[libvirt] [PATCH 00/17] CPU models and features for Spectre, CVE-2017-5715

Daniel P. Berrange berrange at redhat.com
Wed Jan 10 11:22:12 UTC 2018


On Tue, Jan 09, 2018 at 11:45:13PM +0100, Jiri Denemark wrote:
> This is libvirt's part of the changes related to CVE-2017-5715. The
> new models can be used to pass the protective CPU features to guests.
> But remember, the host CPU microcode, host kernel, QEMU, and libvirt all
> need to be updated for this to be of any use.
> 
> Based on a patch from Paolo Bonzini.

You likely also want this pre-requisite series for libvirt:

  https://www.redhat.com/archives/libvir-list/2018-January/msg00114.html

This ensures libvirt's cache of QEMU CPU model info is updated when the
host CPU microcode changes. Without that patch, libvirt might not pick
up the changed QEMU CPU models if the microcode update RPM was installed
after the updated QEMU RPM.

> 
> See QEMU patches from Eduardo for more details:
> https://patchew.org/QEMU/20180109154519.25634-1-ehabkost@redhat.com/
> 
> Jiri Denemark (16):
>   cputest: Add data for Intel(R) Xeon(R) CPU E5-2609 v3
>   cputest: Add data for Intel(R) Xeon(R) CPU E5-2623 v4
>   cputest: Add data for Intel(R) Xeon(R) Gold 5115 CPU
>   cputest: Add data for updated AMD EPYC 7601 32-Core Processor
>   cputest: Add data for updated Intel(R) Core(TM) i7-5600U CPU
>   cpu: Add Nehalem-IBRS CPU model
>   cpu: Add Westmere-IBRS CPU model
>   cpu: Add SandyBridge-IBRS CPU model
>   cpu: Add IvyBridge-IBRS CPU model
>   cpu: Add Haswell-noTSX-IBRS CPU model
>   cpu: Add Haswell-IBRS CPU model
>   cpu: Add Broadwell-noTSX-IBRS CPU model
>   cpu: Add Broadwell-IBRS CPU model
>   cpu: Add Skylake-Client-IBRS CPU model
>   cpu: Add Skylake-Server-IBRS CPU model
>   cpu: Add EPYC-IBPB CPU model
> 
> Paolo Bonzini (1):
>   cpu: add CPU features for indirect branch prediction protection
> 
>  src/cpu/cpu_map.xml                                | 622 ++++++++++++++++++
>  tests/cputest.c                                    |   5 +
>  .../x86_64-cpuid-Core-i7-5600U-ibrs-disabled.xml   |   6 +
>  .../x86_64-cpuid-Core-i7-5600U-ibrs-enabled.xml    |   8 +
>  .../x86_64-cpuid-Core-i7-5600U-ibrs-guest.xml      |  29 +
>  .../x86_64-cpuid-Core-i7-5600U-ibrs-host.xml       |  30 +
>  .../x86_64-cpuid-Core-i7-5600U-ibrs-json.xml       |  15 +
>  .../x86_64-cpuid-Core-i7-5600U-ibrs.json           | 525 +++++++++++++++
>  .../x86_64-cpuid-Core-i7-5600U-ibrs.xml            |  41 ++
>  ...86_64-cpuid-EPYC-7601-32-Core-ibpb-disabled.xml |   7 +
>  ...x86_64-cpuid-EPYC-7601-32-Core-ibpb-enabled.xml |   9 +
>  .../x86_64-cpuid-EPYC-7601-32-Core-ibpb-guest.xml  |  17 +
>  .../x86_64-cpuid-EPYC-7601-32-Core-ibpb-host.xml   |  17 +
>  .../x86_64-cpuid-EPYC-7601-32-Core-ibpb-json.xml   |  12 +
>  .../x86_64-cpuid-EPYC-7601-32-Core-ibpb.json       | 722 ++++++++++++++++++++
>  .../x86_64-cpuid-EPYC-7601-32-Core-ibpb.xml        |  54 ++
>  .../x86_64-cpuid-Xeon-E5-2609-v3-disabled.xml      |   6 +
>  .../x86_64-cpuid-Xeon-E5-2609-v3-enabled.xml       |   8 +
>  .../x86_64-cpuid-Xeon-E5-2609-v3-guest.xml         |  31 +
>  .../x86_64-cpuid-Xeon-E5-2609-v3-host.xml          |  32 +
>  .../x86_64-cpuid-Xeon-E5-2609-v3-json.xml          |  14 +
>  .../cputestdata/x86_64-cpuid-Xeon-E5-2609-v3.json  | 726 +++++++++++++++++++++
>  tests/cputestdata/x86_64-cpuid-Xeon-E5-2609-v3.xml |  37 ++
>  .../x86_64-cpuid-Xeon-E5-2623-v4-disabled.xml      |   7 +
>  .../x86_64-cpuid-Xeon-E5-2623-v4-enabled.xml       |   8 +
>  .../x86_64-cpuid-Xeon-E5-2623-v4-guest.xml         |  30 +
>  .../x86_64-cpuid-Xeon-E5-2623-v4-host.xml          |  34 +
>  .../x86_64-cpuid-Xeon-E5-2623-v4-json.xml          |  11 +
>  .../cputestdata/x86_64-cpuid-Xeon-E5-2623-v4.json  | 662 +++++++++++++++++++
>  tests/cputestdata/x86_64-cpuid-Xeon-E5-2623-v4.xml |  43 ++
>  .../x86_64-cpuid-Xeon-Gold-5115-disabled.xml       |   8 +
>  .../x86_64-cpuid-Xeon-Gold-5115-enabled.xml        |   8 +
>  .../x86_64-cpuid-Xeon-Gold-5115-guest.xml          |  29 +
>  .../x86_64-cpuid-Xeon-Gold-5115-host.xml           |  30 +
>  .../x86_64-cpuid-Xeon-Gold-5115-json.xml           |   8 +
>  tests/cputestdata/x86_64-cpuid-Xeon-Gold-5115.json | 614 +++++++++++++++++
>  tests/cputestdata/x86_64-cpuid-Xeon-Gold-5115.xml  |  54 ++
>  37 files changed, 4519 insertions(+)
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Core-i7-5600U-ibrs-disabled.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Core-i7-5600U-ibrs-enabled.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Core-i7-5600U-ibrs-guest.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Core-i7-5600U-ibrs-host.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Core-i7-5600U-ibrs-json.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Core-i7-5600U-ibrs.json
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Core-i7-5600U-ibrs.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-EPYC-7601-32-Core-ibpb-disabled.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-EPYC-7601-32-Core-ibpb-enabled.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-EPYC-7601-32-Core-ibpb-guest.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-EPYC-7601-32-Core-ibpb-host.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-EPYC-7601-32-Core-ibpb-json.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-EPYC-7601-32-Core-ibpb.json
>  create mode 100644 tests/cputestdata/x86_64-cpuid-EPYC-7601-32-Core-ibpb.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E5-2609-v3-disabled.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E5-2609-v3-enabled.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E5-2609-v3-guest.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E5-2609-v3-host.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E5-2609-v3-json.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E5-2609-v3.json
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E5-2609-v3.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E5-2623-v4-disabled.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E5-2623-v4-enabled.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E5-2623-v4-guest.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E5-2623-v4-host.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E5-2623-v4-json.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E5-2623-v4.json
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-E5-2623-v4.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-Gold-5115-disabled.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-Gold-5115-enabled.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-Gold-5115-guest.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-Gold-5115-host.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-Gold-5115-json.xml
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-Gold-5115.json
>  create mode 100644 tests/cputestdata/x86_64-cpuid-Xeon-Gold-5115.xml
> 
> -- 
> 2.15.1
> 
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
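
As an added example (not part of the original message or of libvirt's code): a small Python audit that classifies a guest definition by whether its `<cpu>` element selects one of the models listed in the cover letter. The feature names `spec-ctrl` and `ibpb`, the status labels and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# CPU models added by this series (names taken from the cover letter).
PATCHED_MODELS = {
    "Nehalem-IBRS", "Westmere-IBRS", "SandyBridge-IBRS", "IvyBridge-IBRS",
    "Haswell-noTSX-IBRS", "Haswell-IBRS", "Broadwell-noTSX-IBRS",
    "Broadwell-IBRS", "Skylake-Client-IBRS", "Skylake-Server-IBRS",
    "EPYC-IBPB",
}
# Assumption: libvirt's names for the protective features (not on this page).
PROTECTIVE_FEATURES = {"spec-ctrl", "ibpb"}


def audit_domain_cpu(domain_xml):
    """Classify how a guest definition exposes the protective CPU features."""
    cpu = ET.fromstring(domain_xml).find("cpu")
    if cpu is None:
        return "missing"          # no <cpu>: hypervisor default model
    if cpu.get("mode", "custom") in ("host-passthrough", "host-model"):
        return "host-dependent"   # follows host microcode/kernel/QEMU/libvirt
    # A feature without a policy attribute is treated as policy='require'.
    policy = {f.get("name"): f.get("policy", "require")
              for f in cpu.findall("feature")
              if f.get("name") in PROTECTIVE_FEATURES}
    if any(p in ("disable", "forbid") for p in policy.values()):
        return "disabled"         # explicitly stripped, even on an -IBRS model
    if (cpu.findtext("model") or "").strip() in PATCHED_MODELS:
        return "patched-model"
    if any(p in ("require", "force") for p in policy.values()):
        return "explicit-feature"
    return "missing"


# Constructed sample guest definitions (trimmed to the <cpu> element).
SAMPLES = {
    "old": "<domain><cpu mode='custom'><model>Haswell</model></cpu></domain>",
    "new": "<domain><cpu mode='custom'><model>Haswell-IBRS</model></cpu></domain>",
    "added": "<domain><cpu mode='custom'><model>Haswell</model>"
             "<feature policy='require' name='spec-ctrl'/></cpu></domain>",
    "stripped": "<domain><cpu mode='custom'><model>EPYC-IBPB</model>"
                "<feature policy='disable' name='ibpb'/></cpu></domain>",
    "passthrough": "<domain><cpu mode='host-passthrough'/></domain>",
}

if __name__ == "__main__":
    for name, xml in SAMPLES.items():
        print(f"{name:12} {audit_domain_cpu(xml)}")
```

Guests reported as `host-dependent` only gain the features once the host microcode, kernel, QEMU and libvirt are all updated, as the cover letter notes.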



