From 75366366da0d918039e5e89a275d674a41ff94af Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Jan 25 2018 09:30:28 +0000 Subject: import qemu-kvm-1.5.3-141.el7_4.5 --- diff --git a/SOURCES/kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch b/SOURCES/kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch deleted file mode 100644 index b8df930..0000000 --- a/SOURCES/kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch +++ /dev/null 
@@ -1,152 +0,0 @@ -From 6d0877d3a5dff82b854a7eee38ef7558dfa1d4ef Mon Sep 17 00:00:00 2001 -From: Eduardo Habkost -Date: Wed, 13 Dec 2017 15:42:56 -0200 -Subject: [PATCH 2/3] target-i386: add support for SPEC_CTRL MSR - -RH-Author: Eduardo Habkost -Message-id: <20171213174257.20475-3-ehabkost@redhat.com> -Patchwork-id: n/a -O-Subject: [CONFIDENTIAL][RHEL-7.4.z qemu-kvm PATCH v2 2/3] target-i386: add - support for SPEC_CTRL MSR -Bugzilla: CVE-2017-5715 -RH-Acked-by: Paolo Bonzini -RH-Acked-by: Miroslav Rezanina -RH-Acked-by: Wainer dos Santos Moschetta ---- - target-i386/cpu.h | 4 ++++ - target-i386/kvm.c | 15 +++++++++++++++ - target-i386/machine.c | 21 +++++++++++++++++++++ - 3 files changed, 40 insertions(+) - -diff --git a/target-i386/cpu.h b/target-i386/cpu.h -index 5697dc6..b23242d 100644 ---- a/target-i386/cpu.h -+++ b/target-i386/cpu.h -@@ -304,6 +304,7 @@ - #define MSR_IA32_APICBASE_ENABLE (1<<11) - #define MSR_IA32_APICBASE_BASE (0xfffff<<12) - #define MSR_TSC_ADJUST 0x0000003b -+#define MSR_IA32_SPEC_CTRL 0x48 - #define MSR_IA32_TSCDEADLINE 0x6e0 - - #define MSR_P6_PERFCTR0 0xc1 -@@ -958,6 +959,7 @@ typedef struct CPUX86State { - uint64_t msr_fixed_counters[MAX_FIXED_COUNTERS]; - uint64_t msr_gp_counters[MAX_GP_COUNTERS]; - uint64_t msr_gp_evtsel[MAX_GP_COUNTERS]; -+ - uint64_t msr_hv_hypercall; - uint64_t msr_hv_guest_os_id; - uint64_t msr_hv_vapic; -@@ -1030,6 +1032,8 @@ typedef struct CPUX86State { - uint64_t xcr0; - uint64_t xss; - -+ uint64_t spec_ctrl; -+ - TPRAccess tpr_access_type; - } CPUX86State; - -diff --git a/target-i386/kvm.c b/target-i386/kvm.c -index 6a479f4..ff58314 100644 ---- a/target-i386/kvm.c -+++ b/target-i386/kvm.c -@@ -77,6 +77,7 @@ static bool has_msr_hv_vapic; - static bool has_msr_hv_tsc; - static bool has_msr_mtrr; - static bool has_msr_xss; -+static bool has_msr_spec_ctrl; - - static bool has_msr_architectural_pmu; - static uint32_t num_architectural_pmu_counters; -@@ -800,6 +801,10 @@ static int 
kvm_get_supported_msrs(KVMState *s) - has_msr_xss = true; - continue; - } -+ if (kvm_msr_list->indices[i] == MSR_IA32_SPEC_CTRL) { -+ has_msr_spec_ctrl = true; -+ continue; -+ } - } - } - -@@ -1185,6 +1190,9 @@ static int kvm_put_msrs(X86CPU *cpu, int level) - if (has_msr_xss) { - kvm_msr_entry_set(&msrs[n++], MSR_IA32_XSS, env->xss); - } -+ if (has_msr_spec_ctrl) { -+ kvm_msr_entry_set(&msrs[n++], MSR_IA32_SPEC_CTRL, env->spec_ctrl); -+ } - #ifdef TARGET_X86_64 - if (lm_capable_kernel) { - kvm_msr_entry_set(&msrs[n++], MSR_CSTAR, env->cstar); -@@ -1193,6 +1201,7 @@ static int kvm_put_msrs(X86CPU *cpu, int level) - kvm_msr_entry_set(&msrs[n++], MSR_LSTAR, env->lstar); - } - #endif -+ - if (level == KVM_PUT_FULL_STATE) { - /* - * KVM is yet unable to synchronize TSC values of multiple VCPUs on -@@ -1541,6 +1550,9 @@ static int kvm_get_msrs(X86CPU *cpu) - if (has_msr_xss) { - msrs[n++].index = MSR_IA32_XSS; - } -+ if (has_msr_spec_ctrl) { -+ msrs[n++].index = MSR_IA32_SPEC_CTRL; -+ } - - - if (!env->tsc_valid) { -@@ -1783,6 +1795,9 @@ static int kvm_get_msrs(X86CPU *cpu) - env->mtrr_var[MSR_MTRRphysIndex(index)].base = msrs[i].data; - } - break; -+ case MSR_IA32_SPEC_CTRL: -+ env->spec_ctrl = msrs[i].data; -+ break; - } - } - -diff --git a/target-i386/machine.c b/target-i386/machine.c -index ce7fcd3..4092cae 100644 ---- a/target-i386/machine.c -+++ b/target-i386/machine.c -@@ -722,6 +722,24 @@ static const VMStateDescription vmstate_xss = { - } - }; - -+static bool spec_ctrl_needed(void *opaque) -+{ -+ X86CPU *cpu = opaque; -+ CPUX86State *env = &cpu->env; -+ -+ return env->spec_ctrl != 0; -+} -+ -+static const VMStateDescription vmstate_spec_ctrl = { -+ .name = "cpu/spec_ctrl", -+ .version_id = 1, -+ .minimum_version_id = 1, -+ .fields = (VMStateField[]){ -+ VMSTATE_UINT64(env.spec_ctrl, X86CPU), -+ VMSTATE_END_OF_LIST() -+ } -+}; -+ - const VMStateDescription vmstate_x86_cpu = { - .name = "cpu", - .version_id = 12, -@@ -871,6 +889,9 @@ const VMStateDescription 
vmstate_x86_cpu = { - }, { - .vmsd = &vmstate_xss, - .needed = xss_needed, -+ }, { -+ .vmsd = &vmstate_spec_ctrl, -+ .needed = spec_ctrl_needed, - } , { - /* empty */ - } --- -1.8.3.1 - diff --git a/SOURCES/kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran.patch b/SOURCES/kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran.patch deleted file mode 100644 index 5ce64cc..0000000 --- a/SOURCES/kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran.patch +++ /dev/null 
@@ -1,411 +0,0 @@ -From d4caecffd38c2a9c16ea717e9c863d3214093b32 Mon Sep 17 00:00:00 2001 -From: Eduardo Habkost -Date: Wed, 13 Dec 2017 15:42:57 -0200 -Subject: [PATCH 3/3] target-i386: cpu: add new CPU models for indirect branch - predictor restrictions - -RH-Author: Eduardo Habkost -Message-id: <20171213174257.20475-4-ehabkost@redhat.com> -Patchwork-id: n/a -O-Subject: [CONFIDENTIAL][RHEL-7.4.z qemu-kvm PATCH v2 3/3] target-i386: cpu: add - new CPU models for indirect branch predictor restrictions -Bugzilla: CVE-2017-5715 -RH-Acked-by: Paolo Bonzini -RH-Acked-by: Miroslav Rezanina -RH-Acked-by: Wainer dos Santos Moschetta - -To ensure the New CPU models won't introduce any unexpected -changes except for the spec-ctrl feature (even if people are -running older machine-types), copy all compat_props entries for -existing CPU models to their *-IBRS versions. - -The only entries that are not being copied are the ones touching -"(min-)level" and "(min-)xlevel" because it's an expected result -of the CPU model change (otherwise the spec-ctrl feature would -remain unavailable to the guest). - -The entries that had to be copied can be found using: - $ git grep -E 'Nehalem|Westmere|SandyBridge|IvyBridge|Haswell-noTSX|Haswell|Broadwell-noTSX|Broadwell|Skylake-Client|Skylake-Server|EPYC' - -Note that the upstream-only PC_COMPAT_* macros are not being -touched as they are not used by the RHEL machine-types. 
---- - hw/i386/pc_piix.c | 17 ++++ - hw/i386/pc_q35.c | 1 + - target-i386/cpu.c | 236 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ - target-i386/cpu.h | 3 + - 4 files changed, 257 insertions(+) - -diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c -index b043124..c53a6d4 100644 ---- a/hw/i386/pc_piix.c -+++ b/hw/i386/pc_piix.c -@@ -753,7 +753,9 @@ static void pc_compat_rhel700(QEMUMachineInitArgs *args) - x86_cpu_compat_set_features("Conroe", FEAT_1_ECX, CPUID_EXT_X2APIC, 0); - x86_cpu_compat_set_features("Penryn", FEAT_1_ECX, CPUID_EXT_X2APIC, 0); - x86_cpu_compat_set_features("Nehalem", FEAT_1_ECX, CPUID_EXT_X2APIC, 0); -+ x86_cpu_compat_set_features("Nehalem-IBRS", FEAT_1_ECX, CPUID_EXT_X2APIC, 0); - x86_cpu_compat_set_features("Westmere", FEAT_1_ECX, CPUID_EXT_X2APIC, 0); -+ x86_cpu_compat_set_features("Westmere-IBRS", FEAT_1_ECX, CPUID_EXT_X2APIC, 0); - /* SandyBridge and Haswell already have x2apic enabled */ - x86_cpu_compat_set_features("Opteron_G1", FEAT_1_ECX, CPUID_EXT_X2APIC, 0); - x86_cpu_compat_set_features("Opteron_G2", FEAT_1_ECX, CPUID_EXT_X2APIC, 0); -@@ -928,18 +930,31 @@ static void pc_compat_rhel660(QEMUMachineInitArgs *args) - x86_cpu_compat_set_features("Conroe", FEAT_1_ECX, CPUID_EXT_X2APIC, 0); - x86_cpu_compat_set_features("Penryn", FEAT_1_ECX, CPUID_EXT_X2APIC, 0); - x86_cpu_compat_set_features("Nehalem", FEAT_1_ECX, CPUID_EXT_X2APIC, 0); -+ x86_cpu_compat_set_features("Nehalem-IBRS", FEAT_1_ECX, CPUID_EXT_X2APIC, 0); - x86_cpu_compat_set_features("Westmere", FEAT_1_ECX, CPUID_EXT_X2APIC, 0); -+ x86_cpu_compat_set_features("Westmere-IBRS", FEAT_1_ECX, CPUID_EXT_X2APIC, 0); - x86_cpu_compat_set_features("Westmere", FEAT_1_ECX, 0, CPUID_EXT_PCLMULQDQ); -+ x86_cpu_compat_set_features("Westmere-IBRS", FEAT_1_ECX, 0, CPUID_EXT_PCLMULQDQ); - x86_cpu_compat_set_features("Westmere", FEAT_8000_0001_EDX, - CPUID_EXT2_FXSR | CPUID_EXT2_MMX | CPUID_EXT2_PAT | - CPUID_EXT2_CMOV | CPUID_EXT2_PGE | CPUID_EXT2_APIC | - CPUID_EXT2_CX8 | 
CPUID_EXT2_MCE | CPUID_EXT2_PAE | CPUID_EXT2_MSR | - CPUID_EXT2_TSC | CPUID_EXT2_PSE | CPUID_EXT2_DE | CPUID_EXT2_FPU, - 0); -+ x86_cpu_compat_set_features("Westmere-IBRS", FEAT_8000_0001_EDX, -+ CPUID_EXT2_FXSR | CPUID_EXT2_MMX | CPUID_EXT2_PAT | -+ CPUID_EXT2_CMOV | CPUID_EXT2_PGE | CPUID_EXT2_APIC | -+ CPUID_EXT2_CX8 | CPUID_EXT2_MCE | CPUID_EXT2_PAE | CPUID_EXT2_MSR | -+ CPUID_EXT2_TSC | CPUID_EXT2_PSE | CPUID_EXT2_DE | CPUID_EXT2_FPU, -+ 0); - x86_cpu_compat_set_features("Broadwell", FEAT_8000_0001_EDX, - 0, CPUID_EXT2_RDTSCP); -+ x86_cpu_compat_set_features("Broadwell-IBRS", FEAT_8000_0001_EDX, -+ 0, CPUID_EXT2_RDTSCP); - x86_cpu_compat_set_features("Broadwell", FEAT_7_0_EBX, - 0, CPUID_7_0_EBX_SMAP); -+ x86_cpu_compat_set_features("Broadwell-IBRS", FEAT_7_0_EBX, -+ 0, CPUID_7_0_EBX_SMAP); - - /* RHEL-6 kernel never supported exposing RDTSCP */ - x86_cpu_compat_set_features(NULL, FEAT_8000_0001_EDX, 0, CPUID_EXT2_RDTSCP); -@@ -1122,6 +1137,8 @@ static void pc_compat_rhel630(QEMUMachineInitArgs *args) - enable_compat_apic_id_mode(); - x86_cpu_compat_set_features("SandyBridge", FEAT_1_ECX, - 0, CPUID_EXT_TSC_DEADLINE_TIMER); -+ x86_cpu_compat_set_features("SandyBridge-IBRS", FEAT_1_ECX, -+ 0, CPUID_EXT_TSC_DEADLINE_TIMER); - } - - static void pc_init_rhel630(QEMUMachineInitArgs *args) -diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c -index 850a25a..e6043df 100644 ---- a/hw/i386/pc_q35.c -+++ b/hw/i386/pc_q35.c -@@ -228,6 +228,7 @@ static void pc_q35_init_1_4(QEMUMachineInitArgs *args) - { - x86_cpu_compat_set_features("n270", FEAT_1_ECX, 0, CPUID_EXT_MOVBE); - x86_cpu_compat_set_features("Westmere", FEAT_1_ECX, 0, CPUID_EXT_PCLMULQDQ); -+ x86_cpu_compat_set_features("Westmere-IBRS", FEAT_1_ECX, 0, CPUID_EXT_PCLMULQDQ); - pc_q35_init_1_5(args); - } - -diff --git a/target-i386/cpu.c b/target-i386/cpu.c -index 400a7ab..9e238ba 100644 ---- a/target-i386/cpu.c -+++ b/target-i386/cpu.c -@@ -882,6 +882,31 @@ static x86_def_t builtin_x86_defs[] = { - .model_id = 
"Intel Core i7 9xx (Nehalem Class Core i7)", - }, - { -+ .name = "Nehalem-IBRS", -+ .level = 11, -+ .vendor = CPUID_VENDOR_INTEL, -+ .family = 6, -+ .model = 26, -+ .stepping = 3, -+ .features[FEAT_1_EDX] = -+ CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX | -+ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA | -+ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 | -+ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE | -+ CPUID_DE | CPUID_FP87, -+ .features[FEAT_1_ECX] = -+ CPUID_EXT_POPCNT | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 | -+ CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_SSE3, -+ .features[FEAT_7_0_EDX] = -+ CPUID_7_0_EDX_SPEC_CTRL, -+ .features[FEAT_8000_0001_EDX] = -+ CPUID_EXT2_LM | CPUID_EXT2_SYSCALL | CPUID_EXT2_NX, -+ .features[FEAT_8000_0001_ECX] = -+ CPUID_EXT3_LAHF_LM, -+ .xlevel = 0x80000008, -+ .model_id = "Intel Core i7 9xx (Nehalem Core i7, IBRS update)", -+ }, -+ { - .name = "Westmere", - .level = 11, - .vendor = CPUID_VENDOR_INTEL, -@@ -906,6 +931,32 @@ static x86_def_t builtin_x86_defs[] = { - .model_id = "Westmere E56xx/L56xx/X56xx (Nehalem-C)", - }, - { -+ .name = "Westmere-IBRS", -+ .level = 11, -+ .vendor = CPUID_VENDOR_INTEL, -+ .family = 6, -+ .model = 44, -+ .stepping = 1, -+ .features[FEAT_1_EDX] = -+ CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX | -+ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA | -+ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 | -+ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE | -+ CPUID_DE | CPUID_FP87, -+ .features[FEAT_1_ECX] = -+ CPUID_EXT_AES | CPUID_EXT_POPCNT | CPUID_EXT_SSE42 | -+ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | -+ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3, -+ .features[FEAT_8000_0001_EDX] = -+ CPUID_EXT2_LM | CPUID_EXT2_SYSCALL | CPUID_EXT2_NX, -+ .features[FEAT_8000_0001_ECX] = -+ CPUID_EXT3_LAHF_LM, -+ .features[FEAT_7_0_EDX] = -+ CPUID_7_0_EDX_SPEC_CTRL, -+ .xlevel = 0x80000008, -+ .model_id = "Westmere 
E56xx/L56xx/X56xx (IBRS update)", -+ }, -+ { - .name = "SandyBridge", - .level = 0xd, - .vendor = CPUID_VENDOR_INTEL, -@@ -935,6 +986,37 @@ static x86_def_t builtin_x86_defs[] = { - .model_id = "Intel Xeon E312xx (Sandy Bridge)", - }, - { -+ .name = "SandyBridge-IBRS", -+ .level = 0xd, -+ .vendor = CPUID_VENDOR_INTEL, -+ .family = 6, -+ .model = 42, -+ .stepping = 1, -+ .features[FEAT_1_EDX] = -+ CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX | -+ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA | -+ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 | -+ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE | -+ CPUID_DE | CPUID_FP87, -+ .features[FEAT_1_ECX] = -+ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES | -+ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_POPCNT | -+ CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 | -+ CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_PCLMULQDQ | -+ CPUID_EXT_SSE3, -+ .features[FEAT_8000_0001_EDX] = -+ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX | -+ CPUID_EXT2_SYSCALL, -+ .features[FEAT_8000_0001_ECX] = -+ CPUID_EXT3_LAHF_LM, -+ .features[FEAT_7_0_EDX] = -+ CPUID_7_0_EDX_SPEC_CTRL, -+ .features[FEAT_XSAVE] = -+ CPUID_XSAVE_XSAVEOPT, -+ .xlevel = 0x80000008, -+ .model_id = "Intel Xeon E312xx (Sandy Bridge, IBRS update)", -+ }, -+ { - .name = "IvyBridge", - .level = 0xd, - .vendor = CPUID_VENDOR_INTEL, -@@ -967,6 +1049,40 @@ static x86_def_t builtin_x86_defs[] = { - .model_id = "Intel Xeon E3-12xx v2 (Ivy Bridge)", - }, - { -+ .name = "IvyBridge-IBRS", -+ .level = 0xd, -+ .vendor = CPUID_VENDOR_INTEL, -+ .family = 6, -+ .model = 58, -+ .stepping = 9, -+ .features[FEAT_1_EDX] = -+ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX | -+ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA | -+ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 | -+ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE | -+ CPUID_DE | CPUID_FP87, -+ .features[FEAT_1_ECX] = -+ 
CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES | -+ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_POPCNT | -+ CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 | -+ CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_PCLMULQDQ | -+ CPUID_EXT_SSE3 | CPUID_EXT_F16C | CPUID_EXT_RDRAND, -+ .features[FEAT_7_0_EBX] = -+ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_SMEP | -+ CPUID_7_0_EBX_ERMS, -+ .features[FEAT_8000_0001_EDX] = -+ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX | -+ CPUID_EXT2_SYSCALL, -+ .features[FEAT_8000_0001_ECX] = -+ CPUID_EXT3_LAHF_LM, -+ .features[FEAT_7_0_EDX] = -+ CPUID_7_0_EDX_SPEC_CTRL, -+ .features[FEAT_XSAVE] = -+ CPUID_XSAVE_XSAVEOPT, -+ .xlevel = 0x80000008, -+ .model_id = "Intel Xeon E3-12xx v2 (Ivy Bridge, IBRS)", -+ }, -+ { - .name = "Haswell", - .level = 0xd, - .vendor = CPUID_VENDOR_INTEL, -@@ -1002,6 +1118,43 @@ static x86_def_t builtin_x86_defs[] = { - .model_id = "Intel Core Processor (Haswell)", - }, - { -+ .name = "Haswell-IBRS", -+ .level = 0xd, -+ .vendor = CPUID_VENDOR_INTEL, -+ .family = 6, -+ .model = 60, -+ .stepping = 4, -+ .features[FEAT_1_EDX] = -+ CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX | -+ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA | -+ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 | -+ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE | -+ CPUID_DE | CPUID_FP87, -+ .features[FEAT_1_ECX] = -+ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES | -+ CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | -+ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | -+ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 | -+ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE | -+ CPUID_EXT_PCID, -+ .features[FEAT_8000_0001_EDX] = -+ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX | -+ CPUID_EXT2_SYSCALL, -+ .features[FEAT_8000_0001_ECX] = -+ CPUID_EXT3_LAHF_LM, -+ .features[FEAT_7_0_EDX] = -+ CPUID_7_0_EDX_SPEC_CTRL, -+ .features[FEAT_7_0_EBX] = -+ CPUID_7_0_EBX_FSGSBASE | 
CPUID_7_0_EBX_BMI1 | -+ CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP | -+ CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID | -+ CPUID_7_0_EBX_RTM, -+ .features[FEAT_XSAVE] = -+ CPUID_XSAVE_XSAVEOPT, -+ .xlevel = 0x80000008, -+ .model_id = "Intel Core Processor (Haswell, IBRS)", -+ }, -+ { - .name = "Broadwell", - .level = 0xd, - .vendor = CPUID_VENDOR_INTEL, -@@ -1038,6 +1191,44 @@ static x86_def_t builtin_x86_defs[] = { - .model_id = "Intel Core Processor (Broadwell)", - }, - { -+ .name = "Broadwell-IBRS", -+ .level = 0xd, -+ .vendor = CPUID_VENDOR_INTEL, -+ .family = 6, -+ .model = 61, -+ .stepping = 2, -+ .features[FEAT_1_EDX] = -+ CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX | -+ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA | -+ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 | -+ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE | -+ CPUID_DE | CPUID_FP87, -+ .features[FEAT_1_ECX] = -+ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES | -+ CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | -+ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | -+ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 | -+ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE | -+ CPUID_EXT_PCID, -+ .features[FEAT_8000_0001_EDX] = -+ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX | -+ CPUID_EXT2_SYSCALL, -+ .features[FEAT_8000_0001_ECX] = -+ CPUID_EXT3_LAHF_LM | CPUID_EXT3_3DNOWPREFETCH, -+ .features[FEAT_7_0_EDX] = -+ CPUID_7_0_EDX_SPEC_CTRL, -+ .features[FEAT_7_0_EBX] = -+ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 | -+ CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP | -+ CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID | -+ CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX | -+ CPUID_7_0_EBX_SMAP, -+ .features[FEAT_XSAVE] = -+ CPUID_XSAVE_XSAVEOPT, -+ .xlevel = 0x80000008, -+ .model_id = "Intel Core Processor (Broadwell, IBRS)", -+ }, -+ { - .name = "Skylake-Client", 
- .level = 0xd, - .vendor = CPUID_VENDOR_INTEL, -@@ -1081,6 +1272,51 @@ static x86_def_t builtin_x86_defs[] = { - .model_id = "Intel Core Processor (Skylake)", - }, - { -+ .name = "Skylake-Client-IBRS", -+ .level = 0xd, -+ .vendor = CPUID_VENDOR_INTEL, -+ .family = 6, -+ .model = 94, -+ .stepping = 3, -+ .features[FEAT_1_EDX] = -+ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX | -+ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA | -+ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 | -+ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE | -+ CPUID_DE | CPUID_FP87, -+ .features[FEAT_1_ECX] = -+ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES | -+ CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | -+ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | -+ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 | -+ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE | -+ CPUID_EXT_PCID | CPUID_EXT_F16C | CPUID_EXT_RDRAND, -+ .features[FEAT_8000_0001_EDX] = -+ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX | -+ CPUID_EXT2_SYSCALL, -+ .features[FEAT_8000_0001_ECX] = -+ CPUID_EXT3_ABM | CPUID_EXT3_LAHF_LM | CPUID_EXT3_3DNOWPREFETCH, -+ .features[FEAT_7_0_EDX] = -+ CPUID_7_0_EDX_SPEC_CTRL, -+ .features[FEAT_7_0_EBX] = -+ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 | -+ CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP | -+ CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID | -+ CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX | -+ CPUID_7_0_EBX_SMAP | CPUID_7_0_EBX_MPX, -+ /* Missing: XSAVES (not supported by some Linux versions, -+ * including v4.1 to v4.12). -+ * KVM doesn't yet expose any XSAVES state save component, -+ * and the only one defined in Skylake (processor tracing) -+ * probably will block migration anyway. 
-+ */ -+ .features[FEAT_XSAVE] = -+ CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC | -+ CPUID_XSAVE_XGETBV1, -+ .xlevel = 0x80000008, -+ .model_id = "Intel Core Processor (Skylake, IBRS)", -+ }, -+ { - .name = "Opteron_G1", - .level = 5, - .vendor = CPUID_VENDOR_AMD, -diff --git a/target-i386/cpu.h b/target-i386/cpu.h -index b23242d..9353b48 100644 ---- a/target-i386/cpu.h -+++ b/target-i386/cpu.h -@@ -587,6 +587,9 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; - - #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */ - #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */ -+#define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Indirect Branch - Restrict Speculation */ -+ -+#define CPUID_8000_0008_EBX_IBPB (1U << 12) /* Indirect Branch Prediction Barrier */ - - #define CPUID_XSAVE_XSAVEOPT (1U << 0) - #define CPUID_XSAVE_XSAVEC (1U << 1) --- -1.8.3.1 - diff --git a/SOURCES/kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran.patch b/SOURCES/kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran.patch deleted file mode 100644 index c1a19c2..0000000 --- a/SOURCES/kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From 0e04ead1cdde827f1c0a20f8b83c76386dbf33e2 Mon Sep 17 00:00:00 2001 -From: Eduardo Habkost -Date: Wed, 13 Dec 2017 15:42:55 -0200 -Subject: [PATCH 1/3] target-i386: cpu: add new CPUID bits for indirect branch - predictor restrictions - -RH-Author: Eduardo Habkost -Message-id: <20171213174257.20475-2-ehabkost@redhat.com> -Patchwork-id: n/a -O-Subject: [CONFIDENTIAL][RHEL-7.4.z qemu-kvm PATCH v2 1/3] target-i386: cpu: - add new CPUID bits for indirect branch predictor restrictions -Bugzilla: CVE-2017-5715 -RH-Acked-by: Paolo Bonzini -RH-Acked-by: Miroslav Rezanina -RH-Acked-by: Wainer dos Santos Moschetta ---- - target-i386/cpu.c | 19 ++++++++++++++++++- - target-i386/cpu.h | 1 + - 2 files changed, 19 insertions(+), 1 deletion(-) - -diff --git a/target-i386/cpu.c b/target-i386/cpu.c -index ae56995..400a7ab 100644 ---- a/target-i386/cpu.c -+++ b/target-i386/cpu.c -@@ -172,6 +172,17 @@ static const char *cpuid_7_0_edx_feature_name[] = { - NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, -+ NULL, NULL, "spec-ctrl", "stibp", -+ NULL, "arch-facilities", NULL, NULL, -+}; -+ -+static const char *cpuid_80000008_ebx_feature_name[] = { -+ NULL, NULL, NULL, NULL, -+ NULL, NULL, NULL, NULL, -+ NULL, NULL, NULL, NULL, -+ "ibpb", NULL, NULL, NULL, -+ NULL, NULL, NULL, NULL, -+ NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, - NULL, NULL, NULL, NULL, - }; -@@ -314,6 +325,12 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { - .cpuid_reg = R_EDX, - .tcg_features = TCG_7_0_EDX_FEATURES, - }, -+ [FEAT_8000_0008_EBX] = { -+ .feat_names = cpuid_80000008_ebx_feature_name, -+ .cpuid_eax = 0x80000008, -+ .cpuid_needs_ecx = false, .cpuid_ecx = 0, -+ .cpuid_reg = R_EBX, -+ }, - [FEAT_XSAVE] = { - .feat_names = cpuid_xsave_feature_name, - .cpuid_eax = 0xd, -@@ -2371,7 +2388,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count, - *eax = 0x00000020; /* 32 bits physical */ - } - } -- *ebx = 0; -+ *ebx = 
env->features[FEAT_8000_0008_EBX]; - *ecx = 0; - *edx = 0; - if (cs->nr_cores * cs->nr_threads > 1) { -diff --git a/target-i386/cpu.h b/target-i386/cpu.h -index ac60309..5697dc6 100644 ---- a/target-i386/cpu.h -+++ b/target-i386/cpu.h -@@ -405,6 +405,7 @@ typedef enum FeatureWord { - FEAT_7_0_EDX, /* CPUID[EAX=7,ECX=0].EDX */ - FEAT_8000_0001_EDX, /* CPUID[8000_0001].EDX */ - FEAT_8000_0001_ECX, /* CPUID[8000_0001].ECX */ -+ FEAT_8000_0008_EBX, /* CPUID[8000_0008].EBX */ - FEAT_C000_0001_EDX, /* CPUID[C000_0001].EDX */ - FEAT_KVM, /* CPUID[4000_0001].EAX (KVM_CPUID_FEATURES) */ - FEAT_SVM, /* CPUID[8000_000A].EDX */ --- -1.8.3.1 - diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec index d7ccc69..b81495f 100644 --- a/SPECS/qemu-kvm.spec +++ b/SPECS/qemu-kvm.spec @@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version} \ Summary: QEMU is a machine emulator and virtualizer Name: %{pkgname}%{?pkgsuffix} Version: 1.5.3 -Release: 141%{?dist}.6 +Release: 141%{?dist}.5 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 10 License: GPLv2+ and LGPLv2+ and BSD @@ -3626,12 +3626,6 @@ Patch1784: kvm-cirrus-fix-oob-access-in-mode4and5-write-functions.patch Patch1785: kvm-multiboot-validate-multiboot-header-address-values.patch # For bz#1515110 - Regression in QEMU handling for sub-page MMIO BARs for vfio-pci devices [rhel-7.4.z] Patch1786: kvm-vfio-pci-Only-mmap-TARGET_PAGE_SIZE-regions.patch -# For CVE-2017-5715 -Patch1787: kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran.patch -# For CVE-2017-5715 -Patch1788: kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch -# For CVE-2017-5715 -Patch1789: kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran.patch BuildRequires: zlib-devel @@ -5596,9 +5590,6 @@ tar -xf %{SOURCE21} %patch1784 -p1 %patch1785 -p1 %patch1786 -p1 -%patch1787 -p1 -%patch1788 -p1 -%patch1789 -p1 %build buildarch="%{kvm_target}-softmmu" 
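Review bot: The `Release` tag moves backwards in the first spec hunk, from `141%{?dist}.6` to `141%{?dist}.5`. The next two hunks drop `Patch1787`–`Patch1789` and their `%patch1787`–`%patch1789` lines, each annotated `# For CVE-2017-5715`, and the final hunk removes the `1.5.3-141.el7_4.6` changelog entry `- Fix CVE-2017-5715`. A package built from this tree would no longer carry what the three deleted patch files add: the `spec-ctrl` and `ibpb` CPUID feature names, the `*-IBRS` CPU models, and the `MSR_IA32_SPEC_CTRL` get/put and migration subsection. Guests on such a build could not be offered those controls. Whether this is a deliberate rollback or an artifact of import order cannot be told from the page; if it is deliberate, the commit description should say so, for example `Roll back to 141.el7_4.5: CVE-2017-5715 patches withdrawn, see <tracking reference>`. Since the new release sorts lower than `.6`, it is also worth confirming how hosts that already installed `.6` are expected to be handled.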
@@ -6044,9 +6035,6 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %{_mandir}/man8/qemu-nbd.8* %changelog -* Thu Dec 14 2017 Miroslav Rezanina - 1.5.3-141.el7_4.6 -- Fix CVE-2017-5715 - * Wed Nov 29 2017 Miroslav Rezanina - 1.5.3-141.el7_4.5 - kvm-vfio-pci-Only-mmap-TARGET_PAGE_SIZE-regions.patch [bz#1515110] - Resolves: bz#1515110