From b91dae7a8f11a5c756fdc0e6af2c5302b1735900 Mon Sep 17 00:00:00 2001 From: Daniel P. Berrangé Date: Jun 18 2018 12:45:14 +0000 Subject: New CPU features for speculative store bypass (CVE-2018-3639) Signed-off-by: Daniel P. Berrangé --- diff --git a/0001-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch b/0001-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch new file mode 100644 index 0000000..00cad34 --- /dev/null +++ b/0001-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch @@ -0,0 +1,51 @@ +From 7920d78dc80e7206e07f2a35f942e9f33174d251 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= +Date: Mon, 21 May 2018 22:54:22 +0100 +Subject: [PATCH 1/3] i386: define the 'ssbd' CPUID feature bit (CVE-2018-3639) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +New microcode introduces the "Speculative Store Bypass Disable" +CPUID feature bit. This needs to be exposed to guest OS to allow +them to protect against CVE-2018-3639. + +Signed-off-by: Daniel P. Berrangé +Reviewed-by: Konrad Rzeszutek Wilk +Signed-off-by: Konrad Rzeszutek Wilk +Message-Id: <20180521215424.13520-2-berrange@redhat.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit d19d1f965904a533998739698020ff4ee8a103da) +--- + target/i386/cpu.c | 2 +- + target/i386/cpu.h | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index a20fe26573..2f5263e22f 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -510,7 +510,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, "spec-ctrl", NULL, +- NULL, NULL, NULL, NULL, ++ NULL, NULL, NULL, "ssbd", + }, + .cpuid_eax = 7, + .cpuid_needs_ecx = true, .cpuid_ecx = 0, +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index 1b219fafc4..970ab96e54 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -684,6 +684,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS]; + #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */ + #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */ + #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */ ++#define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */ + + #define KVM_HINTS_DEDICATED (1U << 0) + +-- +2.17.0 + diff --git a/0002-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch b/0002-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch new file mode 100644 index 0000000..4fc3e74 --- /dev/null +++ b/0002-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch @@ -0,0 +1,148 @@ +From 70913a1bded444b1d264c3723fca2f6a7966d667 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Mon, 21 May 2018 22:54:24 +0100 +Subject: [PATCH 2/3] i386: Define the Virt SSBD MSR and handling of it + (CVE-2018-3639) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +"Some AMD processors only support a non-architectural means of enabling +speculative store bypass disable (SSBD). To allow a simplified view of +this to a guest, an architectural definition has been created through a new +CPUID bit, 0x80000008_EBX[25], and a new MSR, 0xc001011f. With this, a +hypervisor can virtualize the existence of this definition and provide an +architectural method for using SSBD to a guest. + +Add the new CPUID feature, the new MSR and update the existing SSBD +support to use this MSR when present." (from x86/speculation: Add virtualized +speculative store bypass disable support in Linux). + +Signed-off-by: Konrad Rzeszutek Wilk +Reviewed-by: Daniel P. Berrangé +Signed-off-by: Daniel P. Berrangé +Message-Id: <20180521215424.13520-4-berrange@redhat.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit cfeea0c021db6234c154dbc723730e81553924ff) +--- + target/i386/cpu.h | 2 ++ + target/i386/kvm.c | 16 ++++++++++++++-- + target/i386/machine.c | 20 ++++++++++++++++++++ + 3 files changed, 36 insertions(+), 2 deletions(-) + +diff --git a/target/i386/cpu.h b/target/i386/cpu.h +index 970ab96e54..75e821cefe 100644 +--- a/target/i386/cpu.h ++++ b/target/i386/cpu.h +@@ -351,6 +351,7 @@ typedef enum X86Seg { + #define MSR_IA32_FEATURE_CONTROL 0x0000003a + #define MSR_TSC_ADJUST 0x0000003b + #define MSR_IA32_SPEC_CTRL 0x48 ++#define MSR_VIRT_SSBD 0xc001011f + #define MSR_IA32_TSCDEADLINE 0x6e0 + + #define FEATURE_CONTROL_LOCKED (1<<0) +@@ -1150,6 +1151,7 @@ typedef struct CPUX86State { + uint32_t pkru; + + uint64_t spec_ctrl; ++ uint64_t virt_ssbd; + + /* End of state preserved by INIT (dummy marker). */ + struct {} end_init_save; +diff --git a/target/i386/kvm.c b/target/i386/kvm.c +index 6c49954e68..19e6aa320d 100644 +--- a/target/i386/kvm.c ++++ b/target/i386/kvm.c +@@ -92,6 +92,7 @@ static bool has_msr_hv_stimer; + static bool has_msr_hv_frequencies; + static bool has_msr_xss; + static bool has_msr_spec_ctrl; ++static bool has_msr_virt_ssbd; + static bool has_msr_smi_count; + + static uint32_t has_architectural_pmu_version; +@@ -1218,6 +1219,9 @@ static int kvm_get_supported_msrs(KVMState *s) + case MSR_IA32_SPEC_CTRL: + has_msr_spec_ctrl = true; + break; ++ case MSR_VIRT_SSBD: ++ has_msr_virt_ssbd = true; ++ break; + } + } + } +@@ -1706,6 +1710,10 @@ static int kvm_put_msrs(X86CPU *cpu, int level) + if (has_msr_spec_ctrl) { + kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, env->spec_ctrl); + } ++ if (has_msr_virt_ssbd) { ++ kvm_msr_entry_add(cpu, MSR_VIRT_SSBD, env->virt_ssbd); ++ } ++ + #ifdef TARGET_X86_64 + if (lm_capable_kernel) { + kvm_msr_entry_add(cpu, MSR_CSTAR, env->cstar); +@@ -2077,8 +2085,9 @@ static int kvm_get_msrs(X86CPU *cpu) + if (has_msr_spec_ctrl) { + kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, 0); + } +- +- ++ if (has_msr_virt_ssbd) { ++ kvm_msr_entry_add(cpu, MSR_VIRT_SSBD, 0); ++ } + if (!env->tsc_valid) { + kvm_msr_entry_add(cpu, MSR_IA32_TSC, 0); + env->tsc_valid = !runstate_is_running(); +@@ -2444,6 +2453,9 @@ static int kvm_get_msrs(X86CPU *cpu) + case MSR_IA32_SPEC_CTRL: + env->spec_ctrl = msrs[i].data; + break; ++ case MSR_VIRT_SSBD: ++ env->virt_ssbd = msrs[i].data; ++ break; + case MSR_IA32_RTIT_CTL: + env->msr_rtit_ctrl = msrs[i].data; + break; +diff --git a/target/i386/machine.c b/target/i386/machine.c +index bd2d82e91b..f0a835c292 100644 +--- a/target/i386/machine.c ++++ b/target/i386/machine.c +@@ -893,6 +893,25 @@ static const VMStateDescription vmstate_msr_intel_pt = { + } + }; + ++static bool virt_ssbd_needed(void *opaque) ++{ ++ X86CPU *cpu = opaque; ++ CPUX86State *env = &cpu->env; ++ ++ return env->virt_ssbd != 0; ++} ++ ++static const VMStateDescription vmstate_msr_virt_ssbd = { ++ .name = "cpu/virt_ssbd", ++ .version_id = 1, ++ .minimum_version_id = 1, ++ .needed = virt_ssbd_needed, ++ .fields = (VMStateField[]){ ++ VMSTATE_UINT64(env.virt_ssbd, X86CPU), ++ VMSTATE_END_OF_LIST() ++ } ++}; ++ + VMStateDescription vmstate_x86_cpu = { + .name = "cpu", + .version_id = 12, +@@ -1015,6 +1034,7 @@ VMStateDescription vmstate_x86_cpu = { + &vmstate_spec_ctrl, + &vmstate_mcg_ext_ctl, + &vmstate_msr_intel_pt, ++ &vmstate_msr_virt_ssbd, + NULL + } + }; +-- +2.17.0 + diff --git a/0003-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch b/0003-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch new file mode 100644 index 0000000..09f7116 --- /dev/null +++ b/0003-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch @@ -0,0 +1,41 @@ +From f956cd4aed74d55ecc03d3c33ea66b1d933cb28f Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Mon, 21 May 2018 22:54:23 +0100 +Subject: [PATCH 3/3] i386: define the AMD 'virt-ssbd' CPUID feature bit + (CVE-2018-3639) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +AMD Zen expose the Intel equivalant to Speculative Store Bypass Disable +via the 0x80000008_EBX[25] CPUID feature bit. + +This needs to be exposed to guest OS to allow them to protect +against CVE-2018-3639. + +Signed-off-by: Konrad Rzeszutek Wilk +Reviewed-by: Daniel P. Berrangé +Signed-off-by: Daniel P. Berrangé +Message-Id: <20180521215424.13520-3-berrange@redhat.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit 403503b162ffc33fb64cfefdf7b880acf41772cd) +--- + target/i386/cpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/target/i386/cpu.c b/target/i386/cpu.c +index 2f5263e22f..2e305ab689 100644 +--- a/target/i386/cpu.c ++++ b/target/i386/cpu.c +@@ -541,7 +541,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = { + "ibpb", NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +- NULL, NULL, NULL, NULL, ++ NULL, "virt-ssbd", NULL, NULL, + NULL, NULL, NULL, NULL, + }, + .cpuid_eax = 0x80000008, +-- +2.17.0 + diff --git a/qemu.spec b/qemu.spec index 355eac2..73c416e 100644 --- a/qemu.spec +++ b/qemu.spec @@ -104,7 +104,7 @@ Requires: %{name}-ui-sdl = %{epoch}:%{version}-%{release} Summary: QEMU is a FAST! processor emulator Name: qemu Version: 2.12.0 -Release: 2%{?rcrel}%{?dist} +Release: 3%{?rcrel}%{?dist} Epoch: 2 License: GPLv2 and BSD and MIT and CC-BY URL: http://www.qemu.org/ @@ -140,6 +140,12 @@ Source22: 95-kvm-ppc64-memlock.conf # Fix qxl memslot_get_virt crashes (bz #1565354) Patch0001: 0001-qxl-fix-local-renderer-crash.patch +Patch0002: 0001-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch +Patch0003: 0002-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch +Patch0004: 0003-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch + + + # documentation deps BuildRequires: texinfo # For /usr/bin/pod2man @@ -1666,6 +1672,9 @@ getent passwd qemu >/dev/null || \ %changelog +* Mon Jun 18 2018 Daniel P. Berrangé - 2:2.12.0-3 +- New CPU features for speculative store bypass (CVE-2018-3639) + * Tue Jun 05 2018 Cole Robinson - 2:2.12.0-2 - Fix qxl memslot_get_virt crashes (bz #1565354)