libvirt/92673422-CVE-2018-3639.patch

commit 9267342206ce17f6933d57a3128cdc504d5945c9
Author: Daniel P. Berrangé <berrange@redhat.com>
Date:   Mon May 21 23:05:08 2018 +0100

    cpu: define the 'virt-ssbd' CPUID feature bit (CVE-2018-3639)
    
    Some AMD processors only support a non-architectural means of
    enabling Speculative Store Bypass Disable. To allow simplified
    handling in virtual environments, hypervisors will expose an
    architectural definition through CPUID bit 0x80000008_EBX[25].
    This needs to be exposed to guest OS running on AMD x86 hosts to
    allow them to protect against CVE-2018-3639.
    
    Note that since this CPUID bit won't be present in the host CPUID
    results on physical hosts, it will not be enabled automatically
    in guests configured with "host-model" CPU unless using QEMU
    version >= 2.9.0. Thus for older versions of QEMU, this feature
    must be manually enabled using policy=force. Guests using the
    "host-passthrough" CPU mode do not need special handling.
    
    Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
    Reviewed-by: Jiri Denemark <jdenemar@redhat.com>

Index: libvirt-4.3.0/src/cpu/cpu_map.xml
===================================================================
--- libvirt-4.3.0.orig/src/cpu/cpu_map.xml
+++ libvirt-4.3.0/src/cpu/cpu_map.xml
@@ -433,6 +433,9 @@
     <feature name='ibpb'>
       <cpuid eax_in='0x80000008' ebx='0x00001000'/>
     </feature>
+    <feature name='virt-ssbd'>
+      <cpuid eax_in='0x80000008' ebx='0x02000000'/>
+    </feature>
 
     <!-- models -->
     <model name='486'>
Accepting request 611362 from home:jfehlig:branches:Virtualization - cpu: add support for 'ssbd' and 'virt-ssbd' CPUID feature bits CVE-2018-3639 1dbca2ec-CVE-2018-3639.patch, 92673422-CVE-2018-3639.patch bsc#1092885 OBS-URL: https://build.opensuse.org/request/show/611362 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=689 2018-05-22 19:05:48 +02:00			`commit 9267342206ce17f6933d57a3128cdc504d5945c9`
			`Author: Daniel P. Berrangé <berrange@redhat.com>`
			`Date: Mon May 21 23:05:08 2018 +0100`

			`cpu: define the 'virt-ssbd' CPUID feature bit (CVE-2018-3639)`

			`Some AMD processors only support a non-architectural means of`
			`enabling Speculative Store Bypass Disable. To allow simplified`
			`handling in virtual environments, hypervisors will expose an`
			`architectural definition through CPUID bit 0x80000008_EBX[25].`
			`This needs to be exposed to guest OS running on AMD x86 hosts to`
			`allow them to protect against CVE-2018-3639.`

			`Note that since this CPUID bit won't be present in the host CPUID`
			`results on physical hosts, it will not be enabled automatically`
			`in guests configured with "host-model" CPU unless using QEMU`
			`version >= 2.9.0. Thus for older versions of QEMU, this feature`
			`must be manually enabled using policy=force. Guests using the`
			`"host-passthrough" CPU mode do not need special handling.`

			`Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>`
			`Reviewed-by: Jiri Denemark <jdenemar@redhat.com>`

			`Index: libvirt-4.3.0/src/cpu/cpu_map.xml`
			`===================================================================`
			`--- libvirt-4.3.0.orig/src/cpu/cpu_map.xml`
			`+++ libvirt-4.3.0/src/cpu/cpu_map.xml`
			`@@ -433,6 +433,9 @@`
			`<feature name='ibpb'>`
			`<cpuid eax_in='0x80000008' ebx='0x00001000'/>`
			`</feature>`
			`+ <feature name='virt-ssbd'>`
			`+ <cpuid eax_in='0x80000008' ebx='0x02000000'/>`
			`+ </feature>`

			`<!-- models -->`
			`<model name='486'>`