[libvirt] [PATCH 0/2] Mitigation for Microarchitectural Data Sampling CPU flaws
This series introduces the libvirt side of mitigations for Microarchitectural Data Sampling microprocessor flaws (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091) which were published earlier today. To protect your system against possible attacks exploiting these flaws updates to the CPU microcode, Linux kernel, and virtualization stack (QEMU, libvirt, and higher management apps) are required. See https://access.redhat.com/security/vulnerabilities/mds for more details and additional links. Both patches have already been pushed. Jiri Denemark (2): cputest: Add data for Intel(R) Xeon(R) CPU E3-1225 v5 cpu_map: Define md-clear CPUID bit src/cpu_map/x86_features.xml | 3 + tests/cputest.c | 1 + .../x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml | 7 + .../x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml | 8 + .../x86_64-cpuid-Xeon-E3-1225-v5-guest.xml | 29 + .../x86_64-cpuid-Xeon-E3-1225-v5-host.xml | 30 + .../x86_64-cpuid-Xeon-E3-1225-v5-json.xml | 12 + .../x86_64-cpuid-Xeon-E3-1225-v5.json | 652 ++++++++++++++++++ .../x86_64-cpuid-Xeon-E3-1225-v5.sig | 4 + .../x86_64-cpuid-Xeon-E3-1225-v5.xml | 47 ++ .../x86_64-cpuid-Xeon-Platinum-8268-guest.xml | 1 + .../x86_64-cpuid-Xeon-Platinum-8268-host.xml | 1 + 12 files changed, 795 insertions(+) create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml -- 2.21.0
Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- tests/cputest.c | 1 + .../x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml | 7 + .../x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml | 8 + .../x86_64-cpuid-Xeon-E3-1225-v5-guest.xml | 28 + .../x86_64-cpuid-Xeon-E3-1225-v5-host.xml | 29 + .../x86_64-cpuid-Xeon-E3-1225-v5-json.xml | 11 + .../x86_64-cpuid-Xeon-E3-1225-v5.json | 652 ++++++++++++++++++ .../x86_64-cpuid-Xeon-E3-1225-v5.sig | 4 + .../x86_64-cpuid-Xeon-E3-1225-v5.xml | 47 ++ 9 files changed, 787 insertions(+) create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml diff --git a/tests/cputest.c b/tests/cputest.c index 1ade8091b2..e176739965 100644 --- a/tests/cputest.c +++ b/tests/cputest.c @@ -1272,6 +1272,7 @@ mymain(void) DO_TEST_CPUID(VIR_ARCH_X86_64, "Phenom-B95", JSON_HOST); DO_TEST_CPUID(VIR_ARCH_X86_64, "Ryzen-7-1800X-Eight-Core", JSON_HOST); DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-5110", JSON_NONE); + DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E3-1225-v5", JSON_MODELS); DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E3-1245-v5", JSON_MODELS); DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E5-2609-v3", JSON_MODELS); DO_TEST_CPUID(VIR_ARCH_X86_64, "Xeon-E5-2623-v4", JSON_MODELS); diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml new file mode 100644 index 0000000000..ce51903e53 --- /dev/null +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-disabled.xml @@ -0,0 +1,7 @@ +<!-- Features disabled by QEMU --> +<cpudata arch='x86'> + <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x0800c1fc' edx='0xb0600000'/> + <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x02000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x00000008' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x80000007' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000100'/> +</cpudata> diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml new file mode 100644 index 0000000000..0deca9fba6 --- /dev/null +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml @@ -0,0 +1,8 @@ +<!