diff --git a/SOURCES/kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch b/SOURCES/kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch
new file mode 100644
index 0000000..b8df930
--- /dev/null
+++ b/SOURCES/kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch
@@ -0,0 +1,152 @@
+From 6d0877d3a5dff82b854a7eee38ef7558dfa1d4ef Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Wed, 13 Dec 2017 15:42:56 -0200
+Subject: [PATCH 2/3] target-i386: add support for SPEC_CTRL MSR
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20171213174257.20475-3-ehabkost@redhat.com>
+Patchwork-id: n/a
+O-Subject: [CONFIDENTIAL][RHEL-7.4.z qemu-kvm PATCH v2 2/3] target-i386: add
+ support for SPEC_CTRL MSR
+Bugzilla: CVE-2017-5715
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
+---
+ target-i386/cpu.h | 4 ++++
+ target-i386/kvm.c | 15 +++++++++++++++
+ target-i386/machine.c | 21 +++++++++++++++++++++
+ 3 files changed, 40 insertions(+)
+
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index 5697dc6..b23242d 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -304,6 +304,7 @@
+ #define MSR_IA32_APICBASE_ENABLE (1<<11)
+ #define MSR_IA32_APICBASE_BASE (0xfffff<<12)
+ #define MSR_TSC_ADJUST 0x0000003b
++#define MSR_IA32_SPEC_CTRL 0x48
+ #define MSR_IA32_TSCDEADLINE 0x6e0
+
+ #define MSR_P6_PERFCTR0 0xc1
+@@ -958,6 +959,7 @@ typedef struct CPUX86State {
+ uint64_t msr_fixed_counters[MAX_FIXED_COUNTERS];
+ uint64_t msr_gp_counters[MAX_GP_COUNTERS];
+ uint64_t msr_gp_evtsel[MAX_GP_COUNTERS];
++
+ uint64_t msr_hv_hypercall;
+ uint64_t msr_hv_guest_os_id;
+ uint64_t msr_hv_vapic;
+@@ -1030,6 +1032,8 @@ typedef struct CPUX86State {
+ uint64_t xcr0;
+ uint64_t xss;
+
++ uint64_t spec_ctrl;
++
+ TPRAccess tpr_access_type;
+ } CPUX86State;
+
+diff --git a/target-i386/kvm.c b/target-i386/kvm.c
+index 6a479f4..ff58314 100644
+--- a/target-i386/kvm.c
++++ b/target-i386/kvm.c
+@@ -77,6 +77,7 @@ static bool has_msr_hv_vapic;
+ static bool has_msr_hv_tsc;
+ static bool has_msr_mtrr;
+ static bool has_msr_xss;
++static bool has_msr_spec_ctrl;
+
+ static bool has_msr_architectural_pmu;
+ static uint32_t num_architectural_pmu_counters;
+@@ -800,6 +801,10 @@ static int kvm_get_supported_msrs(KVMState *s)
+ has_msr_xss = true;
+ continue;
+ }
++ if (kvm_msr_list->indices[i] == MSR_IA32_SPEC_CTRL) {
++ has_msr_spec_ctrl = true;
++ continue;
++ }
+ }
+ }
+
+@@ -1185,6 +1190,9 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
+ if (has_msr_xss) {
+ kvm_msr_entry_set(&msrs[n++], MSR_IA32_XSS, env->xss);
+ }
++ if (has_msr_spec_ctrl) {
++ kvm_msr_entry_set(&msrs[n++], MSR_IA32_SPEC_CTRL, env->spec_ctrl);
++ }
+ #ifdef TARGET_X86_64
+ if (lm_capable_kernel) {
+ kvm_msr_entry_set(&msrs[n++], MSR_CSTAR, env->cstar);
+@@ -1193,6 +1201,7 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
+ kvm_msr_entry_set(&msrs[n++], MSR_LSTAR, env->lstar);
+ }
+ #endif
++
+ if (level == KVM_PUT_FULL_STATE) {
+ /*
+ * KVM is yet unable to synchronize TSC values of multiple VCPUs on
