Accepting request 611362 from home:jfehlig:branches:Virtualization

- cpu: add support for 'ssbd' and 'virt-ssbd' CPUID feature bits CVE-2018-3639 1dbca2ec-CVE-2018-3639.patch, 92673422-CVE-2018-3639.patch bsc#1092885 OBS-URL: https://build.opensuse.org/request/show/611362 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=689
2018-05-22 17:05:48 +00:00 · 2018-05-22 17:05:48 +00:00 · 20551e5e18
commit 20551e5e18
parent e2e9d8fccc
5 changed files with 77 additions and 1 deletions
--- a/1dbca2ec-CVE-2018-3639.patch
+++ b/1dbca2ec-CVE-2018-3639.patch
@ -0,0 +1,27 @@
+commit 1dbca2eccad58d91a5fd33962854f1a653638182
+Author: Daniel P. Berrangé <berrange@redhat.com>
+Date:   Mon May 21 23:05:07 2018 +0100
+
+    cpu: define the 'ssbd' CPUID feature bit (CVE-2018-3639)
+    
+    New microcode introduces the "Speculative Store Bypass Disable"
+    CPUID feature bit. This needs to be exposed to guest OS to allow
+    them to protect against CVE-2018-3639.
+    
+    Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+    Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+
+Index: libvirt-4.3.0/src/cpu/cpu_map.xml
+===================================================================
+--- libvirt-4.3.0.orig/src/cpu/cpu_map.xml
+++ libvirt-4.3.0/src/cpu/cpu_map.xml
+@@ -298,6 +298,9 @@
+     <feature name='spec-ctrl'>
+       <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/>
+     </feature>
+    <feature name='ssbd'>
+      <cpuid eax_in='0x07' ecx_in='0x00' edx='0x80000000'/>
+    </feature>
+ 
+     <!-- Processor Extended State Enumeration sub leaf 1 -->
+     <feature name='xsaveopt'>
--- a/92673422-CVE-2018-3639.patch
+++ b/92673422-CVE-2018-3639.patch
@ -0,0 +1,37 @@
+commit 9267342206ce17f6933d57a3128cdc504d5945c9
+Author: Daniel P. Berrangé <berrange@redhat.com>
+Date:   Mon May 21 23:05:08 2018 +0100
+
+    cpu: define the 'virt-ssbd' CPUID feature bit (CVE-2018-3639)
+    
+    Some AMD processors only support a non-architectural means of
+    enabling Speculative Store Bypass Disable. To allow simplified
+    handling in virtual environments, hypervisors will expose an
+    architectural definition through CPUID bit 0x80000008_EBX[25].
+    This needs to be exposed to guest OS running on AMD x86 hosts to
+    allow them to protect against CVE-2018-3639.
+    
+    Note that since this CPUID bit won't be present in the host CPUID
+    results on physical hosts, it will not be enabled automatically
+    in guests configured with "host-model" CPU unless using QEMU
+    version >= 2.9.0. Thus for older versions of QEMU, this feature
+    must be manually enabled using policy=force. Guests using the
+    "host-passthrough" CPU mode do not need special handling.
+    
+    Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+    Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+
+Index: libvirt-4.3.0/src/cpu/cpu_map.xml
+===================================================================
+--- libvirt-4.3.0.orig/src/cpu/cpu_map.xml
+++ libvirt-4.3.0/src/cpu/cpu_map.xml
+@@ -433,6 +433,9 @@
+     <feature name='ibpb'>
+       <cpuid eax_in='0x80000008' ebx='0x00001000'/>
+     </feature>
+    <feature name='virt-ssbd'>
+      <cpuid eax_in='0x80000008' ebx='0x02000000'/>
+    </feature>
+ 
+     <!-- models -->
+     <model name='486'>
--- a/libvirt-power8-models.patch
+++ b/libvirt-power8-models.patch
@ -6,7 +6,7 @@ Index: libvirt-4.3.0/src/cpu/cpu_map.xml
 ===================================================================
 --- libvirt-4.3.0.orig/src/cpu/cpu_map.xml
 +++ libvirt-4.3.0/src/cpu/cpu_map.xml
-@@ -2349,6 +2349,8 @@
+@@ -2355,6 +2355,8 @@
       <pvr value='0x004b0000' mask='0xffff0000'/>
       <pvr value='0x004c0000' mask='0xffff0000'/>
       <pvr value='0x004d0000' mask='0xffff0000'/>
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue May 22 14:44:51 UTC 2018 - jfehlig@suse.com
+
+- cpu: add support for 'ssbd' and 'virt-ssbd' CPUID feature bits
+  CVE-2018-3639
+  1dbca2ec-CVE-2018-3639.patch, 92673422-CVE-2018-3639.patch
+  bsc#1092885
+
 -------------------------------------------------------------------
 Mon May  7 17:06:10 UTC 2018 - jfehlig@suse.com

--- a/libvirt.spec
+++ b/libvirt.spec
@ -323,6 +323,8 @@ Source6:        libvirtd-relocation-server.xml
 Source99:       baselibs.conf
 Source100:      %{name}-rpmlintrc
 # Upstream patches
+Patch0:         1dbca2ec-CVE-2018-3639.patch
+Patch1:         92673422-CVE-2018-3639.patch
 # Patches pending upstream review
 Patch100:       libxl-dom-reset.patch
 Patch101:       network-don-t-use-dhcp-authoritative-on-static-netwo.patch
@ -907,6 +909,8 @@ libvirt plugin for NSS for translating domain names into IP addresses.

 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
 %patch100 -p1
 %patch101 -p1
 %patch150 -p1