From d8ce37f73ec77e5365cfa132ac78b470c1410222 Mon Sep 17 00:00:00 2001 Message-Id: From: Pavel Hrdina Date: Tue, 14 May 2019 19:59:49 +0200 Subject: [PATCH] domcapabilities: detect MDS new vulnerability MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There is a new security feature 'md-clear' that mitigates recent CPU Microarchitectural Store Buffer Data vulnerability. Signed-off-by: Pavel Hrdina (cherry picked from commit c11d6ba4d7024eaac83b6e2d6ae88172f4c01e98) Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1582667 Signed-off-by: Pavel Hrdina Acked-by: Daniel P. Berrangé --- man/virt-install.pod | 13 +++++++------ virtinst/domcapabilities.py | 3 ++- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/man/virt-install.pod b/man/virt-install.pod index d90c2b8e..3bcb32f2 100644 --- a/man/virt-install.pod +++ b/man/virt-install.pod 
@@ -219,12 +219,13 @@ and 'disable=feature' respectively. If exact CPU model is specified virt-install will automatically copy CPU features available on the host to mitigate recent CPU speculative execution -side channel security vulnerabilities. This however will have some impact -on performance and will break migration to hosts without security patches. -In order to control this behavior there is a B parameter. Possible -values are I and I, with I as the default. It is highly -recommended to leave this enabled and ensure all virtualization hosts have -fully up to date microcode, kernel & virtualization software installed. +side channel and Microarchitectural Store Buffer Data security vulnerabilities. +This however will have some impact on performance and will break migration +to hosts without security patches. In order to control this behavior there +is a B parameter. Possible values are I and I, with I +as the default. It is highly recommended to leave this enabled and ensure all +virtualization hosts have fully up to date microcode, kernel & virtualization +software installed. Some examples: diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py index ba774532..5695453f 100644 --- a/virtinst/domcapabilities.py +++ b/virtinst/domcapabilities.py @@ -245,7 +245,8 @@ class DomainCapabilities(XMLBuilder): 'spec-ctrl', 'ssbd', 'ibpb', - 'virt-ssbd'] + 'virt-ssbd', + 'md-clear'] if self._features: return self._features -- 2.21.0
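Review bot: in the man/virt-install.pod hunk, the added line "side channel and Microarchitectural Store Buffer Data security vulnerabilities" names only the store-buffer case, while the subject line says MDS (Microarchitectural Data Sampling), so the man page and the commit title describe different scopes. Suggest wording it as "Microarchitectural Data Sampling (MDS)" and naming the 'md-clear' feature in the paragraph, so a reader can connect it to the 'disable=feature' syntax mentioned just above this hunk and can tell which guest CPU flag is at stake when migration to an unpatched host fails.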
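Review bot: in the virtinst/domcapabilities.py hunk, the new 'md-clear' entry at the end of the feature list arrives with no test or fixture change; the diffstat lists only the man page and this file. Suggest adding a test case where the host advertises 'md-clear' and asserting that it is among the returned features, plus one where the host lacks it, so that a later edit to this list cannot silently drop the mitigation from guest CPU definitions. A short comment above the list saying which vulnerability each flag covers would also help the next person who extends it.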