+@@ -1541,6 +1550,9 @@ static int kvm_get_msrs(X86CPU *cpu)
+ if (has_msr_xss) {
+ msrs[n++].index = MSR_IA32_XSS;
+ }
++ if (has_msr_spec_ctrl) {
++ msrs[n++].index = MSR_IA32_SPEC_CTRL;
++ }
+
+
+ if (!env->tsc_valid) {
+@@ -1783,6 +1795,9 @@ static int kvm_get_msrs(X86CPU *cpu)
+ env->mtrr_var[MSR_MTRRphysIndex(index)].base = msrs[i].data;
+ }
+ break;
++ case MSR_IA32_SPEC_CTRL:
++ env->spec_ctrl = msrs[i].data;
++ break;
+ }
+ }
+
+diff --git a/target-i386/machine.c b/target-i386/machine.c
+index ce7fcd3..4092cae 100644
+--- a/target-i386/machine.c
++++ b/target-i386/machine.c
+@@ -722,6 +722,24 @@ static const VMStateDescription vmstate_xss = {
+ }
+ };
+
++static bool spec_ctrl_needed(void *opaque)
++{
++ X86CPU *cpu = opaque;
++ CPUX86State *env = &cpu->env;
++
++ return env->spec_ctrl != 0;
++}
++
++static const VMStateDescription vmstate_spec_ctrl = {
++ .name = "cpu/spec_ctrl",
++ .version_id = 1,
++ .minimum_version_id = 1,
++ .fields = (VMStateField[]){
++ VMSTATE_UINT64(env.spec_ctrl, X86CPU),
++ VMSTATE_END_OF_LIST()
++ }
++};
++
+ const VMStateDescription vmstate_x86_cpu = {
+ .name = "cpu",
+ .version_id = 12,
+@@ -871,6 +889,9 @@ const VMStateDescription vmstate_x86_cpu = {
+ }, {
+ .vmsd = &vmstate_xss,
+ .needed = xss_needed,
++ }, {
++ .vmsd = &vmstate_spec_ctrl,
++ .needed = spec_ctrl_needed,
+ } , {
+ /* empty */
+ }
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran.patch b/SOURCES/kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran.patch
new file mode 100644
index 0000000..5ce64cc
--- /dev/null
+++ b/SOURCES/kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran.patch
@@ -0,0 +1,411 @@
+From d4caecffd38c2a9c16ea717e9c863d3214093b32 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Wed, 13 Dec 2017 15:42:57 -0200
+Subject: [PATCH 3/3] target-i386: cpu: add new CPU models for indirect branch
+ predictor restrictions
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20171213174257.20475-4-ehabkost@redhat.com>
+Patchwork-id: n/a
+O-Subject: [CONFIDENTIAL][RHEL-7.4.z qemu-kvm PATCH v2 3/3] target-i386: cpu: add
+ new CPU models for indirect branch predictor restrictions
+Bugzilla: CVE-2017-5715
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
+
+To ensure the New CPU models won't introduce any unexpected
+changes except for the spec-ctrl feature (even if people are
+running older machine-types), copy all compat_props entries for
+existing CPU models to their *-IBRS versions.
+
+The only entries that are not being copied are the ones touching
+"(min-)level" and "(min-)xlevel" because it's an expected result
+of the CPU model change (otherwise the spec-ctrl feature would
+remain unavailable to the guest).
+
+The entries that had to be copied can be found using:
+ $ git grep -E 'Nehalem|Westmere|SandyBridge|IvyBridge|Haswell-noTSX|Haswell|Broadwell-noTSX|Broadwell|Skylake-Client|Skylake-Server|EPYC'
+
+Note that the upstream-only PC_COMPAT_* macros are not being
+touched as they are not used by the RHEL machine-types.
