rpms
/
qemu
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

New CPU features for speculative store bypass (CVE-2018-3639) 

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2018-06-18 13:45:14 +01:00
parent 330481bc1c
commit b91dae7a8f
4 changed files with 250 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
0001-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch Normal file
View File

@ -0,0 +1,51 @@
From 7920d78dc80e7206e07f2a35f942e9f33174d251 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Mon, 21 May 2018 22:54:22 +0100
Subject: [PATCH 1/3] i386: define the 'ssbd' CPUID feature bit (CVE-2018-3639)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
New microcode introduces the "Speculative Store Bypass Disable"
CPUID feature bit. This needs to be exposed to guest OS to allow
them to protect against CVE-2018-3639.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Message-Id: <20180521215424.13520-2-berrange@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
(cherry picked from commit d19d1f965904a533998739698020ff4ee8a103da)
---
target/i386/cpu.c | 2 +-
target/i386/cpu.h | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index a20fe26573..2f5263e22f 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -510,7 +510,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
NULL, NULL, "spec-ctrl", NULL,
- NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, "ssbd",
},
.cpuid_eax = 7,
.cpuid_needs_ecx = true, .cpuid_ecx = 0,
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 1b219fafc4..970ab96e54 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -684,6 +684,7 @@ typedef uint32_t FeatureWordArray[FEATURE_WORDS];
#define CPUID_7_0_EDX_AVX512_4VNNIW (1U << 2) /* AVX512 Neural Network Instructions */
#define CPUID_7_0_EDX_AVX512_4FMAPS (1U << 3) /* AVX512 Multiply Accumulation Single Precision */
#define CPUID_7_0_EDX_SPEC_CTRL (1U << 26) /* Speculation Control */
+#define CPUID_7_0_EDX_SPEC_CTRL_SSBD (1U << 31) /* Speculative Store Bypass Disable */
#define KVM_HINTS_DEDICATED (1U << 0)
--
2.17.0

148
0002-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch Normal file
View File

@ -0,0 +1,148 @@
From 70913a1bded444b1d264c3723fca2f6a7966d667 Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date: Mon, 21 May 2018 22:54:24 +0100
Subject: [PATCH 2/3] i386: Define the Virt SSBD MSR and handling of it
(CVE-2018-3639)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
"Some AMD processors only support a non-architectural means of enabling
speculative store bypass disable (SSBD). To allow a simplified view of
this to a guest, an architectural definition has been created through a new
CPUID bit, 0x80000008_EBX[25], and a new MSR, 0xc001011f. With this, a
hypervisor can virtualize the existence of this definition and provide an
architectural method for using SSBD to a guest.
Add the new CPUID feature, the new MSR and update the existing SSBD
support to use this MSR when present." (from x86/speculation: Add virtualized
speculative store bypass disable support in Linux).
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20180521215424.13520-4-berrange@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
(cherry picked from commit cfeea0c021db6234c154dbc723730e81553924ff)
---
target/i386/cpu.h | 2 ++
target/i386/kvm.c | 16 ++++++++++++++--
target/i386/machine.c | 20 ++++++++++++++++++++
3 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/target/i386/cpu.h b/target/i386/cpu.h
index 970ab96e54..75e821cefe 100644
--- a/target/i386/cpu.h
+++ b/target/i386/cpu.h
@@ -351,6 +351,7 @@ typedef enum X86Seg {
#define MSR_IA32_FEATURE_CONTROL 0x0000003a
#define MSR_TSC_ADJUST 0x0000003b
#define MSR_IA32_SPEC_CTRL 0x48
+#define MSR_VIRT_SSBD 0xc001011f
#define MSR_IA32_TSCDEADLINE 0x6e0
#define FEATURE_CONTROL_LOCKED (1<<0)
@@ -1150,6 +1151,7 @@ typedef struct CPUX86State {
uint32_t pkru;
uint64_t spec_ctrl;
+ uint64_t virt_ssbd;
/* End of state preserved by INIT (dummy marker). */
struct {} end_init_save;
diff --git a/target/i386/kvm.c b/target/i386/kvm.c
index 6c49954e68..19e6aa320d 100644
--- a/target/i386/kvm.c
+++ b/target/i386/kvm.c
@@ -92,6 +92,7 @@ static bool has_msr_hv_stimer;
static bool has_msr_hv_frequencies;
static bool has_msr_xss;
static bool has_msr_spec_ctrl;
+static bool has_msr_virt_ssbd;
static bool has_msr_smi_count;
static uint32_t has_architectural_pmu_version;
@@ -1218,6 +1219,9 @@ static int kvm_get_supported_msrs(KVMState *s)
case MSR_IA32_SPEC_CTRL:
has_msr_spec_ctrl = true;
break;
+ case MSR_VIRT_SSBD:
+ has_msr_virt_ssbd = true;
+ break;
}
}
}
@@ -1706,6 +1710,10 @@ static int kvm_put_msrs(X86CPU *cpu, int level)
if (has_msr_spec_ctrl) {
kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, env->spec_ctrl);
}
+ if (has_msr_virt_ssbd) {
+ kvm_msr_entry_add(cpu, MSR_VIRT_SSBD, env->virt_ssbd);
+ }
+
#ifdef TARGET_X86_64
if (lm_capable_kernel) {
kvm_msr_entry_add(cpu, MSR_CSTAR, env->cstar);
@@ -2077,8 +2085,9 @@ static int kvm_get_msrs(X86CPU *cpu)
if (has_msr_spec_ctrl) {
kvm_msr_entry_add(cpu, MSR_IA32_SPEC_CTRL, 0);
}
-
-
+ if (has_msr_virt_ssbd) {
+ kvm_msr_entry_add(cpu, MSR_VIRT_SSBD, 0);
+ }
if (!env->tsc_valid) {
kvm_msr_entry_add(cpu, MSR_IA32_TSC, 0);
env->tsc_valid = !runstate_is_running();
@@ -2444,6 +2453,9 @@ static int kvm_get_msrs(X86CPU *cpu)
case MSR_IA32_SPEC_CTRL:
env->spec_ctrl = msrs[i].data;
break;
+ case MSR_VIRT_SSBD:
+ env->virt_ssbd = msrs[i].data;
+ break;
case MSR_IA32_RTIT_CTL:
env->msr_rtit_ctrl = msrs[i].data;
break;
diff --git a/target/i386/machine.c b/target/i386/machine.c
index bd2d82e91b..f0a835c292 100644
--- a/target/i386/machine.c
+++ b/target/i386/machine.c
@@ -893,6 +893,25 @@ static const VMStateDescription vmstate_msr_intel_pt = {
}
};
+static bool virt_ssbd_needed(void *opaque)
+{
+ X86CPU *cpu = opaque;
+ CPUX86State *env = &cpu->env;
+
+ return env->virt_ssbd != 0;
+}
+
+static const VMStateDescription vmstate_msr_virt_ssbd = {
+ .name = "cpu/virt_ssbd",
+ .version_id = 1,
+ .minimum_version_id = 1,
+ .needed = virt_ssbd_needed,
+ .fields = (VMStateField[]){
+ VMSTATE_UINT64(env.virt_ssbd, X86CPU),
+ VMSTATE_END_OF_LIST()
+ }
+};
+
VMStateDescription vmstate_x86_cpu = {
.name = "cpu",
.version_id = 12,
@@ -1015,6 +1034,7 @@ VMStateDescription vmstate_x86_cpu = {
&vmstate_spec_ctrl,
&vmstate_mcg_ext_ctl,
&vmstate_msr_intel_pt,
+ &vmstate_msr_virt_ssbd,
NULL
}
};
--
2.17.0

