[Qemu-devel] [PATCH 0/2] x86/cpu: add "md-clear" feature for MDS security flaws

All of lore.kernel.org
 help / color / mirror / Atom feed

* [Qemu-devel] [PATCH 0/2] x86/cpu: add "md-clear" feature for MDS security flaws
@ 2019-05-15 14:10 Daniel P. Berrangé
  2019-05-15 14:10 ` [Qemu-devel] [PATCH 1/2] target/i386: define md-clear bit Daniel P. Berrangé
  2019-05-15 14:10 ` [Qemu-devel] [PATCH 2/2] docs: recommend use of md-clear feature on all Intel CPUs Daniel P. Berrangé
  0 siblings, 2 replies; 3+ messages in thread
From: Daniel P. Berrangé @ 2019-05-15 14:10 UTC (permalink / raw)
  To: qemu-devel
  Cc: Paolo Bonzini, Daniel P. Berrangé, Eduardo Habkost,
	Richard Henderson

This patch series provides the new "md-clear" feature that is used
for mitigation with CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
CVE-2019-11091.

Assuming you have the updated microcode and kernel to support the
md-clear feature, then using "-cpu host" will expose the new
feature to guests. For named CPU models, it must be explicitly
added eg "-cpu Haswell,+md-clear"

The first patch from Paolo is what most distros will already be
shipping with their security updates for this issue.

Daniel P. Berrangé (1):
  docs: recommend use of md-clear feature on all Intel CPUs

Paolo Bonzini (1):
  target/i386: define md-clear bit

 docs/qemu-cpu-models.texi | 12 ++++++++++++
 target/i386/cpu.c         |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

-- 
2.21.0

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [Qemu-devel] [PATCH 1/2] target/i386: define md-clear bit
  2019-05-15 14:10 [Qemu-devel] [PATCH 0/2] x86/cpu: add "md-clear" feature for MDS security flaws Daniel P. Berrangé
@ 2019-05-15 14:10 ` Daniel P. Berrangé
  2019-05-15 14:10 ` [Qemu-devel] [PATCH 2/2] docs: recommend use of md-clear feature on all Intel CPUs Daniel P. Berrangé
  1 sibling, 0 replies; 3+ messages in thread
From: Daniel P. Berrangé @ 2019-05-15 14:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: Paolo Bonzini, Eduardo Habkost, Richard Henderson

From: Paolo Bonzini <pbonzini@redhat.com>

md-clear is a new CPUID bit which is set when microcode provides the
mechanism to invoke a flush of various exploitable CPU buffers by invoking
the VERW instruction.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 target/i386/cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 722c5514d4..4fa67bcfaf 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1077,7 +1077,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
         .feat_names = {
             NULL, NULL, "avx512-4vnniw", "avx512-4fmaps",
             NULL, NULL, NULL, NULL,
-            NULL, NULL, NULL, NULL,
+            NULL, NULL, "md-clear", NULL,
             NULL, NULL, NULL, NULL,
             NULL, NULL, NULL, NULL,
             NULL, NULL, NULL, NULL,
-- 
2.21.0



^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [Qemu-devel] [PATCH 2/2] docs: recommend use of md-clear feature on all Intel CPUs
  2019-05-15 14:10 [Qemu-devel] [PATCH 0/2] x86/cpu: add "md-clear" feature for MDS security flaws Daniel P. Berrangé
  2019-05-15 14:10 ` [Qemu-devel] [PATCH 1/2] target/i386: define md-clear bit Daniel P. Berrangé
@ 2019-05-15 14:10 ` Daniel P. Berrangé
  1 sibling, 0 replies; 3+ messages in thread
From: Daniel P. Berrangé @ 2019-05-15 14:10 UTC (permalink / raw)
  To: qemu-devel
  Cc: Paolo Bonzini, Daniel P. Berrangé, Eduardo Habkost,
	Richard Henderson

Update x86 CPU model guidance to recommend that the md-clear feature is
manually enabled with all Intel CPU models, when supported by the host
microcode.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 docs/qemu-cpu-models.texi | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/docs/qemu-cpu-models.texi b/docs/qemu-cpu-models.texi
index 23c11dc86f..ad040cfc98 100644
--- a/docs/qemu-cpu-models.texi
+++ b/docs/qemu-cpu-models.texi
@@ -200,6 +200,18 @@ Not included by default in any Intel CPU model.
 Should be explicitly turned on for all Intel CPU models.
 
 Note that not all CPU hardware will support this feature.
+
+@item @code{md-clear}
+
+Required to confirm the MDS (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
+CVE-2019-11091) fixes.
+
+Not included by default in any Intel CPU model.
+
+Must be explicitly turned on for all Intel CPU models.
+
+Requires the host CPU microcode to support this feature before it
+can be used for guest CPUs.
 @end table
 
 
-- 
2.21.0



^ permalink raw reply related	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2019-05-15 14:13 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-05-15 14:10 [Qemu-devel] [PATCH 0/2] x86/cpu: add "md-clear" feature for MDS security flaws Daniel P. Berrangé
2019-05-15 14:10 ` [Qemu-devel] [PATCH 1/2] target/i386: define md-clear bit Daniel P. Berrangé
2019-05-15 14:10 ` [Qemu-devel] [PATCH 2/2] docs: recommend use of md-clear feature on all Intel CPUs Daniel P. Berrangé

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.