qemu-devel.nongnu.org archive mirror
* [Qemu-devel] [PATCH 0/2] x86/cpu: add "md-clear" feature for MDS security flaws
@ 2019-05-15 14:10 Daniel P. Berrangé
  2019-05-15 14:10 ` [Qemu-devel] [PATCH 1/2] target/i386: define md-clear bit Daniel P. Berrangé
  2019-05-15 14:10 ` [Qemu-devel] [PATCH 2/2] docs: recommend use of md-clear feature on all Intel CPUs Daniel P. Berrangé
  0 siblings, 2 replies; 3+ messages in thread
From: Daniel P. Berrangé @ 2019-05-15 14:10 UTC (permalink / raw)
  To: qemu-devel
  Cc: Paolo Bonzini, Daniel P. Berrangé, Eduardo Habkost,
	Richard Henderson

This patch series provides the new "md-clear" feature that is used
for mitigation of CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
CVE-2019-11091.

Assuming you have the updated microcode and kernel to support the
md-clear feature, then using "-cpu host" will expose the new
feature to guests. For named CPU models, it must be explicitly
added, e.g. "-cpu Haswell,+md-clear".

The first patch from Paolo is what most distros will already be
shipping with their security updates for this issue.

Daniel P. Berrangé (1):
  docs: recommend use of md-clear feature on all Intel CPUs

Paolo Bonzini (1):
  target/i386: define md-clear bit

 docs/qemu-cpu-models.texi | 12 ++++++++++++
 target/i386/cpu.c         |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

-- 
2.21.0
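
An added example, not part of the original post or of QEMU: a small audit that applies the cover letter's rule to QEMU command lines and reports whether each guest is given md-clear. The command lines are constructed samples, the state names are this example's own, and only the "+md-clear" / "md-clear=on" and "-md-clear" / "md-clear=off" spellings are recognised; "host" means the feature is inherited only if the host microcode and kernel provide it.

```python
import shlex

FEATURE = "md-clear"  # feature name introduced by this patch series

# Constructed sample command lines (not taken from the thread).
SAMPLE = {
    "vm-a": "qemu-system-x86_64 -enable-kvm -cpu host -m 2048",
    "vm-b": "qemu-system-x86_64 -cpu Haswell,+md-clear -m 2048",
    "vm-c": "qemu-system-x86_64 -cpu Haswell-noTSX,+spec-ctrl -m 4096",
    "vm-d": "qemu-system-x86_64 -cpu Skylake-Server,md-clear=on,-md-clear",
    "vm-e": "qemu-system-x86_64 -m 1024",
}

def cpu_arg(cmdline):
    """Return the value that follows -cpu, or None if -cpu is absent."""
    argv = shlex.split(cmdline)
    for i, tok in enumerate(argv[:-1]):
        if tok == "-cpu":
            return argv[i + 1]
    return None

def md_clear_state(cpu):
    """Classify a -cpu value as 'on', 'off', 'host', 'missing' or 'conflict'."""
    model, *props = cpu.split(",")
    seen = set()
    for p in props:
        if p in ("+" + FEATURE, FEATURE + "=on"):
            seen.add("on")
        elif p in ("-" + FEATURE, FEATURE + "=off"):
            seen.add("off")
    if len(seen) == 2:
        # Both enable and disable given: flag it instead of guessing precedence.
        return "conflict"
    if seen:
        return seen.pop()
    # Named models do not include the feature; "host" passes through host support.
    return "host" if model == "host" else "missing"

def audit(vms):
    """Map each VM name to its md-clear state, or 'no-cpu-arg'."""
    report = {}
    for name, cmdline in vms.items():
        cpu = cpu_arg(cmdline)
        report[name] = "no-cpu-arg" if cpu is None else md_clear_state(cpu)
    return report

if __name__ == "__main__":
    for name, state in audit(SAMPLE).items():
        print(f"{name}: {state}")
```

Guests reported as "missing", "off", "conflict" or "no-cpu-arg" are the ones to review against the guidance above.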




* [Qemu-devel] [PATCH 1/2] target/i386: define md-clear bit
  2019-05-15 14:10 [Qemu-devel] [PATCH 0/2] x86/cpu: add "md-clear" feature for MDS security flaws Daniel P. Berrangé
@ 2019-05-15 14:10 ` Daniel P. Berrangé
  2019-05-15 14:10 ` [Qemu-devel] [PATCH 2/2] docs: recommend use of md-clear feature on all Intel CPUs Daniel P. Berrangé
  1 sibling, 0 replies; 3+ messages in thread
From: Daniel P. Berrangé @ 2019-05-15 14:10 UTC (permalink / raw)
  To: qemu-devel; +Cc: Paolo Bonzini, Eduardo Habkost, Richard Henderson

From: Paolo Bonzini <pbonzini@redhat.com>

md-clear is a new CPUID bit which is set when microcode provides the
mechanism to invoke a flush of various exploitable CPU buffers by invoking
the VERW instruction.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 target/i386/cpu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 722c5514d4..4fa67bcfaf 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -1077,7 +1077,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
         .feat_names = {
             NULL, NULL, "avx512-4vnniw", "avx512-4fmaps",
             NULL, NULL, NULL, NULL,
-            NULL, NULL, NULL, NULL,
+            NULL, NULL, "md-clear", NULL,
             NULL, NULL, NULL, NULL,
             NULL, NULL, NULL, NULL,
             NULL, NULL, NULL, NULL,
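Review bot: the commit message calls md-clear "a new CPUID bit" but neither it nor this hunk says which CPUID leaf, register and bit number is meant; the only record is the string's position in feat_names (third row, third entry, i.e. index 10). Please state the leaf, register and bit in the commit message so the index can be checked against the vendor documentation, since an off-by-one in this table would silently attach the name to a different bit.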
-- 
2.21.0




* [Qemu-devel] [PATCH 2/2] docs: recommend use of md-clear feature on all Intel CPUs
  2019-05-15 14:10 [Qemu-devel] [PATCH 0/2] x86/cpu: add "md-clear" feature for MDS security flaws Daniel P. Berrangé
  2019-05-15 14:10 ` [Qemu-devel] [PATCH 1/2] target/i386: define md-clear bit Daniel P. Berrangé
@ 2019-05-15 14:10 ` Daniel P. Berrangé
  1 sibling, 0 replies; 3+ messages in thread
From: Daniel P. Berrangé @ 2019-05-15 14:10 UTC (permalink / raw)
  To: qemu-devel
  Cc: Paolo Bonzini, Daniel P. Berrangé, Eduardo Habkost,
	Richard Henderson

Update x86 CPU model guidance to recommend that the md-clear feature is
manually enabled with all Intel CPU models, when supported by the host
microcode.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 docs/qemu-cpu-models.texi | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/docs/qemu-cpu-models.texi b/docs/qemu-cpu-models.texi
index 23c11dc86f..ad040cfc98 100644
--- a/docs/qemu-cpu-models.texi
+++ b/docs/qemu-cpu-models.texi
@@ -200,6 +200,18 @@ Not included by default in any Intel CPU model.
 Should be explicitly turned on for all Intel CPU models.
 
 Note that not all CPU hardware will support this feature.
+
+@item @code{md-clear}
+
+Required to confirm the MDS (CVE-2018-12126, CVE-2018-12127, CVE-2018-12130,
+CVE-2019-11091) fixes.
+
+Not included by default in any Intel CPU model.
+
+Must be explicitly turned on for all Intel CPU models.
+
+Requires the host CPU microcode to support this feature before it
+can be used for guest CPUs.
 @end table
 
 
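Review bot: "Required to confirm the MDS ... fixes" in the new @item does not say what the bit tells the guest; going by patch 1/2 it signals that the microcode provides the VERW-based buffer flush, so wording along the lines of "Required for the guest to detect and use the MDS mitigation" would be clearer. The entry also says "Must be explicitly turned on" where the preceding entry's context line says "Should be", and it does not mention that "-cpu host" exposes the feature without an explicit flag, as the cover letter states; consider aligning the wording and adding that case.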
-- 
2.21.0


