Accepting request 579209 from home:bfrogers:branches:Virtualization
Update to 2.11.1, plus a few other fixes.

OBS-URL: https://build.opensuse.org/request/show/579209
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=392
Committed by Git OBS Bridge
parent 49812da5a8
commit 596dc9ba39
82
qemu.changes
@@ -1,3 +1,85 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 22 12:01:21 UTC 2018 - brogers@suse.com
|
||||
|
||||
- Update to v2.11.1, a stable, (mostly) bug-fix-only release
|
||||
In addition to bug fixes, of necessity fixes are needed to
|
||||
address the Spectre v2 vulnerability by passing along to the
|
||||
guest new hardware features introduced by host microcode updates.
|
||||
A January 2018 release of qemu initially addressed this issue
|
||||
by exposing the feature for all x86 vcpu types, which was the
|
||||
quick and dirty approach, but not the proper solution. We remove
|
||||
that initial patch and now rely on the upstream solution. This
|
||||
update instead defines spec_ctrl and ibpb cpu feature flags as
|
||||
well as new cpu models which are clones of existing models with
|
||||
either -IBRS or -IBPB added to the end of the model name. These
|
||||
new vcpu models explicitly include the new feature(s), whereas
|
||||
the feature flags can be added to the cpu parameter as with other
|
||||
features. In short, for continued Spectre v2 protection, ensure
|
||||
that either the appropriate cpu feature flag is added to the QEMU
|
||||
command-line, or one of the new cpu models is used. Although
|
||||
migration from older versions is supported, the new cpu features
|
||||
won't be properly exposed to the guest until it is restarted with
|
||||
the cpu features explicitly added. A reboot is insufficient.
|
||||
A warning patch is added which attempts to detect a migration
|
||||
from a qemu version which had the quick and dirty fix (it only
|
||||
detects certain cases, but hopefully is helpful.)
|
||||
s390x guest vulnerability to Spectre v2 is also addressed in this
|
||||
update by including support for bpb and ppa/stfle.81 features.
|
||||
(CVE-2017-5715 bsc#1068032)
|
||||
For additional information on Spectre v2 as it relates to QEMU,
|
||||
see: https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/
|
||||
- Unfortunately, it was found that our current KVM isn't correctly
|
||||
indicating support for the spec-ctrl feature, so I've added a patch
|
||||
to still detect that support within QEMU. This is of course a
|
||||
temporary kludge until KVM gets fixed. (bsc#1082276)
|
||||
- The SEV support patches are updated to the v9 series.
|
||||
- Fix incompatibility with recent glibc (boo#1081154)
|
||||
- Add Supplements tags for the guest agent package in an attempt to
|
||||
auto-install for QEMU and Xen SUSE Linux guests (fate#323570)
|
||||
* Patches dropped (subsumed by stable update, or reworked in v9):
|
||||
0033-i386-kvm-MSR_IA32_SPEC_CTRL-and-MSR.patch
|
||||
0050-target-i386-add-memory-encryption-f.patch
|
||||
0054-accel-add-Secure-Encrypted-Virtuliz.patch
|
||||
0055-sev-add-command-to-initialize-the-m.patch
|
||||
0072-sev-Fix-build-for-non-x86-hosts.patch
|
||||
* Patches added:
|
||||
0033-memfd-fix-configure-test.patch
|
||||
0053-target-i386-add-Secure-Encrypted-Vi.patch
|
||||
0056-qmp-populate-SevInfo-fields-with-SE.patch
|
||||
0072-tests-qmp-test-blacklist-query-sev-.patch
|
||||
0073-sev-i386-add-migration-blocker.patch
|
||||
0074-cpu-i386-populate-CPUID-0x8000_001F.patch
|
||||
0075-migration-warn-about-inconsistent-s.patch
|
||||
0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch
|
||||
* Patches renamed (plus some minor code changes):
|
||||
0051-machine-add-memory-encryption-prope.patch
|
||||
-> 0050-machine-add-memory-encryption-prope.patch
|
||||
0052-kvm-update-kvm.h-to-include-memory-.patch
|
||||
-> 0051-kvm-update-kvm.h-to-include-memory-.patch
|
||||
0053-docs-add-AMD-Secure-Encrypted-Virtu.patch
|
||||
-> 0052-docs-add-AMD-Secure-Encrypted-Virtu.patch
|
||||
0056-sev-register-the-guest-memory-range.patch
|
||||
-> 0057-sev-i386-register-the-guest-memory-.patch
|
||||
0057-kvm-introduce-memory-encryption-API.patch
|
||||
-> 0058-kvm-introduce-memory-encryption-API.patch
|
||||
0058-qmp-add-query-sev-command.patch
|
||||
-> 0054-qmp-add-query-sev-command.patch
|
||||
0060-sev-add-command-to-create-launch-me.patch
|
||||
-> 0060-sev-i386-add-command-to-create-laun.patch
|
||||
0061-sev-add-command-to-encrypt-guest-me.patch
|
||||
-> 0061-sev-i386-add-command-to-encrypt-gue.patch
|
||||
0063-sev-add-support-to-LAUNCH_MEASURE-c.patch
|
||||
-> 0063-sev-i386-add-support-to-LAUNCH_MEAS.patch
|
||||
0064-sev-Finalize-the-SEV-guest-launch-f.patch
|
||||
-> 0064-sev-i386-finalize-the-SEV-guest-lau.patch
|
||||
0066-sev-add-debug-encrypt-and-decrypt-c.patch
|
||||
-> 0066-sev-i386-add-debug-encrypt-and-decr.patch
|
||||
0069-sev-add-support-to-query-PLATFORM_S.patch
|
||||
-> 0069-sev-i386-add-support-to-query-PLATF.patch
|
||||
0070-sev-add-support-to-KVM_SEV_GUEST_ST.patch
|
||||
-> 0070-sev-i386-add-support-to-KVM_SEV_GUE.patch
|
||||
- Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-2.11
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 8 18:29:30 UTC 2018 - brogers@suse.com
|
||||
|
||||
|
||||
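Review bot: The Spectre v2 paragraph of the Feb 22 entry spells the new feature flag "spec_ctrl", while the KVM workaround bullet further down spells it "spec-ctrl"; use one spelling throughout, preferably the one an administrator is expected to type in the cpu parameter, so that a search of the changelog or of guest configurations finds both mentions. The same paragraph asks readers to add "the appropriate cpu feature flag" or pick a model ending in -IBRS or -IBPB, but never says which of the two goes with which vcpu models; one example line, or an explicit statement that the linked qemu.org post carries the mapping, would make the "restart, a reboot is insufficient" instruction actionable. The migration warning is described as catching only "certain cases"; naming those cases next to 0075-migration-warn-about-inconsistent-s.patch would tell operators that the absence of a warning after migration is not evidence that the guest sees the features. For 0076-i386-Compensate-for-KVM-SPEC_CTRL-f.patch, described as a temporary kludge, state the condition under which it is to be dropped so it does not outlive the KVM fix.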