41
0003-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch Normal file
View File

@ -0,0 +1,41 @@
From f956cd4aed74d55ecc03d3c33ea66b1d933cb28f Mon Sep 17 00:00:00 2001
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Date: Mon, 21 May 2018 22:54:23 +0100
Subject: [PATCH 3/3] i386: define the AMD 'virt-ssbd' CPUID feature bit
(CVE-2018-3639)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
AMD Zen expose the Intel equivalant to Speculative Store Bypass Disable
via the 0x80000008_EBX[25] CPUID feature bit.
This needs to be exposed to guest OS to allow them to protect
against CVE-2018-3639.
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Message-Id: <20180521215424.13520-3-berrange@redhat.com>
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
(cherry picked from commit 403503b162ffc33fb64cfefdf7b880acf41772cd)
---
target/i386/cpu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/target/i386/cpu.c b/target/i386/cpu.c
index 2f5263e22f..2e305ab689 100644
--- a/target/i386/cpu.c
+++ b/target/i386/cpu.c
@@ -541,7 +541,7 @@ static FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
"ibpb", NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL,
- NULL, NULL, NULL, NULL,
+ NULL, "virt-ssbd", NULL, NULL,
NULL, NULL, NULL, NULL,
},
.cpuid_eax = 0x80000008,
--
2.17.0

11
qemu.spec
View File

@ -104,7 +104,7 @@ Requires: %{name}-ui-sdl = %{epoch}:%{version}-%{release}
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 2.12.0
Release: 2%{?rcrel}%{?dist}
Release: 3%{?rcrel}%{?dist}
Epoch: 2
License: GPLv2 and BSD and MIT and CC-BY
URL: http://www.qemu.org/
@ -140,6 +140,12 @@ Source22: 95-kvm-ppc64-memlock.conf
# Fix qxl memslot_get_virt crashes (bz #1565354)
Patch0001: 0001-qxl-fix-local-renderer-crash.patch
Patch0002: 0001-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
Patch0003: 0002-i386-Define-the-Virt-SSBD-MSR-and-handling-of-it-CVE.patch
Patch0004: 0003-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit-CVE-.patch
# documentation deps
BuildRequires: texinfo
# For /usr/bin/pod2man
@ -1666,6 +1672,9 @@ getent passwd qemu >/dev/null || \
%changelog
* Mon Jun 18 2018 Daniel P. Berrangé <berrange@redhat.com> - 2:2.12.0-3
- New CPU features for speculative store bypass (CVE-2018-3639)
* Tue Jun 05 2018 Cole Robinson <crobinso@redhat.com> - 2:2.12.0-2
- Fix qxl memslot_get_virt crashes (bz #1565354)