diff --git a/1dbca2ec-CVE-2018-3639.patch b/1dbca2ec-CVE-2018-3639.patch
new file mode 100644
index 0000000..96e66c8
--- /dev/null
+++ b/1dbca2ec-CVE-2018-3639.patch
@@ -0,0 +1,27 @@
+commit 1dbca2eccad58d91a5fd33962854f1a653638182
+Author: Daniel P. Berrangé
+Date: Mon May 21 23:05:07 2018 +0100
+
+ cpu: define the 'ssbd' CPUID feature bit (CVE-2018-3639)
+
+ New microcode introduces the "Speculative Store Bypass Disable"
+ CPUID feature bit. This needs to be exposed to guest OS to allow
+ them to protect against CVE-2018-3639.
+
+ Signed-off-by: Daniel P. Berrangé
+ Reviewed-by: Jiri Denemark
+
+Index: libvirt-4.3.0/src/cpu/cpu_map.xml
+===================================================================
+--- libvirt-4.3.0.orig/src/cpu/cpu_map.xml
++++ libvirt-4.3.0/src/cpu/cpu_map.xml
+@@ -298,6 +298,9 @@
+
+
+
++
++
++
+
+
+
diff --git a/92673422-CVE-2018-3639.patch b/92673422-CVE-2018-3639.patch
new file mode 100644
index 0000000..16e3abf
--- /dev/null
+++ b/92673422-CVE-2018-3639.patch
@@ -0,0 +1,37 @@
+commit 9267342206ce17f6933d57a3128cdc504d5945c9
+Author: Daniel P. Berrangé
+Date: Mon May 21 23:05:08 2018 +0100
+
+ cpu: define the 'virt-ssbd' CPUID feature bit (CVE-2018-3639)
+
+ Some AMD processors only support a non-architectural means of
+ enabling Speculative Store Bypass Disable. To allow simplified
+ handling in virtual environments, hypervisors will expose an
+ architectural definition through CPUID bit 0x80000008_EBX[25].
+ This needs to be exposed to guest OS running on AMD x86 hosts to
+ allow them to protect against CVE-2018-3639.
+
+ Note that since this CPUID bit won't be present in the host CPUID
+ results on physical hosts, it will not be enabled automatically
+ in guests configured with "host-model" CPU unless using QEMU
+ version >= 2.9.0. Thus for older versions of QEMU, this feature
+ must be manually enabled using policy=force. Guests using the
+ "host-passthrough" CPU mode do not need special handling.
+
+ Signed-off-by: Daniel P. Berrangé
+ Reviewed-by: Jiri Denemark
+
+Index: libvirt-4.3.0/src/cpu/cpu_map.xml
+===================================================================
+--- libvirt-4.3.0.orig/src/cpu/cpu_map.xml
++++ libvirt-4.3.0/src/cpu/cpu_map.xml
+@@ -433,6 +433,9 @@
+
+
+
++
++
++
+
+
+
diff --git a/libvirt-power8-models.patch b/libvirt-power8-models.patch
index 5d85b0c..705ff54 100644
--- a/libvirt-power8-models.patch
+++ b/libvirt-power8-models.patch
@@ -6,7 +6,7 @@ Index: libvirt-4.3.0/src/cpu/cpu_map.xml
 ===================================================================
 --- libvirt-4.3.0.orig/src/cpu/cpu_map.xml
 +++ libvirt-4.3.0/src/cpu/cpu_map.xml
-@@ -2349,6 +2349,8 @@
+@@ -2355,6 +2355,8 @@
diff --git a/libvirt.changes b/libvirt.changes
index 701d060..0283c09 100644
--- a/libvirt.changes
+++ b/libvirt.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Tue May 22 14:44:51 UTC 2018 - jfehlig@suse.com
+
+- cpu: add support for 'ssbd' and 'virt-ssbd' CPUID feature bits
+ CVE-2018-3639
+ 1dbca2ec-CVE-2018-3639.patch, 92673422-CVE-2018-3639.patch
+ bsc#1092885
+
 -------------------------------------------------------------------
 Mon May 7 17:06:10 UTC 2018 - jfehlig@suse.com
diff --git a/libvirt.spec b/libvirt.spec
index cd135d9..a6c2388 100644
--- a/libvirt.spec
+++ b/libvirt.spec
@@ -323,6 +323,8 @@ Source6: libvirtd-relocation-server.xml
 Source99: baselibs.conf
 Source100: %{name}-rpmlintrc
 # Upstream patches
+Patch0: 1dbca2ec-CVE-2018-3639.patch
+Patch1: 92673422-CVE-2018-3639.patch
 # Patches pending upstream review
 Patch100: libxl-dom-reset.patch
 Patch101: network-don-t-use-dhcp-authoritative-on-static-netwo.patch
@@ -907,6 +909,8 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
 %patch100 -p1
 %patch101 -p1
 %patch150 -p1
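Review bot: The Patch1 line added in the libvirt.spec hunk pulls in 92673422-CVE-2018-3639.patch, whose own commit message states that 'virt-ssbd' is not enabled automatically for guests using the "host-model" CPU unless QEMU is >= 2.9.0 and must otherwise be set with policy=force, yet the libvirt.changes entry in this commit records only that the two feature bits were added. A reader of the package changelog could conclude that every guest is covered for CVE-2018-3639 once the package is updated, which the patch itself says is not the case on older QEMU. I would extend the changelog bullet with a line such as `  host-model guests need QEMU >= 2.9.0 or policy=force for virt-ssbd`. The cpu_map.xml hunk bodies inside both new patch files show no content in this rendering, presumably because the XML feature elements were stripped on extraction, so the CPUID register and bit definitions themselves cannot be checked here.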