+---
+ hw/i386/pc_piix.c | 17 ++++
+ hw/i386/pc_q35.c | 1 +
+ target-i386/cpu.c | 236 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ target-i386/cpu.h | 3 +
+ 4 files changed, 257 insertions(+)
+
+diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
+index b043124..c53a6d4 100644
+--- a/hw/i386/pc_piix.c
++++ b/hw/i386/pc_piix.c
+@@ -753,7 +753,9 @@ static void pc_compat_rhel700(QEMUMachineInitArgs *args)
+ x86_cpu_compat_set_features("Conroe", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ x86_cpu_compat_set_features("Penryn", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ x86_cpu_compat_set_features("Nehalem", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
++ x86_cpu_compat_set_features("Nehalem-IBRS", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ x86_cpu_compat_set_features("Westmere", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
++ x86_cpu_compat_set_features("Westmere-IBRS", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ /* SandyBridge and Haswell already have x2apic enabled */
+ x86_cpu_compat_set_features("Opteron_G1", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ x86_cpu_compat_set_features("Opteron_G2", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+@@ -928,18 +930,31 @@ static void pc_compat_rhel660(QEMUMachineInitArgs *args)
+ x86_cpu_compat_set_features("Conroe", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ x86_cpu_compat_set_features("Penryn", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ x86_cpu_compat_set_features("Nehalem", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
++ x86_cpu_compat_set_features("Nehalem-IBRS", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ x86_cpu_compat_set_features("Westmere", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
++ x86_cpu_compat_set_features("Westmere-IBRS", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ x86_cpu_compat_set_features("Westmere", FEAT_1_ECX, 0, CPUID_EXT_PCLMULQDQ);
++ x86_cpu_compat_set_features("Westmere-IBRS", FEAT_1_ECX, 0, CPUID_EXT_PCLMULQDQ);
+ x86_cpu_compat_set_features("Westmere", FEAT_8000_0001_EDX,
+ CPUID_EXT2_FXSR | CPUID_EXT2_MMX | CPUID_EXT2_PAT |
+ CPUID_EXT2_CMOV | CPUID_EXT2_PGE | CPUID_EXT2_APIC |
+ CPUID_EXT2_CX8 | CPUID_EXT2_MCE | CPUID_EXT2_PAE | CPUID_EXT2_MSR |
+ CPUID_EXT2_TSC | CPUID_EXT2_PSE | CPUID_EXT2_DE | CPUID_EXT2_FPU,
+ 0);
++ x86_cpu_compat_set_features("Westmere-IBRS", FEAT_8000_0001_EDX,
++ CPUID_EXT2_FXSR | CPUID_EXT2_MMX | CPUID_EXT2_PAT |
++ CPUID_EXT2_CMOV | CPUID_EXT2_PGE | CPUID_EXT2_APIC |
++ CPUID_EXT2_CX8 | CPUID_EXT2_MCE | CPUID_EXT2_PAE | CPUID_EXT2_MSR |
++ CPUID_EXT2_TSC | CPUID_EXT2_PSE | CPUID_EXT2_DE | CPUID_EXT2_FPU,
++ 0);
+ x86_cpu_compat_set_features("Broadwell", FEAT_8000_0001_EDX,
+ 0, CPUID_EXT2_RDTSCP);
++ x86_cpu_compat_set_features("Broadwell-IBRS", FEAT_8000_0001_EDX,
++ 0, CPUID_EXT2_RDTSCP);
+ x86_cpu_compat_set_features("Broadwell", FEAT_7_0_EBX,
+ 0, CPUID_7_0_EBX_SMAP);
++ x86_cpu_compat_set_features("Broadwell-IBRS", FEAT_7_0_EBX,
++ 0, CPUID_7_0_EBX_SMAP);
+
+ /* RHEL-6 kernel never supported exposing RDTSCP */
+ x86_cpu_compat_set_features(NULL, FEAT_8000_0001_EDX, 0, CPUID_EXT2_RDTSCP);
+@@ -1122,6 +1137,8 @@ static void pc_compat_rhel630(QEMUMachineInitArgs *args)
+ enable_compat_apic_id_mode();
+ x86_cpu_compat_set_features("SandyBridge", FEAT_1_ECX,
+ 0, CPUID_EXT_TSC_DEADLINE_TIMER);
++ x86_cpu_compat_set_features("SandyBridge-IBRS", FEAT_1_ECX,
++ 0, CPUID_EXT_TSC_DEADLINE_TIMER);
+ }
+
+ static void pc_init_rhel630(QEMUMachineInitArgs *args)
+diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
+index 850a25a..e6043df 100644
+--- a/hw/i386/pc_q35.c
++++ b/hw/i386/pc_q35.c
+@@ -228,6 +228,7 @@ static void pc_q35_init_1_4(QEMUMachineInitArgs *args)
+ {
+ x86_cpu_compat_set_features("n270", FEAT_1_ECX, 0, CPUID_EXT_MOVBE);
+ x86_cpu_compat_set_features("Westmere", FEAT_1_ECX, 0, CPUID_EXT_PCLMULQDQ);
++ x86_cpu_compat_set_features("Westmere-IBRS", FEAT_1_ECX, 0, CPUID_EXT_PCLMULQDQ);
+ pc_q35_init_1_5(args);
+ }
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 400a7ab..9e238ba 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -882,6 +882,31 @@ static x86_def_t builtin_x86_defs[] = {
+ .model_id = "Intel Core i7 9xx (Nehalem Class Core i7)",
+ },
+ {
