPUID_EXT2_PSE | CPUID_EXT2_DE | CPUID_EXT2_FPU,
              0);
+    x86_cpu_compat_set_features("Westmere-IBRS", FEAT_8000_0001_EDX,
+             CPUID_EXT2_FXSR | CPUID_EXT2_MMX | CPUID_EXT2_PAT |
+             CPUID_EXT2_CMOV | CPUID_EXT2_PGE | CPUID_EXT2_APIC |
+             CPUID_EXT2_CX8 | CPUID_EXT2_MCE | CPUID_EXT2_PAE | CPUID_EXT2_MSR |
+             CPUID_EXT2_TSC | CPUID_EXT2_PSE | CPUID_EXT2_DE | CPUID_EXT2_FPU,
+             0);
     x86_cpu_compat_set_features("Broadwell", FEAT_8000_0001_EDX,
                                 0, CPUID_EXT2_RDTSCP);
+    x86_cpu_compat_set_features("Broadwell-IBRS", FEAT_8000_0001_EDX,
+                                0, CPUID_EXT2_RDTSCP);
     x86_cpu_compat_set_features("Broadwell", FEAT_7_0_EBX,
                                 0, CPUID_7_0_EBX_SMAP);
+    x86_cpu_compat_set_features("Broadwell-IBRS", FEAT_7_0_EBX,
+                                0, CPUID_7_0_EBX_SMAP);
     /* RHEL-6 kernel never supported exposing RDTSCP */
     x86_cpu_compat_set_features(NULL, FEAT_8000_0001_EDX, 0, CPUID_EXT2_RDTSCP);
@@ -1122,6 +1137,8 @@ static void pc_compat_rhel630(QEMUMachineInitArgs *args)
     enable_compat_apic_id_mode();
     x86_cpu_compat_set_features("SandyBridge", FEAT_1_ECX,
                                 0, CPUID_EXT_TSC_DEADLINE_TIMER);
+    x86_cpu_compat_set_features("SandyBridge-IBRS", FEAT_1_ECX,
+                                0, CPUID_EXT_TSC_DEADLINE_TIMER);
 }
 static void pc_init_rhel630(QEMUMachineInitArgs *args)
diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
index 850a25a..e6043df 100644
--- a/hw/i386/pc_q35.c
+++ b/hw/i386/pc_q35.c
@@ -228,6 +228,7 @@ static void pc_q35_init_1_4(QEMUMachineInitArgs *args)
 {
     x86_cpu_compat_set_features("n270", FEAT_1_ECX, 0, CPUID_EXT_MOVBE);
     x86_cpu_compat_set_features("Westmere", FEAT_1_ECX, 0, CPUID_EXT_PCLMULQDQ);
+    x86_cpu_compat_set_features("Westmere-IBRS", FEAT_1_ECX, 0, CPUID_EXT_PCLMULQDQ);
     pc_q35_init_1_5(args);
 }
diff --git a/target-i386/cpu.c b/target-i386/cpu.c
index 400a7ab..9e238ba 100644
--- a/target-i386/cpu.c
+++ b/target-i386/cpu.c
@@ -882,6 +882,31 @@ static x86_def_t builtin_x86_defs[] = {
         .model_id = "Intel Core i7 9xx (Nehalem Class Core i7)",
     },
     {
+        .name = "Nehalem-IBRS",
+        .level = 11,
+        .vendor = CPUID_VENDOR_INTEL,
+        .family = 6,
+        .model = 26,
+        .stepping = 3,
+        .features[FEAT_1_EDX] =
+            CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
+             CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
+             CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
+             CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
+             CPUID_DE | CPUID_FP87,
+        .features[FEAT_1_ECX] =
+            CPUID_EXT_POPCNT | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 |
+             CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_SSE3,
+        .features[FEAT_7_0_EDX] =
+            CPUID_7_0_EDX_SPEC_CTRL,
+        .features[FEAT_8000_0001_EDX] =
+            CPUID_EXT2_LM | CPUID_EXT2_SYSCALL | CPUID_EXT2_NX,
+        .features[FEAT_8000_0001_ECX] =
+            CPUID_EXT3_LAHF_LM,
+        .xlevel = 0x80000008,
+        .model_id = "Intel Core i7 9xx (Nehalem Core i7, IBRS update)",
+    },
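Review bot: The only intended difference between this entry and `"Nehalem"` is `.features[FEAT_7_0_EDX] = CPUID_7_0_EDX_SPEC_CTRL`, but the table does not say so, and two near-identical copies will drift the first time someone edits one of them; a one-line comment above the feature word, `/* Only difference from "Nehalem": CPUID.7.EDX[26] (spec-ctrl) */`, records the invariant (the same applies to each -IBRS model below). The `.model_id` string also drops the word "Class" that the base model's string carries, which looks accidental rather than intended. The `builtin_x86_defs` table starts and ends outside the hunk.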
+    {
         .name = "Westmere",
         .level = 11,
         .vendor = CPUID_VENDOR_INTEL,
@@ -906,6 +931,32 @@ static x86_def_t builtin_x86_defs[] = {
         .model_id = "Westmere E56xx/L56xx/X56xx (Nehalem-C)",
     },
     {
+        .name = "Westmere-IBRS",
+        .level = 11,
+        .vendor = CPUID_VENDOR_INTEL,
+        .family = 6,
+        .model = 44,
+        .stepping = 1,
+        .features[FEAT_1_EDX] =
+            CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
+             CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
+             CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
+             CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
+             CPUID_DE | CPUID_FP87,
+        .features[FEAT_1_ECX] =
+            CPUID_EXT_AES | CPUID_EXT_POPCNT | CPUID_EXT_SSE42 |
+             CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
+             CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3,
+        .features[FEAT_8000_0001_EDX] =
+            CPUID_EXT2_LM | CPUID_EXT2_SYSCALL | CPUID_EXT2_NX,
+        .features[FEAT_8000_0001_ECX] =
+            CPUID_EXT3_LAHF_LM,
+    .features[FEAT_7_0_EDX] =
+        CPUID_7_0_EDX_SPEC_CTRL,
+        .xlevel = 0x80000008,
+        .model_id = "Westmere E56xx/L56xx/X56xx (IBRS update)",
+    },
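Review bot: `.features[FEAT_7_0_EDX] =` in the Westmere-IBRS entry is indented four spaces instead of the eight used by every sibling field, and the same mis-indented pair recurs in the SandyBridge-IBRS, IvyBridge-IBRS, Haswell-IBRS, Broadwell-IBRS and Skylake-Client-IBRS entries further down. Re-indent it as `        .features[FEAT_7_0_EDX] =` / `            CPUID_7_0_EDX_SPEC_CTRL,` and consider placing it next to the other leaf-7 word (`FEAT_7_0_EBX`) where the model has one, rather than between `FEAT_8000_0001_ECX` and `.xlevel`, so the CPUID layout reads top-down. Style only; the bit being set is the right one for these models.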
+    {
         .name = "SandyBridge",
         .level = 0xd,
         .vendor = CPUID_VENDOR_INTEL,
@@ -935,6 +986,37 @@ static x86_def_t builtin_x86_defs[] = {
         .model_id = "Intel Xeon E312xx (Sandy Bridge)",
     },
     {
+        .name = "SandyBridge-IBRS",
+        .level = 0xd,
+        .vendor = CPUID_VENDOR_INTEL,
+        .family = 6,
+        .model = 42,
+        .stepping = 1,
+        .features[FEAT_1_EDX] =
+            CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
+             CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
+             CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
+             CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
+             CPUID_DE | CPUID_FP87,
+        .features[FEAT_1_ECX] =
+            CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
+             CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_POPCNT |
+             CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 |
+             CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_PCLMULQDQ |
+             CPUID_EXT_SSE3,
+        .features[FEAT_8000_0001_EDX] =
+            CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
+             CPUID_EXT2_SYSCALL,
+        .features[FEAT_8000_0001_ECX] =
+            CPUID_EXT3_LAHF_LM,
+    .features[FEAT_7_0_EDX] =
+        CPUID_7_0_EDX_SPEC_CTRL,
+        .features[FEAT_XSAVE] =
+            CPUID_XSAVE_XSAVEOPT,
+        .xlevel = 0x80000008,
+        .model_id = "Intel Xeon E312xx (Sandy Bridge, IBRS update)",
+    },
+    {
         .name = "IvyBridge",
         .level = 0xd,
         .vendor = CPUID_VENDOR_INTEL,
@@ -967,6 +1049,40 @@ static x86_def_t builtin_x86_defs[] = {
         .model_id = "Intel Xeon E3-12xx v2 (Ivy Bridge)",
     },
     {
+        .name = "IvyBridge-IBRS",
+        .level = 0xd,
+        .vendor = CPUID_VENDOR_INTEL,
+        .family = 6,
+        .model = 58,
+        .stepping = 9,
+        .features[FEAT_1_EDX] =
+            CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
+            CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
+            CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
+            CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
+            CPUID_DE | CPUID_FP87,
+        .features[FEAT_1_ECX] =
+            CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
+            CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_POPCNT |
+            CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 |
+            CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_PCLMULQDQ |
+            CPUID_EXT_SSE3 | CPUID_EXT_F16C | CPUID_EXT_RDRAND,
+        .features[FEAT_7_0_EBX] =
+            CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_SMEP |
+            CPUID_7_0_EBX_ERMS,
+        .features[FEAT_8000_0001_EDX] =
+            CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
+            CPUID_EXT2_SYSCALL,
+        .features[FEAT_8000_0001_ECX] =
+            CPUID_EXT3_LAHF_LM,
+    .features[FEAT_7_0_EDX] =
+        CPUID_7_0_EDX_SPEC_CTRL,
+        .features[FEAT_XSAVE] =
+            CPUID_XSAVE_XSAVEOPT,
+        .xlevel = 0x80000008,
+        .model_id = "Intel Xeon E3-12xx v2 (Ivy Bridge, IBRS)",
+    },
+    {
         .name = "Haswell",
         .level = 0xd,
         .vendor = CPUID_VENDOR_INTEL,
@@ -1002,6 +1118,43 @@ static x86_def_t builtin_x86_defs[] = {
         .model_id = "Intel Core Processor (Haswell)",
     },
     {
+        .name = "Haswell-IBRS",
+        .level = 0xd,
+        .vendor = CPUID_VENDOR_INTEL,
+        .family = 6,
+        .model = 60,
+        .stepping = 4,
+        .features[FEAT_1_EDX] =
+            CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
+             CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
+             CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
+             CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
+             CPUID_DE | CPUID_FP87,
+        .features[FEAT_1_ECX] =
+            CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
+             CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
+             CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
+             CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
+             CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE |
+             CPUID_EXT_PCID,
+        .features[FEAT_8000_0001_EDX] =
+            CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
+             CPUID_EXT2_SYSCALL,
+        .features[FEAT_8000_0001_ECX] =
+            CPUID_EXT3_LAHF_LM,
+    .features[FEAT_7_0_EDX] =
+        CPUID_7_0_EDX_SPEC_CTRL,
+        .features[FEAT_7_0_EBX] =
+            CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 |
+            CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP |
+            CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID |
+            CPUID_7_0_EBX_RTM,
+        .features[FEAT_XSAVE] =
+            CPUID_XSAVE_XSAVEOPT,
+        .xlevel = 0x80000008,
+        .model_id = "Intel Core Processor (Haswell, IBRS)",
+    },
+    {
         .name = "Broadwell",
         .level = 0xd,
         .vendor = CPUID_VENDOR_INTEL,
@@ -1038,6 +1191,44 @@ static x86_def_t builtin_x86_defs[] = {
         .model_id = "Intel Core Processor (Broadwell)",
     },
     {
+        .name = "Broadwell-IBRS",
+        .level = 0xd,
+        .vendor = CPUID_VENDOR_INTEL,
+        .family = 6,
+        .model = 61,
+        .stepping = 2,
+        .features[FEAT_1_EDX] =
+            CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
+            CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
+            CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
+            CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
+            CPUID_DE | CPUID_FP87,
+        .features[FEAT_1_ECX] =
+            CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
+            CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
+            CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
+            CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
+            CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE |
+            CPUID_EXT_PCID,
+        .features[FEAT_8000_0001_EDX] =
+            CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
+            CPUID_EXT2_SYSCALL,
+        .features[FEAT_8000_0001_ECX] =
+            CPUID_EXT3_LAHF_LM | CPUID_EXT3_3DNOWPREFETCH,
+    .features[FEAT_7_0_EDX] =
+        CPUID_7_0_EDX_SPEC_CTRL,
+        .features[FEAT_7_0_EBX] =
+            CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 |
+            CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP |
+            CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID |
+            CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX |
+            CPUID_7_0_EBX_SMAP,
+        .features[FEAT_XSAVE] =
+            CPUID_XSAVE_XSAVEOPT,
+        .xlevel = 0x80000008,
+        .model_id = "Intel Core Processor (Broadwell, IBRS)",
+    },
+    {
         .name = "Skylake-Client",
         .level = 0xd,
         .vendor = CPUID_VENDOR_INTEL,
@@ -1081,6 +1272,51 @@ static x86_def_t builtin_x86_defs[] = {
         .model_id = "Intel Core Processor (Skylake)",
     },
     {
+        .name = "Skylake-Client-IBRS",
+        .level = 0xd,
+        .vendor = CPUID_VENDOR_INTEL,
+        .family = 6,
+        .model = 94,
+        .stepping = 3,
+        .features[FEAT_1_EDX] =
+            CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
+            CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
+            CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
+            CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
+            CPUID_DE | CPUID_FP87,
+        .features[FEAT_1_ECX] =
+            CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
+            CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
+            CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
+            CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
+            CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE |
+            CPUID_EXT_PCID | CPUID_EXT_F16C | CPUID_EXT_RDRAND,
+        .features[FEAT_8000_0001_EDX] =
+            CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
+            CPUID_EXT2_SYSCALL,
+        .features[FEAT_8000_0001_ECX] =
+            CPUID_EXT3_ABM | CPUID_EXT3_LAHF_LM | CPUID_EXT3_3DNOWPREFETCH,
+    .features[FEAT_7_0_EDX] =
+        CPUID_7_0_EDX_SPEC_CTRL,
+        .features[FEAT_7_0_EBX] =
+            CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 |
+            CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP |
+            CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID |
+            CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX |
+            CPUID_7_0_EBX_SMAP | CPUID_7_0_EBX_MPX,
+        /* Missing: XSAVES (not supported by some Linux versions,
+         * including v4.1 to v4.12).
+         * KVM doesn't yet expose any XSAVES state save component,
+         * and the only one defined in Skylake (processor tracing)
+         * probably will block migration anyway.
+         */
+        .features[FEAT_XSAVE] =
+            CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC |
+            CPUID_XSAVE_XGETBV1,
+        .xlevel = 0x80000008,
+        .model_id = "Intel Core Processor (Skylake, IBRS)",
+    },
+    {
         .name = "Opteron_G1",
         .level = 5,
         .vendor = CPUID_VENDOR_AMD,
diff --git a/target-i386/cpu.h b/target-i386/cpu.h
index b23242d..9353b48 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -587,6 +587,9 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
 #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
 #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
+#define CPUID_7_0_EDX_SPEC_CTRL     (1U << 26) /* Indirect Branch - Restrict Speculation */
+
+#define CPUID_8000_0008_EBX_IBPB    (1U << 12) /* Indirect Branch Prediction Barrier */
 #define CPUID_XSAVE_XSAVEOPT   (1U << 0)
 #define CPUID_XSAVE_XSAVEC     (1U << 1)
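Review bot: `CPUID_8000_0008_EBX_IBPB` is defined here but none of the three patches in this import references it: the new CPU models only set `CPUID_7_0_EDX_SPEC_CTRL`, and the kvm.c and machine.c changes do not use it either. If it exists only to name the bit behind the `"ibpb"` feature string, a comment saying so would stop it reading as a dead define. The comment on `CPUID_7_0_EDX_SPEC_CTRL` also undersells the bit: on Intel parts CPUID.7.EDX[26] advertises both IBRS and IBPB (IA32_SPEC_CTRL and IA32_PRED_CMD), so `/* Speculation Control: IBRS and IBPB (IA32_SPEC_CTRL, IA32_PRED_CMD) */` is more accurate than "Indirect Branch - Restrict Speculation".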
--
1.8.3.1
SOURCES/kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran.patch
New file
@@ -0,0 +1,79 @@
From 0e04ead1cdde827f1c0a20f8b83c76386dbf33e2 Mon Sep 17 00:00:00 2001
From: Eduardo Habkost <ehabkost@redhat.com>
Date: Wed, 13 Dec 2017 15:42:55 -0200
Subject: [PATCH 1/3] target-i386: cpu: add new CPUID bits for indirect branch
 predictor restrictions
RH-Author: Eduardo Habkost <ehabkost@redhat.com>
Message-id: <20171213174257.20475-2-ehabkost@redhat.com>
Patchwork-id: n/a
O-Subject: [CONFIDENTIAL][RHEL-7.4.z qemu-kvm PATCH v2 1/3] target-i386: cpu:
 add new CPUID bits for indirect branch predictor restrictions
Bugzilla: CVE-2017-5715
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
RH-Acked-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
---
 target-i386/cpu.c | 19 ++++++++++++++++++-
 target-i386/cpu.h |  1 +
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/target-i386/cpu.c b/target-i386/cpu.c
index ae56995..400a7ab 100644
--- a/target-i386/cpu.c
+++ b/target-i386/cpu.c
@@ -172,6 +172,17 @@ static const char *cpuid_7_0_edx_feature_name[] = {
     NULL, NULL, NULL, NULL,
     NULL, NULL, NULL, NULL,
     NULL, NULL, NULL, NULL,
+    NULL, NULL, "spec-ctrl", "stibp",
+    NULL, "arch-facilities", NULL, NULL,
+};
+
+static const char *cpuid_80000008_ebx_feature_name[] = {
+    NULL, NULL, NULL, NULL,
+    NULL, NULL, NULL, NULL,
+    NULL, NULL, NULL, NULL,
+    "ibpb", NULL, NULL, NULL,
+    NULL, NULL, NULL, NULL,
+    NULL, NULL, NULL, NULL,
     NULL, NULL, NULL, NULL,
     NULL, NULL, NULL, NULL,
 };
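Review bot: The bit positions check out (`spec-ctrl` 26, `stibp` 27 and `arch-facilities` 29 in the leaf-7 EDX table; `ibpb` 12 in the new 0x80000008 EBX table), but the string `"arch-facilities"` is the name users and libvirt will pass as `-cpu ...,+arch-facilities`, and as far as I recall upstream QEMU names that bit `arch-capabilities` after the IA32_ARCH_CAPABILITIES MSR; if this tree intends to stay compatible with upstream feature names, change it before it ships. Neither table has a size check, so a row dropped during a future backport would silently shift every later bit; a `QEMU_BUILD_BUG_ON(ARRAY_SIZE(cpuid_80000008_ebx_feature_name) != 32)` next to each table would catch that.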
@@ -314,6 +325,12 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
         .cpuid_reg = R_EDX,
         .tcg_features = TCG_7_0_EDX_FEATURES,
     },
+    [FEAT_8000_0008_EBX] = {
+        .feat_names = cpuid_80000008_ebx_feature_name,
+        .cpuid_eax = 0x80000008,
+        .cpuid_needs_ecx = false, .cpuid_ecx = 0,
+        .cpuid_reg = R_EBX,
+    },
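Review bot: The new `[FEAT_8000_0008_EBX]` entry omits `.tcg_features`, unlike the sibling entry just above it, so it is left at zero by the designated initializer; that is presumably the right value (TCG has no IBPB to offer, so the bit should be masked out without KVM), but as written it reads like an oversight. Make the intent explicit: `.tcg_features = 0, /* TCG cannot provide IBPB; only exposed under KVM */`. The feature_word_info table starts and ends outside the hunk.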
     [FEAT_XSAVE] = {
         .feat_names = cpuid_xsave_feature_name,
         .cpuid_eax = 0xd,
@@ -2371,7 +2388,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
                 *eax = 0x00000020; /* 32 bits physical */
             }
         }
-        *ebx = 0;
+        *ebx = env->features[FEAT_8000_0008_EBX];
         *ecx = 0;
         *edx = 0;
         if (cs->nr_cores * cs->nr_threads > 1) {
diff --git a/target-i386/cpu.h b/target-i386/cpu.h
index ac60309..5697dc6 100644
--- a/target-i386/cpu.h
+++ b/target-i386/cpu.h
@@ -405,6 +405,7 @@ typedef enum FeatureWord {
     FEAT_7_0_EDX,       /* CPUID[EAX=7,ECX=0].EDX */
     FEAT_8000_0001_EDX, /* CPUID[8000_0001].EDX */
     FEAT_8000_0001_ECX, /* CPUID[8000_0001].ECX */
+    FEAT_8000_0008_EBX, /* CPUID[8000_0008].EBX */
     FEAT_C000_0001_EDX, /* CPUID[C000_0001].EDX */
     FEAT_KVM,           /* CPUID[4000_0001].EAX (KVM_CPUID_FEATURES) */
     FEAT_SVM,           /* CPUID[8000_000A].EDX */
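Review bot: Inserting `FEAT_8000_0008_EBX` in the middle of `FeatureWord` renumbers every word after it and grows `FEATURE_WORDS`; that is safe for tables written with designated initializers such as `feature_word_info[]` in this patch, but any array indexed by FeatureWord that is initialized positionally, or any consumer that persists the numeric index, would be shifted silently. Worth a quick grep before merge, and a one-line note on the enum, `/* Order matters: every table indexed by FeatureWord must use designated initializers */`, helps the next backport. The enum starts and ends outside the hunk.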
--
1.8.3.1
SOURCES/kvm-vfio-pci-Only-mmap-TARGET_PAGE_SIZE-regions.patch
New file
@@ -0,0 +1,61 @@
From daa0c48addc50413b79612d9e7251a9cbf35af48 Mon Sep 17 00:00:00 2001
From: Alex Williamson <alex.williamson@redhat.com>
Date: Mon, 20 Nov 2017 16:21:44 +0100
Subject: [PATCH] vfio/pci: Only mmap >= TARGET_PAGE_SIZE regions
RH-Author: Alex Williamson <alex.williamson@redhat.com>
Message-id: <20171120162044.30263.60064.stgit@gimli.home>
Patchwork-id: 77755
O-Subject: [RHEL-7.4.z qemu-kvm PATCH] vfio/pci: Only mmap >= TARGET_PAGE_SIZE regions
Bugzilla: 1515110
RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
RH-Acked-by: Thomas Huth <thuth@redhat.com>
RH-Acked-by: Auger Eric <eric.auger@redhat.com>
Upstream Status: RHEL-only (very small subset of db0da029a185)
Tested: Teradici USB assignment
Upstream kernel commit 05f0c03fbac1 ('vfio-pci: Allow to mmap sub-page
MMIO BARs if the mmio page is exclusive') [RHEL-7.4 390f15a45024] allows
vfio-pci to expose the VFIO_REGION_INFO_FLAG_MMAP flag, indicating the
region can be mmap'd, for sub-page PCI BARs iff the BAR is page aligned
and the remainder of the page can be reserved to ensure that it's not
used for other purposes.  Unfortunately QEMU versions prior to v2.6.0
blindly accept the MMAP flag with no special handling of these sub-page
mmaps.  This went unnoticed upstream, but was inadvertently fixed by
commit db0da029a185 ('vfio: Generalize region support') which ensures
that the region size is a multiple of page size.  This returns us to
the previous behavior where sub-page regions are not mmap'd, even though
the kernel now allows it.  This QEMU commit has since been picked up in
qemu-kvm with the backport of the above as a33e922436f7.  qemu-kvm-rhev
has had this support since RHEL-7.3.  Furthermore, upstream commit
95251725e335 ('vfio: Add support for mmapping sub-page MMIO BARs')
allows QEMU to fully make use of these sub-page mmaps.  qemu-kvm-rhev
acquired this capability in the RHEL-7.4 rebase.
Here we extract only the portion of db0da029a185 which excludes sub-page
regions from being mmap'd.
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
---
 hw/misc/vfio.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
index 4fdc09a..adfefec 100644
--- a/hw/misc/vfio.c
+++ b/hw/misc/vfio.c
@@ -2576,7 +2576,8 @@ static int vfio_mmap_bar(VFIOBAR *bar, MemoryRegion *mem, MemoryRegion *submem,
 {
     int ret = 0;
-    if (VFIO_ALLOW_MMAP && size && bar->flags & VFIO_REGION_INFO_FLAG_MMAP) {
+    if (VFIO_ALLOW_MMAP && size && bar->flags & VFIO_REGION_INFO_FLAG_MMAP &&
+        !(size & ~TARGET_PAGE_MASK)) {
         int prot = 0;
         if (bar->flags & VFIO_REGION_INFO_FLAG_READ) {
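Review bot: The added guard `!(size & ~TARGET_PAGE_MASK)` rejects any BAR whose size is not a multiple of the target page, which matches the description's "a multiple of page size" but not the subject line's ">= TARGET_PAGE_SIZE"; one of the two should be reworded so the changelog does not promise a different rule than the code enforces. The granularity that matters for mmap is the host's page size, while `TARGET_PAGE_MASK` is a guest-side constant; the two coincide on this x86-only tree, but a comment recording the assumption, `/* Sub-page BARs are not mmap'd: this QEMU cannot handle a partial page, and the kernel reserves the remainder of the page. Assumes host page == TARGET_PAGE_SIZE. */`, keeps the check honest if a host with larger pages is ever supported. vfio_mmap_bar() continues outside the hunk.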
--
1.8.3.1
SPECS/qemu-kvm.spec
@@ -76,7 +76,7 @@
Summary: QEMU is a machine emulator and virtualizer
Name: %{pkgname}%{?pkgsuffix}
Version: 1.5.3
Release: 141%{?dist}.4
Release: 141%{?dist}.6
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 10
License: GPLv2+ and LGPLv2+ and BSD
@@ -3624,6 +3624,14 @@
Patch1784: kvm-cirrus-fix-oob-access-in-mode4and5-write-functions.patch
# For bz#1501120 - CVE-2017-14167 qemu-kvm: Qemu: i386: multiboot OOB access while loading kernel image [rhel-7.4.z]
Patch1785: kvm-multiboot-validate-multiboot-header-address-values.patch
# For bz#1515110 - Regression in QEMU handling for sub-page MMIO BARs for vfio-pci devices [rhel-7.4.z]
Patch1786: kvm-vfio-pci-Only-mmap-TARGET_PAGE_SIZE-regions.patch
# For CVE-2017-5715
Patch1787: kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran.patch
# For CVE-2017-5715
Patch1788: kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch
# For CVE-2017-5715
Patch1789: kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran.patch
BuildRequires: zlib-devel
@@ -5587,6 +5595,10 @@
%patch1783 -p1
%patch1784 -p1
%patch1785 -p1
%patch1786 -p1
%patch1787 -p1
%patch1788 -p1
%patch1789 -p1
%build
buildarch="%{kvm_target}-softmmu"
@@ -6032,6 +6044,14 @@
%{_mandir}/man8/qemu-nbd.8*
%changelog
* Thu Dec 14 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-141.el7_4.6
- Fix CVE-2017-5715
* Wed Nov 29 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-141.el7_4.5
- kvm-vfio-pci-Only-mmap-TARGET_PAGE_SIZE-regions.patch [bz#1515110]
- Resolves: bz#1515110
  (Regression in QEMU handling for sub-page MMIO BARs for vfio-pci devices [rhel-7.4.z])
* Fri Nov 10 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-141.el7_4.4
- kvm-multiboot-validate-multiboot-header-address-values.patch [bz#1501120]
- Resolves: bz#1501120
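Review bot: The three new `Patch1787`-`Patch1789` entries are annotated only with `# For CVE-2017-5715`, whereas every other entry in the list carries a bz# and a one-line summary, and the matching `1.5.3-141.el7_4.6` changelog entry has no `- Resolves:` line like its neighbours. Unless the Bugzilla is genuinely unavailable (the patch e-mails list the CVE in the Bugzilla: field), `# For bz#<id> - CVE-2017-5715 <summary> [rhel-7.4.z]` on each patch line plus a `- Resolves: bz#<id>` under the Dec 14 entry keeps the spec greppable by bug ID like the rest of the file.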