Accepting request 749743 from home:bfrogers:branches:Virtualization

- Expose pschange-mc-no "feature", indicating CPU does not have
  the page size change machine check vulnerability (CVE-2018-12207
  bsc#1155812)
  target-i386-add-PSCHANGE_NO-bit-for-the-.patch
- Expose taa-no "feature", indicating CPU does not have the
  TSX Async Abort vulnerability. (CVE-2019-11135 bsc#1152506)
  target-i386-Export-TAA_NO-bit-to-guests.patch
Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.1

OBS-URL: https://build.opensuse.org/request/show/749743
OBS-URL: https://build.opensuse.org/package/show/Virtualization/qemu?expand=0&rev=512
Bruce Rogers 2019-11-19 20:31:43 +00:00 committed by Git OBS Bridge
parent 907915b13a
commit d67e9c0b68
7 changed files with 141 additions and 57 deletions


@ -14,6 +14,11 @@ GIT_UPSTREAM_COMMIT_ISH=v4.1.1
# This is used to choose the version number when LATEST processing is active # This is used to choose the version number when LATEST processing is active
NEXT_RELEASE_IS_MAJOR=0 NEXT_RELEASE_IS_MAJOR=0
# Unfortunately, SeaBIOS doesn't always follow an "always increasing" version
# model, so there may be times we should overide the automated version setting.
# We can do so by specifing the value here:
# SEABIOS_VERSION=1.12.1+
# The shared openSUSE specific git repo, on which $GIT_LOCAL_TREE is based # The shared openSUSE specific git repo, on which $GIT_LOCAL_TREE is based
GIT_TREE=git://github.com/openSUSE/qemu.git GIT_TREE=git://github.com/openSUSE/qemu.git


@ -1,3 +1,15 @@
-------------------------------------------------------------------
Tue Nov 19 19:13:41 UTC 2019 - Bruce Rogers <brogers@suse.com>
- Expose pschange-mc-no "feature", indicating CPU does not have
the page size change machine check vulnerability (CVE-2018-12207
bsc#1155812)
target-i386-add-PSCHANGE_NO-bit-for-the-.patch
- Expose taa-no "feature", indicating CPU does not have the
TSX Async Abort vulnerability. (CVE-2019-11135 bsc#1152506)
target-i386-Export-TAA_NO-bit-to-guests.patch
Patch queue updated from git://github.com/openSUSE/qemu.git opensuse-4.1
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Nov 15 15:45:45 UTC 2019 - Bruce Rogers <brogers@suse.com> Fri Nov 15 15:45:45 UTC 2019 - Bruce Rogers <brogers@suse.com>


@ -87,14 +87,15 @@
%define summary_string Machine emulator and virtualizer %define summary_string Machine emulator and virtualizer
%endif %endif
%define qemuver 4.1.1
%define srcver 4.1.1
%define sbver 1.12.1
%define srcname qemu %define srcname qemu
Name: qemu%{name_suffix} Name: qemu%{name_suffix}
URL: https://www.qemu.org/ URL: https://www.qemu.org/
Summary: %{summary_string} Summary: %{summary_string}
License: BSD-2-Clause AND BSD-3-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT License: BSD-2-Clause AND BSD-3-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT
Group: System/Emulators/PC Group: System/Emulators/PC
%define qemuver 4.1.1
%define srcver 4.1.1
Version: %qemuver Version: %qemuver
Release: 0 Release: 0
Source: https://wiki.qemu.org/download/%{srcname}-%{srcver}.tar.xz Source: https://wiki.qemu.org/download/%{srcname}-%{srcver}.tar.xz
@ -122,46 +123,48 @@ Source303: README.PACKAGING
# This patch queue is auto-generated - see README.PACKAGING for process # This patch queue is auto-generated - see README.PACKAGING for process
# Patches applied in base project: # Patches applied in base project:
Patch00000: XXX-dont-dump-core-on-sigabort.patch Patch00000: target-i386-add-PSCHANGE_NO-bit-for-the-.patch
Patch00001: qemu-binfmt-conf-Modify-default-path.patch Patch00001: target-i386-Export-TAA_NO-bit-to-guests.patch
Patch00002: qemu-cvs-gettimeofday.patch Patch00002: XXX-dont-dump-core-on-sigabort.patch
Patch00003: qemu-cvs-ioctl_debug.patch Patch00003: qemu-binfmt-conf-Modify-default-path.patch
Patch00004: qemu-cvs-ioctl_nodirection.patch Patch00004: qemu-cvs-gettimeofday.patch
Patch00005: linux-user-add-binfmt-wrapper-for-argv-0.patch Patch00005: qemu-cvs-ioctl_debug.patch
Patch00006: PPC-KVM-Disable-mmu-notifier-check.patch Patch00006: qemu-cvs-ioctl_nodirection.patch
Patch00007: linux-user-binfmt-support-host-binaries.patch Patch00007: linux-user-add-binfmt-wrapper-for-argv-0.patch
Patch00008: linux-user-Fake-proc-cpuinfo.patch Patch00008: PPC-KVM-Disable-mmu-notifier-check.patch
Patch00009: linux-user-use-target_ulong.patch Patch00009: linux-user-binfmt-support-host-binaries.patch
Patch00010: Make-char-muxer-more-robust-wrt-small-FI.patch Patch00010: linux-user-Fake-proc-cpuinfo.patch
Patch00011: linux-user-lseek-explicitly-cast-non-set.patch Patch00011: linux-user-use-target_ulong.patch
Patch00012: AIO-Reduce-number-of-threads-for-32bit-h.patch Patch00012: Make-char-muxer-more-robust-wrt-small-FI.patch
Patch00013: xen_disk-Add-suse-specific-flush-disable.patch Patch00013: linux-user-lseek-explicitly-cast-non-set.patch
Patch00014: qemu-bridge-helper-reduce-security-profi.patch Patch00014: AIO-Reduce-number-of-threads-for-32bit-h.patch
Patch00015: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch Patch00015: xen_disk-Add-suse-specific-flush-disable.patch
Patch00016: linux-user-properly-test-for-infinite-ti.patch Patch00016: qemu-bridge-helper-reduce-security-profi.patch
Patch00017: roms-Makefile-pass-a-packaging-timestamp.patch Patch00017: qemu-binfmt-conf-use-qemu-ARCH-binfmt.patch
Patch00018: Raise-soft-address-space-limit-to-hard-l.patch Patch00018: linux-user-properly-test-for-infinite-ti.patch
Patch00019: increase-x86_64-physical-bits-to-42.patch Patch00019: roms-Makefile-pass-a-packaging-timestamp.patch
Patch00020: vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch Patch00020: Raise-soft-address-space-limit-to-hard-l.patch
Patch00021: i8254-Fix-migration-from-SLE11-SP2.patch Patch00021: increase-x86_64-physical-bits-to-42.patch
Patch00022: acpi_piix4-Fix-migration-from-SLE11-SP2.patch Patch00022: vga-Raise-VRAM-to-16-MiB-for-pc-0.15-and.patch
Patch00023: Switch-order-of-libraries-for-mpath-supp.patch Patch00023: i8254-Fix-migration-from-SLE11-SP2.patch
Patch00024: Make-installed-scripts-explicitly-python.patch Patch00024: acpi_piix4-Fix-migration-from-SLE11-SP2.patch
Patch00025: hw-smbios-handle-both-file-formats-regar.patch Patch00025: Switch-order-of-libraries-for-mpath-supp.patch
Patch00026: xen-add-block-resize-support-for-xen-dis.patch Patch00026: Make-installed-scripts-explicitly-python.patch
Patch00027: tests-qemu-iotests-Triple-timeout-of-i-o.patch Patch00027: hw-smbios-handle-both-file-formats-regar.patch
Patch00028: tests-Fix-block-tests-to-be-compatible-w.patch Patch00028: xen-add-block-resize-support-for-xen-dis.patch
Patch00029: xen-ignore-live-parameter-from-xen-save-.patch Patch00029: tests-qemu-iotests-Triple-timeout-of-i-o.patch
Patch00030: Conditionalize-ui-bitmap-installation-be.patch Patch00030: tests-Fix-block-tests-to-be-compatible-w.patch
Patch00031: tests-change-error-message-in-test-162.patch Patch00031: xen-ignore-live-parameter-from-xen-save-.patch
Patch00032: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch Patch00032: Conditionalize-ui-bitmap-installation-be.patch
Patch00033: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch Patch00033: tests-change-error-message-in-test-162.patch
Patch00034: hw-intc-exynos4210_gic-provide-more-room.patch Patch00034: hw-usb-hcd-xhci-Fix-GCC-9-build-warning.patch
Patch00035: configure-only-populate-roms-if-softmmu.patch Patch00035: hw-usb-dev-mtp-Fix-GCC-9-build-warning.patch
Patch00036: pc-bios-s390-ccw-net-avoid-warning-about.patch Patch00036: hw-intc-exynos4210_gic-provide-more-room.patch
Patch00037: roms-change-cross-compiler-naming-to-be-.patch Patch00037: configure-only-populate-roms-if-softmmu.patch
Patch00038: tests-Disable-some-block-tests-for-now.patch Patch00038: pc-bios-s390-ccw-net-avoid-warning-about.patch
Patch00039: test-add-mapping-from-arch-of-i686-to-qe.patch Patch00039: roms-change-cross-compiler-naming-to-be-.patch
Patch00040: tests-Disable-some-block-tests-for-now.patch
Patch00041: test-add-mapping-from-arch-of-i686-to-qe.patch
# Patches applied in roms/seabios/: # Patches applied in roms/seabios/:
Patch01000: seabios-use-python2-explicitly-as-needed.patch Patch01000: seabios-use-python2-explicitly-as-needed.patch
Patch01001: seabios-switch-to-python3-as-needed.patch Patch01001: seabios-switch-to-python3-as-needed.patch
@ -373,7 +376,7 @@ BuildRequires: qemu-ksm = %{qemuver}
BuildRequires: qemu-lang = %{qemuver} BuildRequires: qemu-lang = %{qemuver}
BuildRequires: qemu-ppc = %{qemuver} BuildRequires: qemu-ppc = %{qemuver}
BuildRequires: qemu-s390 = %{qemuver} BuildRequires: qemu-s390 = %{qemuver}
BuildRequires: qemu-seabios = 1.12.1 BuildRequires: qemu-seabios = %{sbver}
BuildRequires: qemu-sgabios = 8 BuildRequires: qemu-sgabios = 8
BuildRequires: qemu-tools = %{qemuver} BuildRequires: qemu-tools = %{qemuver}
BuildRequires: qemu-ui-curses = %{qemuver} BuildRequires: qemu-ui-curses = %{qemuver}
@ -381,7 +384,7 @@ BuildRequires: qemu-ui-gtk = %{qemuver}
%if 0%{?is_opensuse} %if 0%{?is_opensuse}
BuildRequires: qemu-ui-sdl = %{qemuver} BuildRequires: qemu-ui-sdl = %{qemuver}
%endif %endif
BuildRequires: qemu-vgabios = 1.12.1 BuildRequires: qemu-vgabios = %{sbver}
BuildRequires: qemu-x86 = %{qemuver} BuildRequires: qemu-x86 = %{qemuver}
%endif %endif
Requires(pre): shadow Requires(pre): shadow
@ -769,7 +772,7 @@ to provide information and control at the guest OS level.
%package seabios %package seabios
Summary: x86 Legacy BIOS for QEMU Summary: x86 Legacy BIOS for QEMU
Group: System/Emulators/PC Group: System/Emulators/PC
Version: 1.12.1 Version: %{sbver}
Release: 0 Release: 0
BuildArch: noarch BuildArch: noarch
Conflicts: %name < 1.6.0 Conflicts: %name < 1.6.0
@ -781,7 +784,7 @@ is the default and legacy BIOS for QEMU.
%package vgabios %package vgabios
Summary: VGA BIOSes for QEMU Summary: VGA BIOSes for QEMU
Group: System/Emulators/PC Group: System/Emulators/PC
Version: 1.12.1 Version: %{sbver}
Release: 0 Release: 0
BuildArch: noarch BuildArch: noarch
Conflicts: %name < 1.6.0 Conflicts: %name < 1.6.0
@ -891,6 +894,8 @@ This package provides a service file for starting and stopping KSM.
%patch00037 -p1 %patch00037 -p1
%patch00038 -p1 %patch00038 -p1
%patch00039 -p1 %patch00039 -p1
%patch00040 -p1
%patch00041 -p1
%patch01000 -p1 %patch01000 -p1
%patch01001 -p1 %patch01001 -p1
%patch01002 -p1 %patch01002 -p1


@ -87,13 +87,14 @@
%define summary_string Machine emulator and virtualizer %define summary_string Machine emulator and virtualizer
%endif %endif
INSERT_VERSIONING
%define srcname qemu %define srcname qemu
Name: qemu%{name_suffix} Name: qemu%{name_suffix}
URL: https://www.qemu.org/ URL: https://www.qemu.org/
Summary: %{summary_string} Summary: %{summary_string}
License: BSD-2-Clause AND BSD-3-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT License: BSD-2-Clause AND BSD-3-Clause AND GPL-2.0-only AND GPL-2.0-or-later AND LGPL-2.1-or-later AND MIT
Group: System/Emulators/PC Group: System/Emulators/PC
QEMU_VERSION Version: %qemuver
Release: 0 Release: 0
Source: https://wiki.qemu.org/download/%{srcname}-%{srcver}.tar.xz Source: https://wiki.qemu.org/download/%{srcname}-%{srcver}.tar.xz
Source100: %{srcname}.keyring Source100: %{srcname}.keyring
@ -301,7 +302,7 @@ BuildRequires: qemu-ksm = %{qemuver}
BuildRequires: qemu-lang = %{qemuver} BuildRequires: qemu-lang = %{qemuver}
BuildRequires: qemu-ppc = %{qemuver} BuildRequires: qemu-ppc = %{qemuver}
BuildRequires: qemu-s390 = %{qemuver} BuildRequires: qemu-s390 = %{qemuver}
BuildRequires: qemu-seabios = 1.12.1 BuildRequires: qemu-seabios = %{sbver}
BuildRequires: qemu-sgabios = 8 BuildRequires: qemu-sgabios = 8
BuildRequires: qemu-tools = %{qemuver} BuildRequires: qemu-tools = %{qemuver}
BuildRequires: qemu-ui-curses = %{qemuver} BuildRequires: qemu-ui-curses = %{qemuver}
@ -309,7 +310,7 @@ BuildRequires: qemu-ui-gtk = %{qemuver}
%if 0%{?is_opensuse} %if 0%{?is_opensuse}
BuildRequires: qemu-ui-sdl = %{qemuver} BuildRequires: qemu-ui-sdl = %{qemuver}
%endif %endif
BuildRequires: qemu-vgabios = 1.12.1 BuildRequires: qemu-vgabios = %{sbver}
BuildRequires: qemu-x86 = %{qemuver} BuildRequires: qemu-x86 = %{qemuver}
%endif %endif
Requires(pre): shadow Requires(pre): shadow
@ -697,7 +698,7 @@ to provide information and control at the guest OS level.
%package seabios %package seabios
Summary: x86 Legacy BIOS for QEMU Summary: x86 Legacy BIOS for QEMU
Group: System/Emulators/PC Group: System/Emulators/PC
SEABIOS_VERSION Version: %{sbver}
Release: 0 Release: 0
BuildArch: noarch BuildArch: noarch
Conflicts: %name < 1.6.0 Conflicts: %name < 1.6.0
@ -709,7 +710,7 @@ is the default and legacy BIOS for QEMU.
%package vgabios %package vgabios
Summary: VGA BIOSes for QEMU Summary: VGA BIOSes for QEMU
Group: System/Emulators/PC Group: System/Emulators/PC
SEABIOS_VERSION Version: %{sbver}
Release: 0 Release: 0
BuildArch: noarch BuildArch: noarch
Conflicts: %name < 1.6.0 Conflicts: %name < 1.6.0


@ -0,0 +1,34 @@
From: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Date: Mon, 18 Nov 2019 23:23:27 -0800
Subject: target/i386: Export TAA_NO bit to guests
Git-commit: 7fac38635e1cc5ebae34eb6530da1009bd5808e4
Reference: bsc#1152506 CVE-2019-11135
TSX Async Abort (TAA) is a side channel attack on internal buffers in
some Intel processors similar to Microachitectural Data Sampling (MDS).
Some future Intel processors will use the ARCH_CAP_TAA_NO bit in the
IA32_ARCH_CAPABILITIES MSR to report that they are not vulnerable to
TAA. Make this bit available to guests.
Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
target/i386/cpu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 5191367f89ee4d1131c4309633de..530942baed87c5ff76beaf36df14 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1189,7 +1189,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
.feat_names = {
"rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry",
"ssb-no", "mds-no", "pschange-mc-no", NULL,
- NULL, NULL, NULL, NULL,
+ "taa-no", NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
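Review bot: The description behind the added `"taa-no"` line says what the bit means on hardware but not when it is safe to show it to a guest, and the same gap exists for `"pschange-mc-no"` in target-i386-add-PSCHANGE_NO-bit-for-the-.patch. A guest kernel or nested hypervisor that sees one of these "-no" bits is expected to treat the CPU as unaffected and may leave its own mitigation off, so the flag has to hold for the host it runs on and for every host it can be migrated to. I would add a sentence to the .changes entry along the lines of `Only enable taa-no / pschange-mc-no when all hosts in the migration pool report the bit.` It would also help to note above the row that the slot index in `.feat_names` appears to be the bit number in IA32_ARCH_CAPABILITIES, e.g. `/* index == MSR bit; NULL == not exposed to guests */`, so the NULL left between the two names reads as deliberate. The array initializer starts and ends outside the hunk.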


@ -0,0 +1,29 @@
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Wed, 13 Nov 2019 15:54:35 +0100
Subject: target/i386: add PSCHANGE_NO bit for the ARCH_CAPABILITIES MSR
Git-commit: 7f7a585d5bd3c7f1275d28c77d9d67513c1de36c
Reference: bsc#1155812 CVE-2018-12207
This is required to disable ITLB multihit mitigations in nested
hypervisors.
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Bruce Rogers <brogers@suse.com>
---
target/i386/cpu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 19751e37a71fee27944526fe507c..5191367f89ee4d1131c4309633de 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1188,7 +1188,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
.type = MSR_FEATURE_WORD,
.feat_names = {
"rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry",
- "ssb-no", "mds-no", NULL, NULL,
+ "ssb-no", "mds-no", "pschange-mc-no", NULL,
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL,


@ -462,8 +462,8 @@ rm -rf $BUNDLE_DIR
echo "QEMU source version: $SOURCE_VERSION" echo "QEMU source version: $SOURCE_VERSION"
echo "QEMU version extra: $VERSION_EXTRA" echo "QEMU version extra: $VERSION_EXTRA"
SEABIOS_VERSION=$(tar JxfO qemu-$SOURCE_VERSION$VERSION_EXTRA.tar.xz \ SEABIOS_VERSION=${SEABIOS_VERSION:-$(tar JxfO qemu-$SOURCE_VERSION$VERSION_EXTRA.tar.xz \
qemu-$SOURCE_VERSION/roms/seabios/.version | cut -d '-' -f 2) qemu-$SOURCE_VERSION/roms/seabios/.version | cut -d '-' -f 2)}
for package in qemu; do for package in qemu; do
while IFS= read -r line; do while IFS= read -r line; do
@ -507,18 +507,16 @@ rm -rf $BUNDLE_DIR
echo "%patch$NUM -p1" echo "%patch$NUM -p1"
fi fi
done done
elif [ "$line" = "QEMU_VERSION" ]; then elif [ "$line" = "INSERT_VERSIONING" ]; then
echo "%define qemuver $QEMU_VERSION$VERSION_EXTRA" echo "%define qemuver $QEMU_VERSION$VERSION_EXTRA"
echo "%define srcver $SOURCE_VERSION$VERSION_EXTRA" echo "%define srcver $SOURCE_VERSION$VERSION_EXTRA"
echo "Version: %qemuver" echo "%define sbver $SEABIOS_VERSION"
elif [[ "$line" =~ ^Source: ]]; then elif [[ "$line" =~ ^Source: ]]; then
echo "$line" echo "$line"
if [ ${#QEMU_TARBALL_SIG[@]} -eq 1 ]; then if [ ${#QEMU_TARBALL_SIG[@]} -eq 1 ]; then
# We assume the signature file corresponds - just add .sig # We assume the signature file corresponds - just add .sig
echo "$line.sig"|sed 's/^Source: /Source99:/' echo "$line.sig"|sed 's/^Source: /Source99:/'
fi fi
elif [ "$line" = "SEABIOS_VERSION" ]; then
echo "Version: $SEABIOS_VERSION"
else else
echo "$line" echo "$line"
fi fi
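Review bot: With `SEABIOS_VERSION=${SEABIOS_VERSION:-$(tar …)}` in the first hunk, any value already set when this line runs replaces the version read from `roms/seabios/.version`, and it is then written unchecked into `%define sbver` in the second hunk. Unless the script clears the variable earlier (not visible here), that includes a stale export from the caller's shell as well as the override documented in config.sh, and an empty result from a failed tar extraction would still pass through. Either case labels the seabios and vgabios subpackages with a version that does not match the bundled source, which is what vulnerability tracking keys on. I would validate before the loop, e.g. `[[ "$SEABIOS_VERSION" =~ ^[0-9][0-9A-Za-z.+~]*$ ]] || { echo "bad SEABIOS_VERSION: '$SEABIOS_VERSION'" >&2; exit 1; }`, and print the chosen value next to the two existing version `echo` lines so an override shows up in the log. The enclosing loops start and end outside these hunks.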