-- Features enabled by QEMU --> +<cpudata arch='x86'> + <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0xf7fa3203' edx='0x0f8bfbff'/> + <cpuid eax_in='0x00000006' ecx_in='0x00' eax='0x00000004' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000000' edx='0x8c000000'/> + <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x00000007' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/> +</cpudata> diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml new file mode 100644 index 0000000000..70a0fc3286 --- /dev/null +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml @@ -0,0 +1,28 @@ +<cpu mode='custom' match='exact'> + <model fallback='forbid'>Skylake-Client-IBRS</model> + <vendor>Intel</vendor> + <feature policy='require' name='ds'/> + <feature policy='require' name='acpi'/> + <feature policy='require' name='ss'/> + <feature policy='require' name='ht'/> + <feature policy='require' name='tm'/> + <feature policy='require' name='pbe'/> + <feature policy='require' name='dtes64'/> + <feature policy='require' name='monitor'/> + <feature policy='require' name='ds_cpl'/> + <feature policy='require' name='vmx'/> + <feature policy='require' name='smx'/> + <feature policy='require' name='est'/> + <feature policy='require' name='tm2'/> + <feature policy='require' name='xtpr'/> + <feature policy='require' name='pdcm'/> + <feature policy='require' name='osxsave'/> + <feature policy='require' name='tsc_adjust'/> + <feature policy='require' name='clflushopt'/> + <feature policy='require' name='intel-pt'/> + <feature policy='require' name='stibp'/> + <feature policy='require' name='ssbd'/> + <feature policy='require' name='xsaves'/> + <feature policy='require' name='pdpe1gb'/> + <feature policy='require' name='invtsc'/> +</cpu> diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml new file mode 100644 index 0000000000..bbdfb6aa61 --- /dev/null +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml @@ -0,0 +1,29 @@ +<cpu> + <arch>x86_64</arch> + <model>Skylake-Client-IBRS</model> + <vendor>Intel</vendor> + <feature name='ds'/> + <feature name='acpi'/> + <feature name='ss'/> + <feature name='ht'/> + <feature name='tm'/> + <feature name='pbe'/> + <feature name='dtes64'/> + <feature name='monitor'/> + <feature name='ds_cpl'/> + <feature name='vmx'/> + <feature name='smx'/> + <feature name='est'/> + <feature name='tm2'/> + <feature name='xtpr'/> + <feature name='pdcm'/> + <feature name='osxsave'/> + <feature name='tsc_adjust'/> + <feature name='clflushopt'/> + <feature name='intel-pt'/> + <feature name='stibp'/> + <feature name='ssbd'/> + <feature name='xsaves'/> + <feature name='pdpe1gb'/> + <feature name='invtsc'/> +</cpu> diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml new file mode 100644 index 0000000000..1f321db273 --- /dev/null +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml @@ -0,0 +1,11 @@ +<cpu mode='custom' match='exact'> + <model fallback='forbid'>Skylake-Client-IBRS</model> + <vendor>Intel</vendor> + <feature policy='require' name='ss'/> + <feature policy='require' name='hypervisor'/> + <feature policy='require' name='tsc_adjust'/> + <feature policy='require' name='clflushopt'/> + <feature policy='require' name='stibp'/> + <feature policy='require' name='ssbd'/> + <feature policy='require' name='pdpe1gb'/> +</cpu> diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json new file mode 100644 index 0000000000..084747556b --- /dev/null +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.json @@ -0,0 +1,652 @@ +{ + "return": { + "model": { + "name": "base", + "props": { + "phys-bits": 0, + "core-id": -1, + "xlevel": 2147483656, + "cmov": true, + "ia64": false, + "aes": true, + "mmx": true, + "rdpid": false, + "arat": true, + "gfni": false, + "pause-filter": false, + "xsavec": true, + "intel-pt": false, + "osxsave": false, + "hv-frequencies": false, + "tsc-frequency": 0, + "xd": true, + "hv-vendor-id": "", + "kvm-asyncpf": true, + "kvm_asyncpf": true, + "perfctr_core": false, + "perfctr-core": false, + "mpx": true, + "pbe": false, + "decodeassists": false, + "avx512cd": false, + "sse4_1": true, + "sse4.1": true, + "sse4-1": true, + "family": 6, + "legacy-cache": true, + "vmware-cpuid-freq": true, + "avx512f": false, + "msr": true, + "mce": true, + "mca": true, + "hv-runtime": false, + "xcrypt": false, + "thread-id": -1, + "min-level": 13, + "xgetbv1": true, + "cid": false, + "hv-relaxed": false, + "hv-crash": false, + "ds": false, + "fxsr": true, + "xsaveopt": true, + "xtpr": false, + "avx512vl": false, + "avx512-vpopcntdq": false, + "phe": false, + "extapic": false, + "3dnowprefetch": true, + "avx512vbmi2": false, + "cr8legacy": false, + "stibp": true, + "cpuid-0xb": true, + "xcrypt-en": false, + "kvm_pv_eoi": true, + "apic-id": 