++ .name = "Nehalem-IBRS",
++ .level = 11,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 26,
++ .stepping = 3,
++ .features[FEAT_1_EDX] =
++ CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_POPCNT | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 |
++ CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_SSE3,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_SYSCALL | CPUID_EXT2_NX,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_LAHF_LM,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Core i7 9xx (Nehalem Core i7, IBRS update)",
++ },
++ {
+ .name = "Westmere",
+ .level = 11,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -906,6 +931,32 @@ static x86_def_t builtin_x86_defs[] = {
+ .model_id = "Westmere E56xx/L56xx/X56xx (Nehalem-C)",
+ },
+ {
++ .name = "Westmere-IBRS",
++ .level = 11,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 44,
++ .stepping = 1,
++ .features[FEAT_1_EDX] =
++ CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AES | CPUID_EXT_POPCNT | CPUID_EXT_SSE42 |
++ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
++ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_SYSCALL | CPUID_EXT2_NX,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_LAHF_LM,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .xlevel = 0x80000008,
++ .model_id = "Westmere E56xx/L56xx/X56xx (IBRS update)",
++ },
++ {
+ .name = "SandyBridge",
+ .level = 0xd,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -935,6 +986,37 @@ static x86_def_t builtin_x86_defs[] = {
+ .model_id = "Intel Xeon E312xx (Sandy Bridge)",
+ },
+ {
++ .name = "SandyBridge-IBRS",
++ .level = 0xd,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 42,
++ .stepping = 1,
++ .features[FEAT_1_EDX] =
++ CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_POPCNT |
++ CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 |
++ CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_PCLMULQDQ |
++ CPUID_EXT_SSE3,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++ CPUID_EXT2_SYSCALL,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_LAHF_LM,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_XSAVE] =
++ CPUID_XSAVE_XSAVEOPT,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Xeon E312xx (Sandy Bridge, IBRS update)",
++ },
++ {
+ .name = "IvyBridge",
+ .level = 0xd,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -967,6 +1049,40 @@ static x86_def_t builtin_x86_defs[] = {
+ .model_id = "Intel Xeon E3-12xx v2 (Ivy Bridge)",
+ },
+ {
++ .name = "IvyBridge-IBRS",
++ .level = 0xd,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 58,
++ .stepping = 9,
++ .features[FEAT_1_EDX] =
++ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_POPCNT |
++ CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 |
++ CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_PCLMULQDQ |
++ CPUID_EXT_SSE3 | CPUID_EXT_F16C | CPUID_EXT_RDRAND,
++ .features[FEAT_7_0_EBX] =
++ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_SMEP |
++ CPUID_7_0_EBX_ERMS,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++ CPUID_EXT2_SYSCALL,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_LAHF_LM,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_XSAVE] =
++ CPUID_XSAVE_XSAVEOPT,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Xeon E3-12xx v2 (Ivy Bridge, IBRS)",
++ },
++ {
+ .name = "Haswell",
+ .level = 0xd,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -1002,6 +1118,43 @@ static x86_def_t builtin_x86_defs[] = {
+ .model_id = "Intel Core Processor (Haswell)",
+ },
+ {
++ .name = "Haswell-IBRS",
++ .level = 0xd,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 60,
++ .stepping = 4,
++ .features[FEAT_1_EDX] =
++ CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++ CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
++ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
++ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE |
++ CPUID_EXT_PCID,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++ CPUID_EXT2_SYSCALL,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_LAHF_LM,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_7_0_EBX] =
++ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 |
++ CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP |
++ CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID |
++ CPUID_7_0_EBX_RTM,
++ .features[FEAT_XSAVE] =
++ CPUID_XSAVE_XSAVEOPT,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Core Processor (Haswell, IBRS)",
++ },
++ {
+ .name = "Broadwell",
+ .level = 0xd,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -1038,6 +1191,44 @@ static x86_def_t builtin_x86_defs[] = {
+ .model_id = "Intel Core Processor (Broadwell)",
+ },
+ {
++ .name = "Broadwell-IBRS",
++ .level = 0xd,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 61,
++ .stepping = 2,
++ .features[FEAT_1_EDX] =
++ CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++ CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
++ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
++ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE |
++ CPUID_EXT_PCID,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++ CPUID_EXT2_SYSCALL,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_LAHF_LM | CPUID_EXT3_3DNOWPREFETCH,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_7_0_EBX] =
++ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 |
++ CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP |
++ CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID |
++ CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX |
++ CPUID_7_0_EBX_SMAP,
++ .features[FEAT_XSAVE] =
++ CPUID_XSAVE_XSAVEOPT,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Core Processor (Broadwell, IBRS)",
++ },
++ {
+ .name = "Skylake-Client",
+ .level = 0xd,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -1081,6 +1272,51 @@ static x86_def_t builtin_x86_defs[] = {
+ .model_id = "Intel Core Processor (Skylake)",
+ },
+ {
++ .name = "Skylake-Client-IBRS",
++ .level = 0xd,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 94,
++ .stepping = 3,
++ .features[FEAT_1_EDX] =
++ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++ CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
++ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
++ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE |
++ CPUID_EXT_PCID | CPUID_EXT_F16C | CPUID_EXT_RDRAND,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++ CPUID_EXT2_SYSCALL,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_ABM | CPUID_EXT3_LAHF_LM | CPUID_EXT3_3DNOWPREFETCH,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_7_0_EBX] =
++ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 |
++ CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP |
++ CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID |
++ CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX |
++ CPUID_7_0_EBX_SMAP | CPUID_7_0_EBX_MPX,
++ /* Missing: XSAVES (not supported by some Linux versions,
++ * including v4.1 to v4.12).
++ * KVM doesn't yet expose any XSAVES state save component,
++ * and the only one defined in Skylake (processor tracing)
++ * probably will block migration anyway.
++ */
++ .features[FEAT_XSAVE] =
++ CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC |
++ CPUID_XSAVE_XGETBV1,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Core Processor (Skylake, IBRS)",
++ },
++ {
+ .name = "Opteron_G1",
+ .level = 5,
+ .vendor = CPUID_VENDOR_AMD,
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index b23242d..9353b48 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -587,6 +587,9 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
+
+ #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
+ #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
++#define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Indirect Branch - Restrict Speculation */
++
++#define CPUID_8000_0008_EBX_IBPB (1U << 12) /* Indirect Branch Prediction Barrier */
+
+ #define CPUID_XSAVE_XSAVEOPT (1U << 0)
+ #define CPUID_XSAVE_XSAVEC (1U << 1)
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran.patch b/SOURCES/kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran.patch
new file mode 100644
index 0000000..c1a19c2
--- /dev/null
+++ b/SOURCES/kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran.patch
@@ -0,0 +1,79 @@
+From 0e04ead1cdde827f1c0a20f8b83c76386dbf33e2 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost <ehabkost@redhat.com>
+Date: Wed, 13 Dec 2017 15:42:55 -0200
+Subject: [PATCH 1/3] target-i386: cpu: add new CPUID bits for indirect branch
+ predictor restrictions
