[pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

Fabian Grünbichler f.gruenbichler at proxmox.com
Fri Jan 5 11:25:51 CET 2018


On Thu, Jan 04, 2018 at 09:08:32PM +0100, Stefan Priebe - Profihost AG wrote:
> 
> Here we go - attached is the relevant patch - extracted from the
> opensuse src.rpm.

this will most likely not be needed for some time, since a pre-requisite
is having microcode and kernels supporting IBRS and IBPB.

the microcode update is still on-going (e.g., some vendors like Lenovo,
Suse and RH have started releasing updates, but Intel still does not
have a public package yet and Debian's partial update is only in
unstable so far, likely taking at least a week to hit Stretch, and needs
non-free enabled).

the kernel changes have been submitted by Intel as a first draft for
discussion upstream.

the current plan is to release updated kernel packages ASAP based on 4.4
and 4.13 with
- final, tested KPTI patches (not yet available for 4.4 and 4.13!) to
  fix MELTDOWN for the host kernel
- backport / cherry-pick of KVM commit to prevent KVM guest->host
  SPECTRE exploit

it is very likely that the following changes will have to wait for
later follow-up updates:
- (more) final version of kernel IBRS/IBPB patches
- a variant of the Qemu patch to allow passing on IBRS/IBPB to guests
- more SPECTRE fixes
- regression fixes (based on the current feedback to KPTI in various
  stable kernel series, some level of breakage is to be expected)



