e90370
From 9ee392a5b6700c0aca597338106f2bd02ef9c4ec Mon Sep 17 00:00:00 2001
e90370
Message-Id: <9ee392a5b6700c0aca597338106f2bd02ef9c4ec@dist-git>
e90370
From: Jiri Denemark <jdenemar@redhat.com>
e90370
Date: Fri, 5 Apr 2019 15:11:20 +0200
e90370
Subject: [PATCH] cpu_map: Define md-clear CPUID bit
e90370
MIME-Version: 1.0
e90370
Content-Type: text/plain; charset=UTF-8
e90370
Content-Transfer-Encoding: 8bit
e90370
e90370
CVE-2018-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
e90370
e90370
The bit is set when microcode provides the mechanism to invoke a flush
e90370
of various exploitable CPU buffers by invoking the VERW instruction.
e90370
e90370
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
e90370
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
e90370
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
e90370
(cherry picked from a private commit)
e90370
e90370
Conflicts:
e90370
	src/cpu_map/x86_features.xml
e90370
            - no CPU map split downstream
e90370
e90370
	tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml
e90370
	tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml
e90370
            - test data missing downstream
e90370
e90370
Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
e90370
---
e90370
 src/cpu/cpu_map.xml                                        | 3 +++
e90370
 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml | 2 +-
e90370
 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml   | 1 +
e90370
 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml    | 1 +
e90370
 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml    | 1 +
e90370
 5 files changed, 7 insertions(+), 1 deletion(-)
e90370
e90370
diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
e90370
index 095d49a69a..2f77e5cc7f 100644
e90370
--- a/src/cpu/cpu_map.xml
e90370
+++ b/src/cpu/cpu_map.xml
e90370
@@ -322,6 +322,9 @@
e90370
     <feature name='avx512-4fmaps'>
e90370
       <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000008'/>
e90370
     </feature>
e90370
+    <feature name='md-clear'> 
e90370
+      <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000400'/>
e90370
+    </feature>
e90370
     <feature name='pconfig'>
e90370
       <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00040000'/>
e90370
     </feature>
e90370
diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
e90370
index 0deca9fba6..74763a462b 100644
e90370
--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
e90370
+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml
e90370
@@ -2,7 +2,7 @@
e90370
 <cpudata arch='x86'>
e90370
   <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0xf7fa3203' edx='0x0f8bfbff'/>
e90370
   <cpuid eax_in='0x00000006' ecx_in='0x00' eax='0x00000004' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
e90370
-  <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000000' edx='0x8c000000'/>
e90370
+  <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000000' edx='0x8c000400'/>
e90370
   <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x00000007' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/>
e90370
   <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/>
e90370
 </cpudata>
e90370
diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
e90370
index 70a0fc3286..867970d2c7 100644
e90370
--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
e90370
+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml
e90370
@@ -20,6 +20,7 @@
e90370
   <feature policy='require' name='tsc_adjust'/>
e90370
   <feature policy='require' name='clflushopt'/>
e90370
   <feature policy='require' name='intel-pt'/>
e90370
+  <feature policy='require' name='md-clear'/>
e90370
   <feature policy='require' name='stibp'/>
e90370
   <feature policy='require' name='ssbd'/>
e90370
   <feature policy='require' name='xsaves'/>
e90370
diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
e90370
index bbdfb6aa61..e7ced42797 100644
e90370
--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
e90370
+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml
e90370
@@ -21,6 +21,7 @@
e90370
   <feature name='tsc_adjust'/>
e90370
   <feature name='clflushopt'/>
e90370
   <feature name='intel-pt'/>
e90370
+  <feature name='md-clear'/>
e90370
   <feature name='stibp'/>
e90370
   <feature name='ssbd'/>
e90370
   <feature name='xsaves'/>
e90370
diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
e90370
index 1f321db273..a5591278df 100644
e90370
--- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
e90370
+++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml
e90370
@@ -5,6 +5,7 @@
e90370
   <feature policy='require' name='hypervisor'/>
e90370
   <feature policy='require' name='tsc_adjust'/>
e90370
   <feature policy='require' name='clflushopt'/>
e90370
+  <feature policy='require' name='md-clear'/>
e90370
   <feature policy='require' name='stibp'/>
e90370
   <feature policy='require' name='ssbd'/>
e90370
   <feature policy='require' name='pdpe1gb'/>
e90370
-- 
e90370
2.21.0
e90370