+
+RH-Author: Eduardo Habkost <ehabkost@redhat.com>
+Message-id: <20171213174257.20475-2-ehabkost@redhat.com>
+Patchwork-id: n/a
+O-Subject: [CONFIDENTIAL][RHEL-7.4.z qemu-kvm PATCH v2 1/3] target-i386: cpu:
+ add new CPUID bits for indirect branch predictor restrictions
+Bugzilla: CVE-2017-5715
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
+---
+ target-i386/cpu.c | 19 ++++++++++++++++++-
+ target-i386/cpu.h | 1 +
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index ae56995..400a7ab 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -172,6 +172,17 @@ static const char *cpuid_7_0_edx_feature_name[] = {
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
++ NULL, NULL, "spec-ctrl", "stibp",
++ NULL, "arch-facilities", NULL, NULL,
++};
++
++static const char *cpuid_80000008_ebx_feature_name[] = {
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ "ibpb", NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ };
+@@ -314,6 +325,12 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+ .cpuid_reg = R_EDX,
+ .tcg_features = TCG_7_0_EDX_FEATURES,
+ },
++ [FEAT_8000_0008_EBX] = {
++ .feat_names = cpuid_80000008_ebx_feature_name,
++ .cpuid_eax = 0x80000008,
++ .cpuid_needs_ecx = false, .cpuid_ecx = 0,
++ .cpuid_reg = R_EBX,
++ },
+ [FEAT_XSAVE] = {
+ .feat_names = cpuid_xsave_feature_name,
+ .cpuid_eax = 0xd,
+@@ -2371,7 +2388,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
+ *eax = 0x00000020; /* 32 bits physical */
+ }
+ }
+- *ebx = 0;
++ *ebx = env->features[FEAT_8000_0008_EBX];
+ *ecx = 0;
+ *edx = 0;
+ if (cs->nr_cores * cs->nr_threads > 1) {
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index ac60309..5697dc6 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -405,6 +405,7 @@ typedef enum FeatureWord {
+ FEAT_7_0_EDX, /* CPUID[EAX=7,ECX=0].EDX */
+ FEAT_8000_0001_EDX, /* CPUID[8000_0001].EDX */
+ FEAT_8000_0001_ECX, /* CPUID[8000_0001].ECX */
++ FEAT_8000_0008_EBX, /* CPUID[8000_0008].EBX */
+ FEAT_C000_0001_EDX, /* CPUID[C000_0001].EDX */
+ FEAT_KVM, /* CPUID[4000_0001].EAX (KVM_CPUID_FEATURES) */
+ FEAT_SVM, /* CPUID[8000_000A].EDX */
+--
+1.8.3.1
+
diff --git a/SOURCES/kvm-vfio-pci-Only-mmap-TARGET_PAGE_SIZE-regions.patch b/SOURCES/kvm-vfio-pci-Only-mmap-TARGET_PAGE_SIZE-regions.patch
new file mode 100644
index 0000000..8b84636
--- /dev/null
+++ b/SOURCES/kvm-vfio-pci-Only-mmap-TARGET_PAGE_SIZE-regions.patch
@@ -0,0 +1,61 @@
+From daa0c48addc50413b79612d9e7251a9cbf35af48 Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Mon, 20 Nov 2017 16:21:44 +0100
+Subject: [PATCH] vfio/pci: Only mmap >= TARGET_PAGE_SIZE regions
+
+RH-Author: Alex Williamson <alex.williamson@redhat.com>
+Message-id: <20171120162044.30263.60064.stgit@gimli.home>
+Patchwork-id: 77755
+O-Subject: [RHEL-7.4.z qemu-kvm PATCH] vfio/pci: Only mmap >= TARGET_PAGE_SIZE regions
+Bugzilla: 1515110
+RH-Acked-by: Paolo Bonzini <pbonzini@redhat.com>
+RH-Acked-by: Thomas Huth <thuth@redhat.com>
+RH-Acked-by: Auger Eric <eric.auger@redhat.com>
+
+Upstream Status: RHEL-only (very small subset of db0da029a185)
+Tested: Teradici USB assignment
+
+Upstream kernel commit 05f0c03fbac1 ('vfio-pci: Allow to mmap sub-page
+MMIO BARs if the mmio page is exclusive') [RHEL-7.4 390f15a45024] allows
+vfio-pci to expose the VFIO_REGION_INFO_FLAG_MMAP flag, indicating the
+region can be mmap'd, for sub-page PCI BARs iff the BAR is page aligned
+and the remainder of the page can be reserved to ensure that it's not
+used for other purposes. Unfortunately QEMU versions prior to v2.6.0
+blindly accept the MMAP flag with no special handling of these sub-page
+mmaps. This went unnoticed upstream, but was inadvertently fixed by
+commit db0da029a185 ('vfio: Generalize region support') which ensures
+that the region size is a multiple of page size. This returns us to
+the previous behavior where sub-page regions are not mmap'd, even though
+the kernel now allows it. This QEMU commit has since been picked up in
+qemu-kvm with the backport of the above as a33e922436f7. qemu-kvm-rhev
+has had this support since RHEL-7.3. Furthermore, upstream commit
+95251725e335 ('vfio: Add support for mmapping sub-page MMIO BARs')
+allows QEMU to fully make use of these sub-page mmaps. qemu-kvm-rhev
+acquired this capability in the RHEL-7.4 rebase.