4294967295, + "pn": false, + "dca": false, + "vendor": "GenuineIntel", + "pku": false, + "smx": false, + "cmp_legacy": false, + "cmp-legacy": false, + "node-id": -1, + "avx512-4fmaps": false, + "vmcb_clean": false, + "vmcb-clean": false, + "3dnowext": false, + "hle": true, + "npt": false, + "memory": "/machine/unattached/system[0]", + "clwb": false, + "lbrv": false, + "adx": true, + "ss": true, + "pni": true, + "svm_lock": false, + "svm-lock": false, + "pfthreshold": false, + "smep": true, + "smap": true, + "x2apic": true, + "avx512vbmi": false, + "avx512vnni": false, + "hv-stimer": false, + "i64": true, + "flushbyasid": false, + "f16c": true, + "ace2-en": false, + "pat": true, + "pae": true, + "sse": true, + "phe-en": false, + "kvm_nopiodelay": true, + "kvm-nopiodelay": true, + "tm": false, + "kvmclock-stable-bit": true, + "hypervisor": true, + "socket-id": -1, + "pcommit": false, + "syscall": true, + "level": 13, + "avx512dq": false, + "svm": false, + "full-cpuid-auto-level": true, + "hv-reset": false, + "invtsc": false, + "sse3": true, + "sse2": true, + "ssbd": true, + "est": false, + "avx512ifma": false, + "tm2": false, + "kvm-pv-eoi": true, + "cx8": true, + "kvm_mmu": false, + "kvm-mmu": false, + "sse4_2": true, + "sse4.2": true, + "sse4-2": true, + "pge": true, + "fill-mtrr-mask": true, + "avx512bitalg": false, + "nodeid_msr": false, + "pdcm": false, + "movbe": true, + "model": 94, + "nrip_save": false, + "nrip-save": false, + "kvm_pv_unhalt": true, + "ssse3": true, + "sse4a": false, + "invpcid": true, + "pdpe1gb": true, + "tsc-deadline": true, + "fma": true, + "cx16": true, + "de": true, + "enforce": false, + "stepping": 3, + "xsave": true, + "clflush": true, + "skinit": false, + "tsc": true, + "tce": false, + "fpu": true, + "ibs": false, + "ds_cpl": false, + "ds-cpl": false, + "host-phys-bits": true, + "fma4": false, + "la57": false, + "osvw": false, + "check": true, + "hv-spinlocks": -1, + "pmu": false, + "pmm": false, + "apic": true, + "spec-ctrl": true, + "min-xlevel2": 0, + "tsc-adjust": true, + "tsc_adjust": true, + "kvm-steal-time": true, + "kvm_steal_time": true, + "kvmclock": true, + "l3-cache": true, + "lwp": false, + "ibpb": false, + "xop": false, + "avx": true, + "ospke": false, + "ace2": false, + "avx512bw": false, + "acpi": false, + "hv-vapic": false, + "fsgsbase": true, + "ht": false, + "nx": true, + "pclmulqdq": true, + "mmxext": false, + "vaes": false, + "popcnt": true, + "xsaves": false, + "tcg-cpuid": true, + "lm": true, + "umip": false, + "pse": true, + "avx2": true, + "sep": true, + "pclmuldq": true, + "virt-ssbd": false, + "x-hv-max-vps": -1, + "nodeid-msr": false, + "md-clear": true, + "kvm": true, + "misalignsse": false, + "min-xlevel": 2147483656, + "kvm-pv-unhalt": true, + "bmi2": true, + "bmi1": true, + "realized": false, + "tsc_scale": false, + "tsc-scale": false, + "topoext": false, + "hv-vpindex": false, + "xlevel2": 0, + "clflushopt": true, + "kvm-no-smi-migration": false, + "monitor": false, + "avx512er": false, + "pmm-en": false, + "pcid": true, + "3dnow": false, + "erms": true, + "lahf-lm": true, + "lahf_lm": true, + "vpclmulqdq": false, + "fxsr-opt": false, + "hv-synic": false, + "xstore": false, + "fxsr_opt": false, + "kvm-hint-dedicated": false, + "rtm": true, + "lmce": true, + "hv-time": false, + "perfctr-nb": false, + "perfctr_nb": false, + "ffxsr": false, + "rdrand": true, + "rdseed": true, + "avx512-4vnniw": false, + "vmx": false, + "vme": true, + "dtes64": false, + "mtrr": true, + "rdtscp": true, + "pse36": true, + "kvm-pv-tlb-flush": false, + "tbm": false, + "wdt": false, + "pause_filter": false, + "sha-ni": false, + "model-id": "Intel(R) Xeon(R) CPU E3-1225 v5 @ 3.30GHz", + "abm": true, + "avx512pf": false, + "xstore-en": false + } + } + }, + "id": "model-expansion" +} + +{ + "return": [ + { + "name": "max", + "typename": "max-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": false + }, + { + "name": "host", + "typename": "host-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": false + }, + { + "name": "base", + "typename": "base-x86_64-cpu", + "unavailable-features": [], + "static": true, + "migration-safe": true + }, + { + "name": "qemu64", + "typename": "qemu64-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "qemu32", + "typename": "qemu32-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "phenom", + "typename": "phenom-x86_64-cpu", + "unavailable-features": [ + "mmxext", + "fxsr-opt", + "3dnowext", + "3dnow", + "sse4a", + "npt" + ], + "static": false, + "migration-safe": true + }, + { + "name": "pentium3", + "typename": "pentium3-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "pentium2", + "typename": "pentium2-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "pentium", + "typename": "pentium-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "n270", + "typename": "n270-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "kvm64", + "typename": "kvm64-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "kvm32", + "typename": "kvm32-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "cpu64-rhel6", + "typename": "cpu64-rhel6-x86_64-cpu", + "unavailable-features": [ + "sse4a" + ], + "static": false, + "migration-safe": true + }, + { + "name": "coreduo", + "typename": "coreduo-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "core2duo", + "typename": "core2duo-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "athlon", + "typename": "athlon-x86_64-cpu", + "unavailable-features": [ + "mmxext", + "3dnowext", + "3dnow" + ], + "static": false, + "migration-safe": true + }, + { + "name": "Westmere", + "typename": "Westmere-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "Westmere-IBRS", + "typename": "Westmere-IBRS-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "Skylake-Server", + "typename": "Skylake-Server-x86_64-cpu", + "unavailable-features": [ + "avx512f", + "avx512dq", + "clwb", + "avx512cd", + "avx512bw", + "avx512vl", + "avx512f", + "avx512f", + "avx512f" + ], + "static": false, + "migration-safe": true + }, + { + "name": "Skylake-Server-IBRS", + "typename": "Skylake-Server-IBRS-x86_64-cpu", + "unavailable-features": [ + "avx512f", + "avx512dq", + "clwb", + "avx512cd", + "avx512bw", + "avx512vl", + "avx512f", + "avx512f", + "avx512f" + ], + "static": false, + "migration-safe": true + }, + { + "name": "Skylake-Client", + "typename": "Skylake-Client-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "Skylake-Client-IBRS", + "typename": "Skylake-Client-IBRS-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "SandyBridge", + "typename": "SandyBridge-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "SandyBridge-IBRS", + "typename": "SandyBridge-IBRS-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "Penryn", + "typename": "Penryn-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "Opteron_G5", + "typename": "Opteron_G5-x86_64-cpu", + "unavailable-features": [ + "sse4a", + "misalignsse", + "xop", + "fma4", + "tbm" + ], + "static": false, + "migration-safe": true + }, + { + "name": "Opteron_G4", + "typename": "Opteron_G4-x86_64-cpu", + "unavailable-features": [ + "sse4a", + "misalignsse", + "xop", + "fma4" + ], + "static": false, + "migration-safe": true + }, + { + "name": "Opteron_G3", + "typename": "Opteron_G3-x86_64-cpu", + "unavailable-features": [ + "sse4a", + "misalignsse" + ], + "static": false, + "migration-safe": true + }, + { + "name": "Opteron_G2", + "typename": "Opteron_G2-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "Opteron_G1", + "typename": "Opteron_G1-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "Nehalem", + "typename": "Nehalem-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "Nehalem-IBRS", + "typename": "Nehalem-IBRS-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "IvyBridge", + "typename": "IvyBridge-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "IvyBridge-IBRS", + "typename": "IvyBridge-IBRS-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "Haswell", + "typename": "Haswell-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "Haswell-noTSX", + "typename": "Haswell-noTSX-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "Haswell-noTSX-IBRS", + "typename": "Haswell-noTSX-IBRS-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "Haswell-IBRS", + "typename": "Haswell-IBRS-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "EPYC", + "typename": "EPYC-x86_64-cpu", + "unavailable-features": [ + "sha-ni", + "mmxext", + "fxsr-opt", + "cr8legacy", + "sse4a", + "misalignsse", + "osvw" + ], + "static": false, + "migration-safe": true + }, + { + "name": "EPYC-IBPB", + "typename": "EPYC-IBPB-x86_64-cpu", + "unavailable-features": [ + "sha-ni", + "mmxext", + "fxsr-opt", + "cr8legacy", + "sse4a", + "misalignsse", + "osvw", + "ibpb" + ], + "static": false, + "migration-safe": true + }, + { + "name": "Conroe", + "typename": "Conroe-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "Broadwell", + "typename": "Broadwell-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "Broadwell-noTSX", + "typename": "Broadwell-noTSX-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "Broadwell-noTSX-IBRS", + "typename": "Broadwell-noTSX-IBRS-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "Broadwell-IBRS", + "typename": "Broadwell-IBRS-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + }, + { + "name": "486", + "typename": "486-x86_64-cpu", + "unavailable-features": [], + "static": false, + "migration-safe": true + } + ], + "id": "definitions" +} diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig new file mode 100644 index 0000000000..7e57c2ded6 --- /dev/null +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.sig @@ -0,0 +1,4 @@ +0506e3 +family: 6 (0x06) +model: 94 (0x5e) +stepping: 3 (0x03) diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml new file mode 100644 index 0000000000..437429d61d --- /dev/null +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5.xml @@ -0,0 +1,47 @@ +<!-- Intel(R) Xeon(R) CPU E3-1225 v5 @ 3.30GHz --> +<cpudata arch='x86'> + <cpuid eax_in='0x00000000' ecx_in='0x00' eax='0x00000016' ebx='0x756e6547' ecx='0x6c65746e' edx='0x49656e69'/> + <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x000506e3' ebx='0x06100800' ecx='0x7ffafbff' edx='0xbfebfbff'/> + <cpuid eax_in='0x00000002' ecx_in='0x00' eax='0x76036301' ebx='0x00f0b6ff' ecx='0x00000000' edx='0x00c30000'/> + <cpuid eax_in='0x00000003' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x00000004' ecx_in='0x00' eax='0x1c004121' ebx='0x01c0003f' ecx='0x0000003f' edx='0x00000000'/> + <cpuid eax_in='0x00000004' ecx_in='0x01' eax='0x1c004122' ebx='0x01c0003f' ecx='0x0000003f' edx='0x00000000'/> + <cpuid eax_in='0x00000004' ecx_in='0x02' eax='0x1c004143' ebx='0x00c0003f' ecx='0x000003ff' edx='0x00000000'/> + <cpuid eax_in='0x00000004' ecx_in='0x03' eax='0x1c03c163' ebx='0x03c0003f' ecx='0x00001fff' edx='0x00000006'/> + <cpuid eax_in='0x00000005' ecx_in='0x00' eax='0x00000040' ebx='0x00000040' ecx='0x00000003' edx='0x00142120'/> + <cpuid eax_in='0x00000006' ecx_in='0x00' eax='0x000027f7' ebx='0x00000002' ecx='0x00000009' edx='0x00000000'/> + <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x029c6fbf' ecx='0x00000000' edx='0x9c002400'/> + <cpuid eax_in='0x00000008' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x00000009' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x0000000a' ecx_in='0x00' eax='0x07300804' ebx='0x00000000' ecx='0x00000000' edx='0x00000603'/> + <cpuid eax_in='0x0000000b' ecx_in='0x00' eax='0x00000001' ebx='0x00000001' ecx='0x00000100' edx='0x00000006'/> + <cpuid eax_in='0x0000000b' ecx_in='0x01' eax='0x00000004' ebx='0x00000004' ecx='0x00000201' edx='0x00000006'/> + <cpuid eax_in='0x0000000c' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x0000000d' ecx_in='0x00' eax='0x0000001f' ebx='0x00000440' ecx='0x00000440' edx='0x00000000'/> + <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x0000000f' ebx='0x000003c0' ecx='0x00000100' edx='0x00000000'/> + <cpuid