[pve-devel] [PATCH pve-qemu/qemu-server 0/2] intel MDS CVE fixes

Oguz Bektas o.bektas at proxmox.com
Wed Jun 5 12:47:57 CEST 2019


hi

On Mon, Jun 03, 2019 at 05:12:48PM +0200, Thomas Lamprecht wrote:
> On 6/3/19 3:17 PM, Oguz Bektas wrote:
> > qemu-server:
> > 
> > Oguz Bektas (1):
> >   add md-clear cpu flag
> > 
> >  PVE/QemuServer.pm | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > pve-qemu:
> > 
> > Oguz Bektas (1):
> >   add fixes for intel MDS CVEs
> > 
> >  ...port-to-KVM_GET_MSR_FEATURE_INDEX_LIST-an.patch | 146 +++++++
> >  ...UID-bit-and-feature-words-for-IA32_ARCH_C.patch |  54 +++
> >  ...w-MSR-indices-for-IA32_PRED_CMD-and-IA32_.patch |  36 ++
> >  ...ructure-changes-to-support-MSR-based-feat.patch | 485 +++++++++++++++++++++
> >  ...a-new-MSR-based-feature-word-FEATURE_WORD.patch | 113 +++++
> >  .../0008-target-i386-add-MDS-NO-feature.patch      |  36 ++
> >  .../0009-target-i386-define-md-clear-bit.patch     |  32 ++
> >  debian/patches/series                              |   7 +
> >  8 files changed, 909 insertions(+)
> >  create mode 100644 debian/patches/extra/0003-kvm-Add-support-to-KVM_GET_MSR_FEATURE_INDEX_LIST-an.patch
> >  create mode 100644 debian/patches/extra/0004-i386-Add-CPUID-bit-and-feature-words-for-IA32_ARCH_C.patch
> >  create mode 100644 debian/patches/extra/0005-i386-Add-new-MSR-indices-for-IA32_PRED_CMD-and-IA32_.patch
> >  create mode 100644 debian/patches/extra/0006-x86-Data-structure-changes-to-support-MSR-based-feat.patch
> >  create mode 100644 debian/patches/extra/0007-x86-define-a-new-MSR-based-feature-word-FEATURE_WORD.patch
> >  create mode 100644 debian/patches/extra/0008-target-i386-add-MDS-NO-feature.patch
> >  create mode 100644 debian/patches/extra/0009-target-i386-define-md-clear-bit.patch
> > 
> > 
> 
> looks OK, in general, did you also test live migration? I.e., from node with
> current qemu/qemu-server installed to a node with your patches applied?

i didn't test live migration, i'll try it out and update today.

> vice versa would be interesting too but not too important (we must guarantee
> old -> new migration compatibility, and while we try to not actively break new
> -> old, sometimes this just cannot be avoided (same policy as QEMU upstream
> has)).

agreed. i'm on it.



