[pve-devel] [PATCH pve-qemu/qemu-server 0/2] intel MDS CVE fixes

Thomas Lamprecht t.lamprecht at proxmox.com
Mon Jun 3 17:12:48 CEST 2019


On 6/3/19 3:17 PM, Oguz Bektas wrote:
> qemu-server:
> 
> Oguz Bektas (1):
>   add md-clear cpu flag
> 
>  PVE/QemuServer.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> pve-qemu:
> 
> Oguz Bektas (1):
>   add fixes for intel MDS CVEs
> 
>  ...port-to-KVM_GET_MSR_FEATURE_INDEX_LIST-an.patch | 146 +++++++
>  ...UID-bit-and-feature-words-for-IA32_ARCH_C.patch |  54 +++
>  ...w-MSR-indices-for-IA32_PRED_CMD-and-IA32_.patch |  36 ++
>  ...ructure-changes-to-support-MSR-based-feat.patch | 485 +++++++++++++++++++++
>  ...a-new-MSR-based-feature-word-FEATURE_WORD.patch | 113 +++++
>  .../0008-target-i386-add-MDS-NO-feature.patch      |  36 ++
>  .../0009-target-i386-define-md-clear-bit.patch     |  32 ++
>  debian/patches/series                              |   7 +
>  8 files changed, 909 insertions(+)
>  create mode 100644 debian/patches/extra/0003-kvm-Add-support-to-KVM_GET_MSR_FEATURE_INDEX_LIST-an.patch
>  create mode 100644 debian/patches/extra/0004-i386-Add-CPUID-bit-and-feature-words-for-IA32_ARCH_C.patch
>  create mode 100644 debian/patches/extra/0005-i386-Add-new-MSR-indices-for-IA32_PRED_CMD-and-IA32_.patch
>  create mode 100644 debian/patches/extra/0006-x86-Data-structure-changes-to-support-MSR-based-feat.patch
>  create mode 100644 debian/patches/extra/0007-x86-define-a-new-MSR-based-feature-word-FEATURE_WORD.patch
>  create mode 100644 debian/patches/extra/0008-target-i386-add-MDS-NO-feature.patch
>  create mode 100644 debian/patches/extra/0009-target-i386-define-md-clear-bit.patch
> 
> 

Looks OK in general. Did you also test live migration? I.e., from a node with
the current qemu/qemu-server installed to a node with your patches applied?
Vice versa would be interesting too but not too important (we must guarantee
old -> new migration compatibility, and while we try to not actively break new
-> old, sometimes this just cannot be avoided (same policy as QEMU upstream
has)).