eax_in='0x0000000d' ecx_in='0x02' eax='0x00000100' ebx='0x00000240' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x0000000d' ecx_in='0x03' eax='0x00000040' ebx='0x000003c0' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x0000000d' ecx_in='0x04' eax='0x00000040' ebx='0x00000400' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x0000000d' ecx_in='0x08' eax='0x00000080' ebx='0x00000000' ecx='0x00000001' edx='0x00000000'/> + <cpuid eax_in='0x0000000e' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x0000000f' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x00000010' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x00000011' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x00000012' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x00000013' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x00000014' ecx_in='0x00' eax='0x00000001' ebx='0x0000000f' ecx='0x00000007' edx='0x00000000'/> + <cpuid eax_in='0x00000014' ecx_in='0x01' eax='0x02490002' ebx='0x003f3fff' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x00000015' ecx_in='0x00' eax='0x00000002' ebx='0x00000114' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x00000016' ecx_in='0x00' eax='0x00000ce4' ebx='0x00000e74' ecx='0x00000064' edx='0x00000000'/> + <cpuid eax_in='0x80000000' ecx_in='0x00' eax='0x80000008' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/> + <cpuid eax_in='0x80000002' ecx_in='0x00' eax='0x65746e49' ebx='0x2952286c' ecx='0x6f655820' edx='0x2952286e'/> + <cpuid eax_in='0x80000003' ecx_in='0x00' eax='0x55504320' ebx='0x2d334520' ecx='0x35323231' edx='0x20357620'/> + <cpuid eax_in='0x80000004' ecx_in='0x00' eax='0x2e332040' ebx='0x48473033' ecx='0x0000007a' edx='0x00000000'/> + <cpuid eax_in='0x80000005' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x80000006' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x01006040' edx='0x00000000'/> + <cpuid eax_in='0x80000007' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000000' edx='0x00000100'/> + <cpuid eax_in='0x80000008' ecx_in='0x00' eax='0x00003027' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> + <cpuid eax_in='0x80860000' ecx_in='0x00' eax='0x00000ce4' ebx='0x00000e74' ecx='0x00000064' edx='0x00000000'/> + <cpuid eax_in='0xc0000000' ecx_in='0x00' eax='0x00000ce4' ebx='0x00000e74' ecx='0x00000064' edx='0x00000000'/> +</cpudata> -- 2.21.0
CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 The bit is set when microcode provides the mechanism to invoke a flush of various exploitable CPU buffers by invoking the VERW instruction. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Jiri Denemark <jdenemar@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> --- src/cpu_map/x86_features.xml | 3 +++ tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml | 2 +- tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml | 1 + tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml | 1 + tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml | 1 + tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml | 1 + tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml | 1 + 7 files changed, 9 insertions(+), 1 deletion(-) diff --git a/src/cpu_map/x86_features.xml b/src/cpu_map/x86_features.xml index efcc10b1ae..370807f88e 100644 --- a/src/cpu_map/x86_features.xml +++ b/src/cpu_map/x86_features.xml @@ -320,6 +320,9 @@ <feature name='avx512-4fmaps'> <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000008'/> </feature> + <feature name='md-clear'> <!