On Wed, Jan 10, 2018 at 11:22:12 +0000, Daniel P. Berrange wrote:
On Tue, Jan 09, 2018 at 11:45:13PM +0100, Jiri Denemark wrote:
> This is the libvirt's part of the changes related to CVE-2017-5715. The
> new models can be used to pass the protective CPU features to guests.
> But remember, the host CPU microcode, host kernel, QEMU, and libvirt all
> need to be updated for this to be any useful.
>
> Based on a patch from Paolo Bonzini.
You likely also want this pre-requisite series for libvirt:
https://www.redhat.com/archives/libvir-list/2018-January/msg00114.html
This ensures libvirt's cache of QEMU CPU model info is updated when the
host CPU microcode changes. Without that patch, libvirt might not pick
up the changed QEMU CPU models if the microcode update RPM was installed
after the updated QEMU RPM.
Oh yes, I wanted to mention this, but I forgot to do so :(
You may also need some patches from another series (which I've just
pushed):
https://www.redhat.com/archives/libvir-list/2018-January/msg00237.html
The first patch is needed for all the new tests to pass.
And the third patch is needed if the new CPU models are defined via
inheritance rather than from scratch. This is not an issue for the
patches in this series, but some downstreams might have decided to do
just that.
Jirka