diff --git a/SOURCES/kvm-i386-Deprecate-arch-facilities-and-make-it-block-liv.patch b/SOURCES/kvm-i386-Deprecate-arch-facilities-and-make-it-block-liv.patch
new file mode 100644
index 0000000..75a1165
--- /dev/null
+++ b/SOURCES/kvm-i386-Deprecate-arch-facilities-and-make-it-block-liv.patch
@@ -0,0 +1,114 @@
+From 8cafea931977e494797584610664279ea21ef427 Mon Sep 17 00:00:00 2001
+From: Eduardo Habkost
+Date: Fri, 21 Dec 2018 00:31:11 +0100
+Subject: [PATCH] i386: Deprecate arch-facilities and make it block live
+ migration
+
+RH-Author: Eduardo Habkost
+Message-id: <20181221003111.32374-1-ehabkost@redhat.com>
+Patchwork-id: 83733
+O-Subject: [RHEL-7.7 qemu-kvm PATCH] i386: Deprecate arch-facilities and make it block live migration
+Bugzilla: 1664792
+RH-Acked-by: Bandan Das
+RH-Acked-by: Dr. David Alan Gilbert
+RH-Acked-by: Jiri Denemark
+
+The arch-facilities feature flag is being deprecated because it
+was never supported upstream. The upstream property is
+called "arch-capabilities", but it was not backported to
+RHEL7/qemu-kvm.
+
+Note that arch-capabilities is not required for mitigation of
+CVE-2017-5715.
+
+In addition to being deprecated, arch-facilities will now block
+live migration because the value of MSR_IA32_ARCH_CAPABILITIES is
+host-dependent and not migration-safe.
+
+Note that the "arch-facilities" option didn't work in RHEL-7.5.
+It only started working (by accident) on RHEL-7.6, after the KVM
+kernel module code was updated to report the feature flag on
+GET_SUPPORTED_CPUID.
+
+Signed-off-by: Eduardo Habkost
+Signed-off-by: Miroslav Rezanina
+---
+ target-i386/cpu.c | 35 +++++++++++++++++++++++++++++++++++
+ target-i386/cpu.h | 1 +
+ 2 files changed, 36 insertions(+)
+
+diff --git a/target-i386/cpu.c b/target-i386/cpu.c
+index 4b3a238e8d..a36483eca9 100644
+--- a/target-i386/cpu.c
++++ b/target-i386/cpu.c
+@@ -34,6 +34,7 @@
+ #include "qapi-visit.h"
+ #include "qapi/visitor.h"
+ #include "sysemu/arch_init.h"
++#include "migration/migration.h"
+
+ #include "hw/hw.h"
+ #if defined(CONFIG_KVM)
+@@ -1742,6 +1743,14 @@ static void kvm_cpu_fill_host(x86_def_t *x86_cpu_def)
+ wi->cpuid_reg);
+ }
+
++ /*
++ * Features that won't be enabled automatically by "-cpu host" even if
++ * reported by GET_SUPPORTED_CPUID:
++ */
++
++ /* arch-facilities: deprecated (see comment on x86_cpu_realizefn()) */
++ x86_cpu_def->features[FEAT_7_0_EDX] &= ~CPUID_7_0_EDX_ARCH_CAPABILITIES;
++
+ #endif /* CONFIG_KVM */
+ }
+
+@@ -3089,6 +3098,32 @@ static void x86_cpu_realizefn(DeviceState *dev, Error **errp)
+ #endif
+ }
+
++ /*
++ * RHEL-only:
++ *
++ * The arch-facilities feature flag is deprecated because it was never
++ * supported upstream. The upstream property is "arch-capabilities",
++ * but it was not backported to this QEMU version. Note that
++ * arch-capabilities is not required for mitigation of CVE-2017-5715.
++ *
++ * In addition to being deprecated, arch-facilities blocks live migration
++ * because the value of MSR_IA32_ARCH_CAPABILITIES is host-dependent and
++ * not migration-safe.
++ */
++ if (cpu->env.features[FEAT_7_0_EDX] & CPUID_7_0_EDX_ARCH_CAPABILITIES) {
++ static bool warned = false;
++ static Error *arch_facilities_blocker;
++ if (!warned) {
++ error_setg(&arch_facilities_blocker,
++ "The arch-facilities CPU feature is deprecated and "
++ "does not support live migration");
++ migrate_add_blocker(arch_facilities_blocker);
++ error_report("WARNING: the arch-facilities CPU feature is "
++ "deprecated and does not support live migration");
++ warned = true;
++ }
++ }
++
+ #ifndef CONFIG_USER_ONLY
+ qemu_register_reset(x86_cpu_machine_reset_cb, cpu);
+
+diff --git a/target-i386/cpu.h b/target-i386/cpu.h
+index debb0e5bf4..73437f16c5 100644
+--- a/target-i386/cpu.h
++++ b/target-i386/cpu.h
+@@ -597,6 +597,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
+ #define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
+ #define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
+ #define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Indirect Branch - Restrict Speculation */
++#define CPUID_7_0_EDX_ARCH_CAPABILITIES (1U << 29) /*Arch Capabilities*/
+ #define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */
+
+ #define CPUID_8000_0008_EBX_IBPB (1U << 12) /* Indirect Branch Prediction Barrier */
+--
+2.19.1
+
diff --git a/SPECS/qemu-kvm.spec b/SPECS/qemu-kvm.spec
index 007479a..652e4b1 100644
--- a/SPECS/qemu-kvm.spec
+++ b/SPECS/qemu-kvm.spec
@@ -76,7 +76,7 @@ Obsoletes: %1 < %{obsoletes_version} \
 Summary: QEMU is a machine emulator and virtualizer
 Name: %{pkgname}%{?pkgsuffix}
 Version: 1.5.3
-Release: 160%{?dist}
+Release: 160%{?dist}.1
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 Epoch: 10
 License: GPLv2 and GPLv2+ and CC-BY
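Review bot: The new `CPUID_7_0_EDX_ARCH_CAPABILITIES` define in the cpu.h hunk is commented `/*Arch Capabilities*/`, which neither matches the spacing of the neighbouring entries nor says what the bit announces; `/* MSR_IA32_ARCH_CAPABILITIES is present */` would follow the surrounding style and tie the bit to the MSR the realizefn comment explains. In the x86_cpu_realizefn hunk the deprecation text is spelled out twice, once for `error_setg` and once for `error_report`, so the migration-blocker reason and the console warning can drift apart; a single `static const char` message passed to both through a `"%s"` format keeps them identical. That block is also placed just above `#ifndef CONFIG_USER_ONLY`, so it would be compiled into user-mode targets if any were built from this cpu.c; the spec's `buildarch="%{kvm_target}-softmmu"` suggests only softmmu is built here, but moving the block inside the guard would make that independence explicit. Both kvm_cpu_fill_host and x86_cpu_realizefn start outside their hunks.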
@@ -3939,6 +3939,8 @@ Patch1940: kvm-ide-support-reporting-of-rotation-rate.patch
 Patch1941: kvm-ide-avoid-referencing-NULL-dev-in-rotational-rate-se.patch
 # For bz#1586253 - CVE-2018-11806 qemu-kvm: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-7.6]
 Patch1942: kvm-slirp-Correct-size-check-in-m_inc.patch
+# For bz#1664792 - mode="host-model" VMs include broken "arch-facilities" flag name [qemu-kvm] [rhel-7.6.z]
+Patch1943: kvm-i386-Deprecate-arch-facilities-and-make-it-block-liv.patch
 
 BuildRequires: zlib-devel
@@ -6059,6 +6061,7 @@ tar -xf %{SOURCE21}
 %patch1940 -p1
 %patch1941 -p1
 %patch1942 -p1
+%patch1943 -p1
 
 %build
 buildarch="%{kvm_target}-softmmu"
@@ -6504,6 +6507,11 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || :
 %{_mandir}/man8/qemu-nbd.8*
 
 %changelog
+* Mon Jan 14 2019 Miroslav Rezanina - 1.5.3-160.el7_6.1
+- kvm-i386-Deprecate-arch-facilities-and-make-it-block-liv.patch [bz#1664792]
+- Resolves: bz#1664792
+ (mode="host-model" VMs include broken "arch-facilities" flag name [qemu-kvm] [rhel-7.6.z])
+
 * Mon Aug 20 2018 Miroslav Rezanina - 1.5.3-160.el7
 - kvm-scsi-disk-support-reporting-of-rotation-rate.patch [bz#1583807]
 - kvm-ide-support-reporting-of-rotation-rate.patch [bz#1583807]