-- md_clear --> + <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000400'/> + </feature> <feature name='pconfig'> <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00040000'/> </feature> diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml index 0deca9fba6..74763a462b 100644 --- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-enabled.xml @@ -2,7 +2,7 @@ <cpudata arch='x86'> <cpuid eax_in='0x00000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0xf7fa3203' edx='0x0f8bfbff'/> <cpuid eax_in='0x00000006' ecx_in='0x00' eax='0x00000004' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> - <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000000' edx='0x8c000000'/> + <cpuid eax_in='0x00000007' ecx_in='0x00' eax='0x00000000' ebx='0x009c4fbb' ecx='0x00000000' edx='0x8c000400'/> <cpuid eax_in='0x0000000d' ecx_in='0x01' eax='0x00000007' ebx='0x00000000' ecx='0x00000000' edx='0x00000000'/> <cpuid eax_in='0x80000001' ecx_in='0x00' eax='0x00000000' ebx='0x00000000' ecx='0x00000121' edx='0x2c100800'/> </cpudata> diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml index 70a0fc3286..867970d2c7 100644 --- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-guest.xml @@ -20,6 +20,7 @@ <feature policy='require' name='tsc_adjust'/> <feature policy='require' name='clflushopt'/> <feature policy='require' name='intel-pt'/> + <feature policy='require' name='md-clear'/> <feature policy='require' name='stibp'/> <feature policy='require' name='ssbd'/> <feature policy='require' name='xsaves'/> diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml index bbdfb6aa61..e7ced42797 100644 --- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-host.xml @@ -21,6 +21,7 @@ <feature name='tsc_adjust'/> <feature name='clflushopt'/> <feature name='intel-pt'/> + <feature name='md-clear'/> <feature name='stibp'/> <feature name='ssbd'/> <feature name='xsaves'/> diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml index 1f321db273..a5591278df 100644 --- a/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml +++ b/tests/cputestdata/x86_64-cpuid-Xeon-E3-1225-v5-json.xml @@ -5,6 +5,7 @@ <feature policy='require' name='hypervisor'/> <feature policy='require' name='tsc_adjust'/> <feature policy='require' name='clflushopt'/> + <feature policy='require' name='md-clear'/> <feature policy='require' name='stibp'/> <feature policy='require' name='ssbd'/> <feature policy='require' name='pdpe1gb'/> diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml b/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml index cc1fc90c45..c7e8a1fccf 100644 --- a/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml +++ b/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-guest.xml @@ -23,6 +23,7 @@ <feature policy='require' name='intel-pt'/> <feature policy='require' name='pku'/> <feature policy='require' name='ospke'/> + <feature policy='require' name='md-clear'/> <feature policy='require' name='stibp'/> <feature policy='require' name='arch-capabilities'/> <feature policy='require' name='xsaves'/> diff --git a/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml b/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml index dfabdc57c7..d7482751b4 100644 --- a/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml +++ b/tests/cputestdata/x86_64-cpuid-Xeon-Platinum-8268-host.xml @@ -24,6 +24,7 @@ <feature name='intel-pt'/> <feature name='pku'/> <feature name='ospke'/> + <feature name='md-clear'/> <feature name='stibp'/> <feature name='arch-capabilities'/> <feature name='xsaves'/> -- 2.21.0
On Tue, May 14, 2019 at 08:03:48PM +0200, Jiri Denemark wrote:
This series introduces the libvirt side of mitigations for Microarchitectural Data Sampling microprocessor flaws (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091) which were published earlier today.
To protect your system against possible attacks exploiting these flaws updates to the CPU microcode, Linux kernel, and virtualization stack (QEMU, libvirt, and higher management apps) are required.
See https://access.redhat.com/security/vulnerabilities/mds for more details and additional links.
Both patches have already been pushed.
FYI I have pushed cherry picks to v4.7-maint, v5.1-maint, and v5.3-maint which are the versions we have in active Fedora use. I'll see about getting them backported to further maint branches as we have patches from RHEL that should apply fairly easily to quite a few other maint branches upstream. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
participants (2)
-
Daniel P. Berrangé -
Jiri Denemark