+
+Here we extract only the portion of db0da029a185 which excludes sub-page
+regions from being mmap'd.
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Miroslav Rezanina <mrezanin@redhat.com>
+---
+ hw/misc/vfio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
+index 4fdc09a..adfefec 100644
+--- a/hw/misc/vfio.c
++++ b/hw/misc/vfio.c
+@@ -2576,7 +2576,8 @@ static int vfio_mmap_bar(VFIOBAR *bar, MemoryRegion *mem, MemoryRegion *submem,
+ {
+ int ret = 0;
+
+- if (VFIO_ALLOW_MMAP && size && bar->flags & VFIO_REGION_INFO_FLAG_MMAP) {
++ if (VFIO_ALLOW_MMAP && size && bar->flags & VFIO_REGION_INFO_FLAG_MMAP &&
++ !(size & ~TARGET_PAGE_MASK)) {
+ int prot = 0;
+
+ if (bar->flags & VFIO_REGION_INFO_FLAG_READ) {
+--
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index ec913ee..d7ccc69 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version} \
Summary: QEMU is a machine emulator and virtualizer
Name: %{pkgname}%{?pkgsuffix}
Version: 1.5.3
-Release: 141%{?dist}.4
+Release: 141%{?dist}.6
# Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
Epoch: 10
License: GPLv2+ and LGPLv2+ and BSD
@@ -3624,6 +3624,14 @@ Patch1783: kvm-vga-handle-cirrus-vbe-mode-wraparounds.patch
Patch1784: kvm-cirrus-fix-oob-access-in-mode4and5-write-functions.patch
# For bz#1501120 - CVE-2017-14167 qemu-kvm: Qemu: i386: multiboot OOB access while loading kernel image [rhel-7.4.z]
Patch1785: kvm-multiboot-validate-multiboot-header-address-values.patch
+# For bz#1515110 - Regression in QEMU handling for sub-page MMIO BARs for vfio-pci devices [rhel-7.4.z]
+Patch1786: kvm-vfio-pci-Only-mmap-TARGET_PAGE_SIZE-regions.patch
+# For CVE-2017-5715
+Patch1787: kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran.patch
+# For CVE-2017-5715
+Patch1788: kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch
+# For CVE-2017-5715
+Patch1789: kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran.patch
BuildRequires: zlib-devel
@@ -5587,6 +5595,10 @@ tar -xf %{SOURCE21}
%patch1783 -p1
%patch1784 -p1
%patch1785 -p1
+%patch1786 -p1
+%patch1787 -p1
+%patch1788 -p1
+%patch1789 -p1
%build
buildarch="%{kvm_target}-softmmu"
@@ -6032,6 +6044,14 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
%{_mandir}/man8/qemu-nbd.8*
%changelog
+* Thu Dec 14 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-141.el7_4.6
+- Fix CVE-2017-5715
+
+* Wed Nov 29 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-141.el7_4.5
+- kvm-vfio-pci-Only-mmap-TARGET_PAGE_SIZE-regions.patch [bz#1515110]
+- Resolves: bz#1515110
+ (Regression in QEMU handling for sub-page MMIO BARs for vfio-pci devices [rhel-7.4.z])
+
* Fri Nov 10 2017 Miroslav Rezanina <mrezanin@redhat.com> - 1.5.3-141.el7_4.4
- kvm-multiboot-validate-multiboot-header-address-values.patch [bz#1501120]
- Resolves: bz#1501120