diff --git a/SOURCES/kvm-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch b/SOURCES/kvm-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch new file mode 100644 index 0000000..2c3fd84 --- /dev/null +++ b/SOURCES/kvm-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch @@ -0,0 +1,169 @@ +From 404335e8ed73046c079435fe73b921ec993614e4 Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Wed, 23 May 2018 20:54:57 +0200 +Subject: [PATCH 1/2] i386: Define the Virt SSBD MSR and handling of it + (CVE-2018-3639) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Eduardo Habkost +Message-id: <20180523205458.32764-2-ehabkost@redhat.com> +Patchwork-id: 80461 +O-Subject: [RHEL-7.5.z qemu-kvm PATCH 1/2] i386: Define the Virt SSBD MSR and handling of it (CVE-2018-3639) +Bugzilla: 1584363 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov +RH-Acked-by: Miroslav Rezanina + +From: Konrad Rzeszutek Wilk + +"Some AMD processors only support a non-architectural means of enabling +speculative store bypass disable (SSBD). To allow a simplified view of +this to a guest, an architectural definition has been created through a new +CPUID bit, 0x80000008_EBX[25], and a new MSR, 0xc001011f. With this, a +hypervisor can virtualize the existence of this definition and provide an +architectural method for using SSBD to a guest. + +Add the new CPUID feature, the new MSR and update the existing SSBD +support to use this MSR when present." (from x86/speculation: Add virtualized +speculative store bypass disable support in Linux). + +Signed-off-by: Konrad Rzeszutek Wilk +Reviewed-by: Daniel P. Berrangé +Signed-off-by: Daniel P. Berrangé +Message-Id: <20180521215424.13520-4-berrange@redhat.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit cfeea0c021db6234c154dbc723730e81553924ff) +Signed-off-by: Miroslav Rezanina + +Conflicts: + target-i386/kvm.c (MSR code) + target-i386/machine.c (trivial change from + VMStateDescription.needed to VMStateSubsection.needed) + +Signed-off-by: Eduardo Habkost +--- + target-i386/cpu.h | 2 ++ + target-i386/kvm.c | 17 +++++++++++++++-- + target-i386/machine.c | 21 +++++++++++++++++++++ + 3 files changed, 38 insertions(+), 2 deletions(-) + +diff --git a/target-i386/cpu.h b/target-i386/cpu.h +index da84443..68d0c0e 100644 +--- a/target-i386/cpu.h ++++ b/target-i386/cpu.h +@@ -305,6 +305,7 @@ + #define MSR_IA32_APICBASE_BASE (0xfffff<<12) + #define MSR_TSC_ADJUST 0x0000003b + #define MSR_IA32_SPEC_CTRL 0x48 ++#define MSR_VIRT_SSBD 0xc001011f + #define MSR_IA32_TSCDEADLINE 0x6e0 + + #define MSR_P6_PERFCTR0 0xc1 +@@ -1044,6 +1045,7 @@ typedef struct CPUX86State { + uint32_t pkru; + + uint64_t spec_ctrl; ++ uint64_t virt_ssbd; + + TPRAccess tpr_access_type; + } CPUX86State; +diff --git a/target-i386/kvm.c b/target-i386/kvm.c +index 24d17ad..656e24b 100644 +--- a/target-i386/kvm.c ++++ b/target-i386/kvm.c +@@ -78,6 +78,7 @@ static bool has_msr_hv_tsc; + static bool has_msr_mtrr; + static bool has_msr_xss; + static bool has_msr_spec_ctrl; ++static bool has_msr_virt_ssbd; + + static bool has_msr_architectural_pmu; + static uint32_t num_architectural_pmu_counters; +@@ -805,6 +806,10 @@ static int kvm_get_supported_msrs(KVMState *s) + has_msr_spec_ctrl = true; + continue; + } ++ if (kvm_msr_list->indices[i] == MSR_VIRT_SSBD) { ++ has_msr_virt_ssbd = true; ++ continue; ++ } + } + } + +@@ -1195,6 +1200,10 @@ static int kvm_put_msrs(X86CPU *cpu, int level) + if (has_msr_spec_ctrl) { + kvm_msr_entry_set(&msrs[n++], MSR_IA32_SPEC_CTRL, env->spec_ctrl); + } ++ if (has_msr_virt_ssbd) { ++ kvm_msr_entry_set(&msrs[n++], MSR_VIRT_SSBD, env->virt_ssbd); ++ } ++ + #ifdef TARGET_X86_64 + if (lm_capable_kernel) { + kvm_msr_entry_set(&msrs[n++], MSR_CSTAR, env->cstar); +@@ -1555,8 +1564,9 @@ static int kvm_get_msrs(X86CPU *cpu) + if (has_msr_spec_ctrl) { + msrs[n++].index = MSR_IA32_SPEC_CTRL; + } +- +- ++ if (has_msr_virt_ssbd) { ++ msrs[n++].index = MSR_VIRT_SSBD; ++ } + if (!env->tsc_valid) { + msrs[n++].index = MSR_IA32_TSC; + env->tsc_valid = !runstate_is_running(); +@@ -1800,6 +1810,9 @@ static int kvm_get_msrs(X86CPU *cpu) + case MSR_IA32_SPEC_CTRL: + env->spec_ctrl = msrs[i].data; + break; ++ case MSR_VIRT_SSBD: ++ env->virt_ssbd = msrs[i].data; ++ break; + } + } + +diff --git a/target-i386/machine.c b/target-i386/machine.c +index d883c86..507ab1a 100644 +--- a/target-i386/machine.c ++++ b/target-i386/machine.c +@@ -760,6 +760,24 @@ static const VMStateDescription vmstate_spec_ctrl = { + } + }; + ++static bool virt_ssbd_needed(void *opaque) ++{ ++ X86CPU *cpu = opaque; ++ CPUX86State *env = &cpu->env; ++ ++ return env->virt_ssbd != 0; ++} ++ ++static const VMStateDescription vmstate_msr_virt_ssbd = { ++ .name = "cpu/virt_ssbd", ++ .version_id = 1, ++ .minimum_version_id = 1, ++ .fields = (VMStateField[]){ ++ VMSTATE_UINT64(env.virt_ssbd, X86CPU), ++ VMSTATE_END_OF_LIST() ++ } ++}; ++ + const VMStateDescription vmstate_x86_cpu = { + .name = "cpu", + .version_id = 12, +@@ -917,6 +935,9 @@ const VMStateDescription vmstate_x86_cpu = { + }, { + .vmsd = &vmstate_spec_ctrl, + .needed = spec_ctrl_needed, ++ }, { ++ .vmsd = &vmstate_msr_virt_ssbd, ++ .needed = virt_ssbd_needed, + } , { + /* empty */ + } +-- +1.8.3.1 + diff --git a/SOURCES/kvm-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch b/SOURCES/kvm-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch new file mode 100644 index 0000000..4217be2 --- /dev/null +++ b/SOURCES/kvm-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch @@ -0,0 +1,58 @@ +From 575e827677fb3c238250c44b5287ae327ddbfcde Mon Sep 17 00:00:00 2001 +From: Eduardo Habkost +Date: Wed, 23 May 2018 20:54:58 +0200 +Subject: [PATCH 2/2] i386: define the AMD 'virt-ssbd' CPUID feature bit + (CVE-2018-3639) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +RH-Author: Eduardo Habkost +Message-id: <20180523205458.32764-3-ehabkost@redhat.com> +Patchwork-id: 80462 +O-Subject: [RHEL-7.5.z qemu-kvm PATCH 2/2] i386: define the AMD 'virt-ssbd' CPUID feature bit (CVE-2018-3639) +Bugzilla: 1584363 +RH-Acked-by: Paolo Bonzini +RH-Acked-by: Igor Mammedov +RH-Acked-by: Miroslav Rezanina + +From: Konrad Rzeszutek Wilk + +AMD Zen expose the Intel equivalant to Speculative Store Bypass Disable +via the 0x80000008_EBX[25] CPUID feature bit. + +This needs to be exposed to guest OS to allow them to protect +against CVE-2018-3639. + +Signed-off-by: Konrad Rzeszutek Wilk +Reviewed-by: Daniel P. Berrangé +Signed-off-by: Daniel P. Berrangé +Message-Id: <20180521215424.13520-3-berrange@redhat.com> +Signed-off-by: Eduardo Habkost +(cherry picked from commit 403503b162ffc33fb64cfefdf7b880acf41772cd) +Signed-off-by: Miroslav Rezanina + +Conflicts: + target/i386/cpu.c is target-i386/cpu.c + +Signed-off-by: Eduardo Habkost +--- + target-i386/cpu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/target-i386/cpu.c b/target-i386/cpu.c +index 539c202..02dcc4b 100644 +--- a/target-i386/cpu.c ++++ b/target-i386/cpu.c +@@ -183,7 +183,7 @@ static const char *cpuid_80000008_ebx_feature_name[] = { + "ibpb", NULL, NULL, NULL, + NULL, NULL, NULL, NULL, + NULL, NULL, NULL, NULL, +- NULL, NULL, NULL, NULL, ++ NULL, "virt-ssbd", NULL, NULL, + NULL, NULL, NULL, NULL, + }; + +-- +1.8.3.1 + diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec index 5ef35b6..1a3ecbb 100644 --- a/SPECS/qemu-kvm.spec +++ b/SPECS/qemu-kvm.spec @@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version} \ Summary: QEMU is a machine emulator and virtualizer Name: %{pkgname}%{?pkgsuffix} Version: 1.5.3 -Release: 156%{?dist}.2 +Release: 156%{?dist}.3 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped Epoch: 10 License: GPLv2+ and LGPLv2+ and BSD @@ -3871,6 +3871,10 @@ Patch1906: kvm-vga-add-ram_addr_t-cast.patch Patch1907: kvm-vga-fix-region-calculation.patch # For bz#1574075 - EMBARGOED CVE-2018-3639 qemu-kvm: Kernel: omega-4 [rhel-7.5.z] Patch1908: kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch +# For bz#1584363 - CVE-2018-3639 qemu-kvm: hw: cpu: AMD: speculative store bypass [rhel-7.5.z] +Patch1909: kvm-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch +# For bz#1584363 - CVE-2018-3639 qemu-kvm: hw: cpu: AMD: speculative store bypass [rhel-7.5.z] +Patch1910: kvm-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch BuildRequires: zlib-devel @@ -5957,6 +5961,8 @@ tar -xf %{SOURCE21} %patch1906 -p1 %patch1907 -p1 %patch1908 -p1 +%patch1909 -p1 +%patch1910 -p1 %build buildarch="%{kvm_target}-softmmu" @@ -6402,6 +6408,12 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %{_mandir}/man8/qemu-nbd.8* %changelog +* Fri Jun 08 2018 Miroslav Rezanina - 1.5.3-156.el7_5.3 +- kvm-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch [bz#1584363] +- kvm-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch [bz#1584363] +- Resolves: bz#1584363 + (CVE-2018-3639 qemu-kvm: hw: cpu: AMD: speculative store bypass [rhel-7.5.z]) + * Fri May 11 2018 Miroslav Rezanina - 1.5.3-156.el7_5.2 - kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch [bz#1574075] - Resolves: bz#1574075