diff --git a/SOURCES/kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch b/SOURCES/kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch
new file mode 100644
index 0000000..b8df930
--- /dev/null
+++ b/SOURCES/kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch
@@ -0,0 +1,152 @@
+From 6d0877d3a5dff82b854a7eee38ef7558dfa1d4ef Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost
+Date: Wed, 13 Dec 2017 15:42:56 -0200
+Subject: [PATCH 2/3] target-i386: add support for SPEC_CTRL MSR
+
+RH-Author: Eduardo Habkost
+Message-id: <20171213174257.20475-3-ehabkost@redhat.com>
+Patchwork-id: n/a
+O-Subject: [CONFIDENTIAL][RHEL-7.4.z qemu-kvm PATCH v2 2/3] target-i386: add
+ support for SPEC_CTRL MSR
+Bugzilla: CVE-2017-5715
+RH-Acked-by: Paolo Bonzini
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Wainer dos Santos Moschetta
+---
+ target-i386/cpu.h | 4 ++++
+ target-i386/kvm.c | 15 +++++++++++++++
+ target-i386/machine.c | 21 +++++++++++++++++++++
+ 3 files changed, 40 insertions(+)
+
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index 5697dc6..b23242d 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -304,6 +304,7 @@
+ #define MSR_IA32_APICBASE_ENABLE (1<<11)
+ #define MSR_IA32_APICBASE_BASE (0xfffff<<12)
+ #define MSR_TSC_ADJUST 0x0000003b
++#define MSR_IA32_SPEC_CTRL 0x48
+ #define MSR_IA32_TSCDEADLINE 0x6e0
+ 
+ #define MSR_P6_PERFCTR0 0xc1
+@@ -958,6 +959,7 @@ typedef struct CPUX86State {
+ uint64_t msr_fixed_counters[MAX_FIXED_COUNTERS];
+ uint64_t msr_gp_counters[MAX_GP_COUNTERS];
+ uint64_t msr_gp_evtsel[MAX_GP_COUNTERS];
++
+ uint64_t msr_hv_hypercall;
+ uint64_t msr_hv_guest_os_id;
+ uint64_t msr_hv_vapic;
+@@ -1030,6 +1032,8 @@ typedef struct CPUX86State {
+ uint64_t xcr0;
+ uint64_t xss;
+ 
++ uint64_t spec_ctrl;
++
+ TPRAccess tpr_access_type;
+ } CPUX86State;
+ 
+diff --git a/target-i386/kvm.c b/target-i386/kvm.c
+index 6a479f4..ff58314 100644
+--- a/target-i386/kvm.c
++++ b/target-i386/kvm.c
+@@ -77,6 +77,7 @@ static bool has_msr_hv_vapic;
+ static bool has_msr_hv_tsc;
+ static bool has_msr_mtrr;
+ static bool has_msr_xss;
++static bool has_msr_spec_ctrl;
+ 
+ static bool has_msr_architectural_pmu;
+ static uint32_t num_architectural_pmu_counters;
+@@ -800,6 +801,10 @@ static int kvm_get_supported_msrs(KVMState *s)
+ has_msr_xss = true;
+ continue;
+ }
++ if (kvm_msr_list->indices[i] == MSR_IA32_SPEC_CTRL) {
++ has_msr_spec_ctrl = true;
++ continue;
++ }
+ }
+ }
+ 
+@@ -1185,6 +1190,9 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
+ if (has_msr_xss) {
+ kvm_msr_entry_set(&msrs[n++], MSR_IA32_XSS, env->xss);
+ }
++ if (has_msr_spec_ctrl) {
++ kvm_msr_entry_set(&msrs[n++], MSR_IA32_SPEC_CTRL, env->spec_ctrl);
++ }
+ #ifdef TARGET_X86_64
+ if (lm_capable_kernel) {
+ kvm_msr_entry_set(&msrs[n++], MSR_CSTAR, env->cstar);
+@@ -1193,6 +1201,7 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
+ kvm_msr_entry_set(&msrs[n++], MSR_LSTAR, env->lstar);
+ }
+ #endif
++
+ if (level == KVM_PUT_FULL_STATE) {
+ /*
+ * KVM is yet unable to synchronize TSC values of multiple VCPUs on
+@@ -1541,6 +1550,9 @@ static int kvm_get_msrs(X86CPU *cpu)
+ if (has_msr_xss) {
+ msrs[n++].index = MSR_IA32_XSS;
+ }
++ if (has_msr_spec_ctrl) {
++ msrs[n++].index = MSR_IA32_SPEC_CTRL;
++ }
+ 
+ 
+ if (!env->tsc_valid) {
+@@ -1783,6 +1795,9 @@ static int kvm_get_msrs(X86CPU *cpu)
+ env->mtrr_var[MSR_MTRRphysIndex(index)].base = msrs[i].data;
+ }
+ break;
++ case MSR_IA32_SPEC_CTRL:
++ env->spec_ctrl = msrs[i].data;
++ break;
+ }
+ }
+ 
+diff --git a/target-i386/machine.c b/target-i386/machine.c
+index ce7fcd3..4092cae 100644
+--- a/target-i386/machine.c
++++ b/target-i386/machine.c
+@@ -722,6 +722,24 @@ static const VMStateDescription vmstate_xss = {
+ }
+ };
+ 
++static bool spec_ctrl_needed(void *opaque)
++{
++ X86CPU *cpu = opaque;
++ CPUX86State *env = &cpu->env;
++
++ return env->spec_ctrl != 0;
++}
++
++static const VMStateDescription vmstate_spec_ctrl = {
++ .name = "cpu/spec_ctrl",
++ .version_id = 1,
++ .minimum_version_id = 1,
++ .fields = (VMStateField[]){
++ VMSTATE_UINT64(env.spec_ctrl, X86CPU),
++ VMSTATE_END_OF_LIST()
++ }
++};
++
+ const VMStateDescription vmstate_x86_cpu = {
+ .name = "cpu",
+ .version_id = 12,
+@@ -871,6 +889,9 @@ const VMStateDescription vmstate_x86_cpu = {
+ }, {
+ .vmsd = &vmstate_xss,
+ .needed = xss_needed,
++ }, {
++ .vmsd = &vmstate_spec_ctrl,
++ .needed = spec_ctrl_needed,
+ } , {
+ /* empty */
+ }
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran.patch b/SOURCES/kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran.patch
new file mode 100644
index 0000000..5ce64cc
--- /dev/null
+++ b/SOURCES/kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran.patch
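Review bot: `MSR_IA32_SPEC_CTRL` is defined as `0x48` between neighbours written as zero-padded 8-digit hex (`MSR_TSC_ADJUST 0x0000003b`), and the cpu.h hunk at `@@ -958` plus the kvm.c hunk at `@@ -1193` each add an unrelated blank line; in a CVE backport those whitespace-only changes only make later rebases noisier, so I would drop them and write `#define MSR_IA32_SPEC_CTRL 0x00000048`. The new `vmstate_spec_ctrl` subsection is sent only when `spec_ctrl_needed` sees a non-zero value, so a guest that never wrote the MSR stays migratable to a qemu-kvm without this patch while one that did will presumably fail on the unknown subsection; that trade-off deserves a comment above `spec_ctrl_needed`, e.g. `/* Optional subsection: guests that never touched SPEC_CTRL can still migrate to older qemu-kvm. */`. Note also that `has_msr_spec_ctrl` comes from the host MSR index list rather than the guest CPUID, so `kvm_put_msrs` writes the MSR whenever the host supports it even for models without spec-ctrl; I assume KVM accepts the zero write in that case, but it is worth confirming against the target kernel.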
@@ -0,0 +1,411 @@
+From d4caecffd38c2a9c16ea717e9c863d3214093b32 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost
+Date: Wed, 13 Dec 2017 15:42:57 -0200
+Subject: [PATCH 3/3] target-i386: cpu: add new CPU models for indirect branch
+ predictor restrictions
+
+RH-Author: Eduardo Habkost
+Message-id: <20171213174257.20475-4-ehabkost@redhat.com>
+Patchwork-id: n/a
+O-Subject: [CONFIDENTIAL][RHEL-7.4.z qemu-kvm PATCH v2 3/3] target-i386: cpu: add
+ new CPU models for indirect branch predictor restrictions
+Bugzilla: CVE-2017-5715
+RH-Acked-by: Paolo Bonzini
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Wainer dos Santos Moschetta
+
+To ensure the New CPU models won't introduce any unexpected
+changes except for the spec-ctrl feature (even if people are
+running older machine-types), copy all compat_props entries for
+existing CPU models to their *-IBRS versions.
+
+The only entries that are not being copied are the ones touching
+"(min-)level" and "(min-)xlevel" because it's an expected result
+of the CPU model change (otherwise the spec-ctrl feature would
+remain unavailable to the guest).
+
+The entries that had to be copied can be found using:
+ $ git grep -E 'Nehalem|Westmere|SandyBridge|IvyBridge|Haswell-noTSX|Haswell|Broadwell-noTSX|Broadwell|Skylake-Client|Skylake-Server|EPYC'
+
+Note that the upstream-only PC_COMPAT_* macros are not being
+touched as they are not used by the RHEL machine-types.
+---
+ hw/i386/pc_piix.c | 17 ++++
+ hw/i386/pc_q35.c | 1 +
+ target-i386/cpu.c | 236 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ target-i386/cpu.h | 3 +
+ 4 files changed, 257 insertions(+)
+
+diff --git a/hw/i386/pc_piix.c b/hw/i386/pc_piix.c
+index b043124..c53a6d4 100644
+--- a/hw/i386/pc_piix.c
++++ b/hw/i386/pc_piix.c
+@@ -753,7 +753,9 @@ static void pc_compat_rhel700(QEMUMachineInitArgs *args)
+ x86_cpu_compat_set_features("Conroe", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ x86_cpu_compat_set_features("Penryn", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ x86_cpu_compat_set_features("Nehalem", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
++ x86_cpu_compat_set_features("Nehalem-IBRS", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ x86_cpu_compat_set_features("Westmere", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
++ x86_cpu_compat_set_features("Westmere-IBRS", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ /* SandyBridge and Haswell already have x2apic enabled */
+ x86_cpu_compat_set_features("Opteron_G1", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ x86_cpu_compat_set_features("Opteron_G2", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+@@ -928,18 +930,31 @@ static void pc_compat_rhel660(QEMUMachineInitArgs *args)
+ x86_cpu_compat_set_features("Conroe", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ x86_cpu_compat_set_features("Penryn", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ x86_cpu_compat_set_features("Nehalem", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
++ x86_cpu_compat_set_features("Nehalem-IBRS", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ x86_cpu_compat_set_features("Westmere", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
++ x86_cpu_compat_set_features("Westmere-IBRS", FEAT_1_ECX, CPUID_EXT_X2APIC, 0);
+ x86_cpu_compat_set_features("Westmere", FEAT_1_ECX, 0, CPUID_EXT_PCLMULQDQ);
++ x86_cpu_compat_set_features("Westmere-IBRS", FEAT_1_ECX, 0, CPUID_EXT_PCLMULQDQ);
+ x86_cpu_compat_set_features("Westmere", FEAT_8000_0001_EDX,
+ CPUID_EXT2_FXSR | CPUID_EXT2_MMX | CPUID_EXT2_PAT |
+ CPUID_EXT2_CMOV | CPUID_EXT2_PGE | CPUID_EXT2_APIC |
+ CPUID_EXT2_CX8 | CPUID_EXT2_MCE | CPUID_EXT2_PAE | CPUID_EXT2_MSR |
+ CPUID_EXT2_TSC | CPUID_EXT2_PSE | CPUID_EXT2_DE | CPUID_EXT2_FPU,
+ 0);
++ x86_cpu_compat_set_features("Westmere-IBRS", FEAT_8000_0001_EDX,
++ CPUID_EXT2_FXSR | CPUID_EXT2_MMX | CPUID_EXT2_PAT |
++ CPUID_EXT2_CMOV | CPUID_EXT2_PGE | CPUID_EXT2_APIC |
++ CPUID_EXT2_CX8 | CPUID_EXT2_MCE | CPUID_EXT2_PAE | CPUID_EXT2_MSR |
++ CPUID_EXT2_TSC | CPUID_EXT2_PSE | CPUID_EXT2_DE | CPUID_EXT2_FPU,
++ 0);
+ x86_cpu_compat_set_features("Broadwell", FEAT_8000_0001_EDX,
+ 0, CPUID_EXT2_RDTSCP);
++ x86_cpu_compat_set_features("Broadwell-IBRS", FEAT_8000_0001_EDX,
++ 0, CPUID_EXT2_RDTSCP);
+ x86_cpu_compat_set_features("Broadwell", FEAT_7_0_EBX,
+ 0, CPUID_7_0_EBX_SMAP);
++ x86_cpu_compat_set_features("Broadwell-IBRS", FEAT_7_0_EBX,
++ 0, CPUID_7_0_EBX_SMAP);
+ 
+ /* RHEL-6 kernel never supported exposing RDTSCP */
+ x86_cpu_compat_set_features(NULL, FEAT_8000_0001_EDX, 0, CPUID_EXT2_RDTSCP);
+@@ -1122,6 +1137,8 @@ static void pc_compat_rhel630(QEMUMachineInitArgs *args)
+ enable_compat_apic_id_mode();
+ x86_cpu_compat_set_features("SandyBridge", FEAT_1_ECX,
+ 0, CPUID_EXT_TSC_DEADLINE_TIMER);
++ x86_cpu_compat_set_features("SandyBridge-IBRS", FEAT_1_ECX,
++ 0, CPUID_EXT_TSC_DEADLINE_TIMER);
+ }
+ 
+ static void pc_init_rhel630(QEMUMachineInitArgs *args)
+diff --git a/hw/i386/pc_q35.c b/hw/i386/pc_q35.c
+index 850a25a..e6043df 100644
+--- a/hw/i386/pc_q35.c
++++ b/hw/i386/pc_q35.c
+@@ -228,6 +228,7 @@ static void pc_q35_init_1_4(QEMUMachineInitArgs *args)
+ {
+ x86_cpu_compat_set_features("n270", FEAT_1_ECX, 0, CPUID_EXT_MOVBE);
+ x86_cpu_compat_set_features("Westmere", FEAT_1_ECX, 0, CPUID_EXT_PCLMULQDQ);
++ x86_cpu_compat_set_features("Westmere-IBRS", FEAT_1_ECX, 0, CPUID_EXT_PCLMULQDQ);
+ pc_q35_init_1_5(args);
+ }
+ 
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 400a7ab..9e238ba 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -882,6 +882,31 @@ static x86_def_t builtin_x86_defs[] = {
+ .model_id = "Intel Core i7 9xx (Nehalem Class Core i7)",
+ },
+ {
++ .name = "Nehalem-IBRS",
++ .level = 11,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 26,
++ .stepping = 3,
++ .features[FEAT_1_EDX] =
++ CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_POPCNT | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 |
++ CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_SSE3,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_SYSCALL | CPUID_EXT2_NX,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_LAHF_LM,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Core i7 9xx (Nehalem Core i7, IBRS update)",
++ },
++ {
+ .name = "Westmere",
+ .level = 11,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -906,6 +931,32 @@ static x86_def_t builtin_x86_defs[] = {
+ .model_id = "Westmere E56xx/L56xx/X56xx (Nehalem-C)",
+ },
+ {
++ .name = "Westmere-IBRS",
++ .level = 11,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 44,
++ .stepping = 1,
++ .features[FEAT_1_EDX] =
++ CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AES | CPUID_EXT_POPCNT | CPUID_EXT_SSE42 |
++ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
++ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_SYSCALL | CPUID_EXT2_NX,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_LAHF_LM,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .xlevel = 0x80000008,
++ .model_id = "Westmere E56xx/L56xx/X56xx (IBRS update)",
++ },
++ {
+ .name = "SandyBridge",
+ .level = 0xd,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -935,6 +986,37 @@ static x86_def_t builtin_x86_defs[] = {
+ .model_id = "Intel Xeon E312xx (Sandy Bridge)",
+ },
+ {
++ .name = "SandyBridge-IBRS",
++ .level = 0xd,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 42,
++ .stepping = 1,
++ .features[FEAT_1_EDX] =
++ CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_POPCNT |
++ CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 |
++ CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_PCLMULQDQ |
++ CPUID_EXT_SSE3,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++ CPUID_EXT2_SYSCALL,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_LAHF_LM,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_XSAVE] =
++ CPUID_XSAVE_XSAVEOPT,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Xeon E312xx (Sandy Bridge, IBRS update)",
++ },
++ {
+ .name = "IvyBridge",
+ .level = 0xd,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -967,6 +1049,40 @@ static x86_def_t builtin_x86_defs[] = {
+ .model_id = "Intel Xeon E3-12xx v2 (Ivy Bridge)",
+ },
+ {
++ .name = "IvyBridge-IBRS",
++ .level = 0xd,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 58,
++ .stepping = 9,
++ .features[FEAT_1_EDX] =
++ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_POPCNT |
++ CPUID_EXT_X2APIC | CPUID_EXT_SSE42 | CPUID_EXT_SSE41 |
++ CPUID_EXT_CX16 | CPUID_EXT_SSSE3 | CPUID_EXT_PCLMULQDQ |
++ CPUID_EXT_SSE3 | CPUID_EXT_F16C | CPUID_EXT_RDRAND,
++ .features[FEAT_7_0_EBX] =
++ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_SMEP |
++ CPUID_7_0_EBX_ERMS,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++ CPUID_EXT2_SYSCALL,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_LAHF_LM,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_XSAVE] =
++ CPUID_XSAVE_XSAVEOPT,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Xeon E3-12xx v2 (Ivy Bridge, IBRS)",
++ },
++ {
+ .name = "Haswell",
+ .level = 0xd,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -1002,6 +1118,43 @@ static x86_def_t builtin_x86_defs[] = {
+ .model_id = "Intel Core Processor (Haswell)",
+ },
+ {
++ .name = "Haswell-IBRS",
++ .level = 0xd,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 60,
++ .stepping = 4,
++ .features[FEAT_1_EDX] =
++ CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++ CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
++ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
++ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE |
++ CPUID_EXT_PCID,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++ CPUID_EXT2_SYSCALL,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_LAHF_LM,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_7_0_EBX] =
++ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 |
++ CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP |
++ CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID |
++ CPUID_7_0_EBX_RTM,
++ .features[FEAT_XSAVE] =
++ CPUID_XSAVE_XSAVEOPT,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Core Processor (Haswell, IBRS)",
++ },
++ {
+ .name = "Broadwell",
+ .level = 0xd,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -1038,6 +1191,44 @@ static x86_def_t builtin_x86_defs[] = {
+ .model_id = "Intel Core Processor (Broadwell)",
+ },
+ {
++ .name = "Broadwell-IBRS",
++ .level = 0xd,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 61,
++ .stepping = 2,
++ .features[FEAT_1_EDX] =
++ CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++ CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
++ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
++ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE |
++ CPUID_EXT_PCID,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++ CPUID_EXT2_SYSCALL,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_LAHF_LM | CPUID_EXT3_3DNOWPREFETCH,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_7_0_EBX] =
++ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 |
++ CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP |
++ CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID |
++ CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX |
++ CPUID_7_0_EBX_SMAP,
++ .features[FEAT_XSAVE] =
++ CPUID_XSAVE_XSAVEOPT,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Core Processor (Broadwell, IBRS)",
++ },
++ {
+ .name = "Skylake-Client",
+ .level = 0xd,
+ .vendor = CPUID_VENDOR_INTEL,
+@@ -1081,6 +1272,51 @@ static x86_def_t builtin_x86_defs[] = {
+ .model_id = "Intel Core Processor (Skylake)",
+ },
+ {
++ .name = "Skylake-Client-IBRS",
++ .level = 0xd,
++ .vendor = CPUID_VENDOR_INTEL,
++ .family = 6,
++ .model = 94,
++ .stepping = 3,
++ .features[FEAT_1_EDX] =
++ CPUID_VME | CPUID_SSE2 | CPUID_SSE | CPUID_FXSR | CPUID_MMX |
++ CPUID_CLFLUSH | CPUID_PSE36 | CPUID_PAT | CPUID_CMOV | CPUID_MCA |
++ CPUID_PGE | CPUID_MTRR | CPUID_SEP | CPUID_APIC | CPUID_CX8 |
++ CPUID_MCE | CPUID_PAE | CPUID_MSR | CPUID_TSC | CPUID_PSE |
++ CPUID_DE | CPUID_FP87,
++ .features[FEAT_1_ECX] =
++ CPUID_EXT_AVX | CPUID_EXT_XSAVE | CPUID_EXT_AES |
++ CPUID_EXT_POPCNT | CPUID_EXT_X2APIC | CPUID_EXT_SSE42 |
++ CPUID_EXT_SSE41 | CPUID_EXT_CX16 | CPUID_EXT_SSSE3 |
++ CPUID_EXT_PCLMULQDQ | CPUID_EXT_SSE3 |
++ CPUID_EXT_TSC_DEADLINE_TIMER | CPUID_EXT_FMA | CPUID_EXT_MOVBE |
++ CPUID_EXT_PCID | CPUID_EXT_F16C | CPUID_EXT_RDRAND,
++ .features[FEAT_8000_0001_EDX] =
++ CPUID_EXT2_LM | CPUID_EXT2_RDTSCP | CPUID_EXT2_NX |
++ CPUID_EXT2_SYSCALL,
++ .features[FEAT_8000_0001_ECX] =
++ CPUID_EXT3_ABM | CPUID_EXT3_LAHF_LM | CPUID_EXT3_3DNOWPREFETCH,
++ .features[FEAT_7_0_EDX] =
++ CPUID_7_0_EDX_SPEC_CTRL,
++ .features[FEAT_7_0_EBX] =
++ CPUID_7_0_EBX_FSGSBASE | CPUID_7_0_EBX_BMI1 |
++ CPUID_7_0_EBX_HLE | CPUID_7_0_EBX_AVX2 | CPUID_7_0_EBX_SMEP |
++ CPUID_7_0_EBX_BMI2 | CPUID_7_0_EBX_ERMS | CPUID_7_0_EBX_INVPCID |
++ CPUID_7_0_EBX_RTM | CPUID_7_0_EBX_RDSEED | CPUID_7_0_EBX_ADX |
++ CPUID_7_0_EBX_SMAP | CPUID_7_0_EBX_MPX,
++ /* Missing: XSAVES (not supported by some Linux versions,
++ * including v4.1 to v4.12).
++ * KVM doesn't yet expose any XSAVES state save component,
++ * and the only one defined in Skylake (processor tracing)
++ * probably will block migration anyway.
++ */
++ .features[FEAT_XSAVE] =
++ CPUID_XSAVE_XSAVEOPT | CPUID_XSAVE_XSAVEC |
++ CPUID_XSAVE_XGETBV1,
++ .xlevel = 0x80000008,
++ .model_id = "Intel Core Processor (Skylake, IBRS)",
++ },
++ {
+ .name = "Opteron_G1",
+ .level = 5,
+ .vendor = CPUID_VENDOR_AMD,
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index b23242d..9353b48 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -587,6 +587,9 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
+ 
+ #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
+ #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
++#define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Indirect Branch - Restrict Speculation */
++
++#define CPUID_8000_0008_EBX_IBPB (1U << 12) /* Indirect Branch Prediction Barrier */
+ 
+ #define CP UID_XSAVE_XSAVEOPT (1U << 0)
+ #define CPUID_XSAVE_XSAVEC (1U << 1)
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran.patch b/SOURCES/kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran.patch
new file mode 100644
index 0000000..c1a19c2
--- /dev/null
+++ b/SOURCES/kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran.patch
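Review bot: The commit message's grep pattern lists `Haswell-noTSX` and `Broadwell-noTSX`, but the cpu.c hunks add `-IBRS` variants only for Nehalem, Westmere, SandyBridge, IvyBridge, Haswell, Broadwell and Skylake-Client; if this tree carries the noTSX models (that part of `builtin_x86_defs` is outside the hunks), guests pinned to them get no IBRS-capable counterpart, so either add them or state the omission in the message. Two consistency points in the new entries: `model_id` alternates between `"IBRS update"` (Nehalem, Westmere, SandyBridge) and `"IBRS"` (IvyBridge, Haswell, Broadwell, Skylake), and `.features[FEAT_7_0_EDX]` sits before the `FEAT_8000_0001_*` entries in `Nehalem-IBRS` but after them in every other model. `CPUID_8000_0008_EBX_IBPB` is defined in the cpu.h hunk yet no model in this series sets it, so a comment such as `/* No built-in model sets this yet; reachable only via the "ibpb" feature name */` would save the next reader a search.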
@@ -0,0 +1,79 @@
+From 0e04ead1cdde827f1c0a20f8b83c76386dbf33e2 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost
+Date: Wed, 13 Dec 2017 15:42:55 -0200
+Subject: [PATCH 1/3] target-i386: cpu: add new CPUID bits for indirect branch
+ predictor restrictions
+
+RH-Author: Eduardo Habkost
+Message-id: <20171213174257.20475-2-ehabkost@redhat.com>
+Patchwork-id: n/a
+O-Subject: [CONFIDENTIAL][RHEL-7.4.z qemu-kvm PATCH v2 1/3] target-i386: cpu:
+ add new CPUID bits for indirect branch predictor restrictions
+Bugzilla: CVE-2017-5715
+RH-Acked-by: Paolo Bonzini
+RH-Acked-by: Miroslav Rezanina
+RH-Acked-by: Wainer dos Santos Moschetta
+---
+ target-i386/cpu.c | 19 ++++++++++++++++++-
+ target-i386/cpu.h | 1 +
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index ae56995..400a7ab 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -172,6 +172,17 @@ static const char *cpuid_7_0_edx_feature_name[] = {
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
++ NULL, NULL, "spec-ctrl", "stibp",
++ NULL, "arch-facilities", NULL, NULL,
++};
++
++static const char *cpuid_80000008_ebx_feature_name[] = {
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ "ibpb", NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ };
+@@ -314,6 +325,12 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+ .cpuid_reg = R_EDX,
+ .tcg_features = TCG_7_0_EDX_FEATURES,
+ },
++ [FEAT_8000_0008_EBX] = {
++ .feat_names = cpuid_80000008_ebx_feature_name,
++ .cpuid_eax = 0x80000008,
++ .cpuid_needs_ecx = false, .cpuid_ecx = 0,
++ .cpuid_reg = R_EBX,
++ },
+ [FEAT_XSAVE] = {
+ .feat_names = cpuid_xsave_feature_name,
+ .cpuid_eax = 0xd,
+@@ -2371,7 +2388,7 @@ void cpu_x86_cpuid(CPUX86State *env, uint32_t index, uint32_t count,
+ *eax = 0x00000020; /* 32 bits physical */
+ }
+ }
+- *ebx = 0;
++ *ebx = env->features[FEAT_8000_0008_EBX];
+ *ecx = 0;
+ *edx = 0;
+ if (cs->nr_cores * cs->nr_threads > 1) {
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index ac60309..5697dc6 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -405,6 +405,7 @@ typedef enum FeatureWord {
+ FEAT_7_0_EDX, /* CPUID[EAX=7,ECX=0].EDX */
+ FEAT_8000_0001_EDX, /* CPUID[8000_0001].EDX */
+ FEAT_8000_0001_ECX, /* CPUID[8000_0001].ECX */
++ FEAT_8000_0008_EBX, /* CPUID[8000_0008].EBX */
+ FEAT_C000_0001_EDX, /* CPUID[C000_0001].EDX */
+ FEAT_KVM, /* CPUID[4000_0001].EAX (KVM_CPUID_FEATURES) */
+ FEAT_SVM, /* CPUID[8000_000A].EDX */
+-- 
+1.8.3.1
+
diff --git a/SOURCES/kvm-vfio-pci-Only-mmap-TARGET_PAGE_SIZE-regions.patch b/SOURCES/kvm-vfio-pci-Only-mmap-TARGET_PAGE_SIZE-regions.patch
new file mode 100644
index 0000000..8b84636
--- /dev/null
+++ b/SOURCES/kvm-vfio-pci-Only-mmap-TARGET_PAGE_SIZE-regions.patch
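Review bot: The new `feature_word_info[FEAT_8000_0008_EBX]` entry omits `.tcg_features`, which the neighbouring `FEAT_7_0_EDX` entry sets (`TCG_7_0_EDX_FEATURES` is visible just above it), so under designated initialization the field is zero; that is the right value for a KVM-only package but reads like an oversight, so spell it out with `.tcg_features = 0, /* none of these bits are emulated by TCG */`. The name table adds `"stibp"` and `"arch-facilities"` next to `"spec-ctrl"`, yet no `CPUID_7_0_EDX_*` macro for either appears anywhere in this series, so they are reachable only by feature name; a short comment on the array saying so would prevent someone later "fixing" the mismatch. Inserting `FEAT_8000_0008_EBX` ahead of `FEAT_C000_0001_EDX` also shifts every later `FeatureWord` value, which is harmless only if nothing outside this file encodes the enum numerically — I cannot verify that from the hunk.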
@@ -0,0 +1,61 @@
+From daa0c48addc50413b79612d9e7251a9cbf35af48 Mon Sep 17 00:00:00 2001
+From: Alex Williamson
+Date: Mon, 20 Nov 2017 16:21:44 +0100
+Subject: [PATCH] vfio/pci: Only mmap >= TARGET_PAGE_SIZE regions
+
+RH-Author: Alex Williamson
+Message-id: <20171120162044.30263.60064.stgit@gimli.home>
+Patchwork-id: 77755
+O-Subject: [RHEL-7.4.z qemu-kvm PATCH] vfio/pci: Only mmap >= TARGET_PAGE_SIZE regions
+Bugzilla: 1515110
+RH-Acked-by: Paolo Bonzini
+RH-Acked-by: Thomas Huth
+RH-Acked-by: Auger Eric
+
+Upstream Status: RHEL-only (very small subset of db0da029a185)
+Tested: Teradici USB assignment
+
+Upstream kernel commit 05f0c03fbac1 ('vfio-pci: Allow to mmap sub-page
+MMIO BARs if the mmio page is exclusive') [RHEL-7.4 390f15a45024] allows
+vfio-pci to expose the VFIO_REGION_INFO_FLAG_MMAP flag, indicating the
+region can be mmap'd, for sub-page PCI BARs iff the BAR is page aligned
+and the remainder of the page can be reserved to ensure that it's not
+used for other purposes. Unfortunately QEMU versions prior to v2.6.0
+blindly accept the MMAP flag with no special handling of these sub-page
+mmaps. This went unnoticed upstream, but was inadvertently fixed by
+commit db0da029a185 ('vfio: Generalize region support') which ensures
+that the region size is a multiple of page size. This returns us to
+the previous behavior where sub-page regions are not mmap'd, even though
+the kernel now allows it. This QEMU commit has since been picked up in
+qemu-kvm with the backport of the above as a33e922436f7. qemu-kvm-rhev
+has had this support since RHEL-7.3. Furthermore, upstream commit
+95251725e335 ('vfio: Add support for mmapping sub-page MMIO BARs')
+allows QEMU to fully make use of these sub-page mmaps. qemu-kvm-rhev
+acquired this capability in the RHEL-7.4 rebase.
+
+Here we extract only the portion of db0da029a185 which excludes sub-page
+regions from being mmap'd.
+
+Signed-off-by: Alex Williamson
+Signed-off-by: Miroslav Rezanina
+---
+ hw/misc/vfio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/hw/misc/vfio.c b/hw/misc/vfio.c
+index 4fdc09a..adfefec 100644
+--- a/hw/misc/vfio.c
++++ b/hw/misc/vfio.c
+@@ -2576,7 +2576,8 @@ static int vfio_mmap_bar(VFIOBAR *bar, MemoryRegion *mem, MemoryRegion *submem,
+ {
+ int ret = 0;
+ 
+- if (VFIO_ALLOW_MMAP && size && bar->flags & VFIO_REGION_INFO_FLAG_MMAP) {
++ if (VFIO_ALLOW_MMAP && size && bar->flags & VFIO_REGION_INFO_FLAG_MMAP &&
++ !(size & ~TARGET_PAGE_MASK)) {
+ int prot = 0;
+ 
+ if (bar->flags & VFIO_REGION_INFO_FLAG_READ) {
+-- 
+1.8.3.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index ec913ee..d7ccc69 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version} \
 Summary: QEMU is a machine emulator and virtualizer
 Name: %{pkgname}%{?pkgsuffix}
 Version: 1.5.3
-Release: 141%{?dist}.4
+Release: 141%{?dist}.6
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2+ and LGPLv2+ and BSD
@@ -3624,6 +3624,14 @@ Patch1783: kvm-vga-handle-cirrus-vbe-mode-wraparounds.patch Patch1784: kvm-cirrus-fix-oob-access-in-mode4and5-write-functions.patch # For bz#1501120 - CVE-2017-14167 qemu-kvm: Qemu: i386: multiboot OOB access while loading kernel image [rhel-7.4.z] Patch1785: kvm-multiboot-validate-multiboot-header-address-values.patch +# For bz#1515110 - Regression in QEMU handling for sub-page MMIO BARs for vfio-pci devices [rhel-7.4.z] +Patch1786: kvm-vfio-pci-Only-mmap-TARGET_PAGE_SIZE-regions.patch +# For CVE-2017-5715 +Patch1787: kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran.patch +# For CVE-2017-5715 +Patch1788: kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch +# For CVE-2017-5715 +Patch1789: kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran.patch BuildRequires: zlib-devel
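Review bot: The added condition `!(size & ~TARGET_PAGE_MASK)` tests the BAR size against the target page size, whereas the rule the commit message describes is about host page granularity; the two coincide on x86 so the check is correct here, but if this tree has a host-page mask helper available it would state the intent more directly, and either way a one-line comment such as `/* sub-page BARs must not be mmap'd: the remainder of the page is not ours */` would tell the reader why the size test exists. The rewritten `if` also keeps `bar->flags & VFIO_REGION_INFO_FLAG_MMAP` unparenthesised inside the `&&` chain; it is correct by precedence, but since the line is touched anyway, `(bar->flags & VFIO_REGION_INFO_FLAG_MMAP)` removes the need to think about it. The body of `vfio_mmap_bar` continues outside the hunk.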
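Review bot: The three new `# For CVE-2017-5715` comments above `Patch1787`–`Patch1789` drop the `# For bz#NNN - <summary> [rhel-7.4.z]` form every neighbouring entry uses (compare `Patch1785` and the new `Patch1786`), so the tracker reference that the changelog's `Resolves:` lines normally mirror is missing for these three patches; if a Bugzilla id exists for the CVE, record it in the same format, e.g. `# For bz#<BZ-ID> - CVE-2017-5715 qemu-kvm: ... [rhel-7.4.z]` with the real id filled in. The matching `%changelog` entry in the `@@ -6032` hunk has the same gap: `- Fix CVE-2017-5715` names neither the three patch files nor a `Resolves:` line, unlike the `1.5.3-141.el7_4.5` entry directly below it.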
@@ -5587,6 +5595,10 @@ tar -xf %{SOURCE21} %patch1783 -p1 %patch1784 -p1 %patch1785 -p1 +%patch1786 -p1 +%patch1787 -p1 +%patch1788 -p1 +%patch1789 -p1 %build buildarch="%{kvm_target}-softmmu" @@ -6032,6 +6044,14 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %{_mandir}/man8/qemu-nbd.8* %changelog +* Thu Dec 14 2017 Miroslav Rezanina - 1.5.3-141.el7_4.6 +- Fix CVE-2017-5715 + +* Wed Nov 29 2017 Miroslav Rezanina - 1.5.3-141.el7_4.5 +- kvm-vfio-pci-Only-mmap-TARGET_PAGE_SIZE-regions.patch [bz#1515110] +- Resolves: bz#1515110 + (Regression in QEMU handling for sub-page MMIO BARs for vfio-pci devices [rhel-7.4.z]) + * Fri Nov 10 2017 Miroslav Rezanina - 1.5.3-141.el7_4.4 - kvm-multiboot-validate-multiboot-header-address-values.patch [bz#1501120] - Resolves: bz#1501120