[pve-devel] applied: [PATCH v2 qemu/qemu-server] fix for intel MDS CVEs

Thomas Lamprecht t.lamprecht at proxmox.com
Thu Jun 6 17:44:59 CEST 2019 

On 6/6/19 3:11 PM, Oguz Bektas wrote:
> cherry-picks mds mitigation related commits from upstream qemu, some
> commits are taken to ensure easy backport.
> 
> fixes included for:
> * CVE-2018-12126
> * CVE-2018-12127
> * CVE-2018-12130
> * CVE-2019-11091
> 
> adds the md-clear cpuflag.
> 
> Not included by default in any Intel CPU model.
> 
> Must be explicitly turned on for all Intel CPU models.
> 
> Requires the host CPU microcode to support this feature before it
> can be used for guest CPUs.
> 
> Signed-off-by: Oguz Bektas <o.bektas at proxmox.com>
> ---
>  ...port-to-KVM_GET_MSR_FEATURE_INDEX_LIST-an.patch | 148 +++++
>  ...UID-bit-and-feature-words-for-IA32_ARCH_C.patch |  56 ++
>  ...w-MSR-indices-for-IA32_PRED_CMD-and-IA32_.patch |  38 ++
>  ...ructure-changes-to-support-MSR-based-feat.patch | 489 +++++++++++++++++
>  ...a-new-MSR-based-feature-word-FEATURE_WORD.patch | 116 ++++
>  .../0008-target-i386-add-MDS-NO-feature.patch      |  38 ++
>  .../0009-target-i386-define-md-clear-bit.patch     |  34 ++
>  ...uidance-on-configuring-CPU-models-for-x86.patch | 605 +++++++++++++++++++++
>  ...end-use-of-md-clear-feature-on-all-Intel-.patch |  48 ++
>  debian/patches/series                              |   9 +
>  10 files changed, 1581 insertions(+)
>  create mode 100644 debian/patches/extra/0003-kvm-Add-support-to-KVM_GET_MSR_FEATURE_INDEX_LIST-an.patch
>  create mode 100644 debian/patches/extra/0004-i386-Add-CPUID-bit-and-feature-words-for-IA32_ARCH_C.patch
>  create mode 100644 debian/patches/extra/0005-i386-Add-new-MSR-indices-for-IA32_PRED_CMD-and-IA32_.patch
>  create mode 100644 debian/patches/extra/0006-x86-Data-structure-changes-to-support-MSR-based-feat.patch
>  create mode 100644 debian/patches/extra/0007-x86-define-a-new-MSR-based-feature-word-FEATURE_WORD.patch
>  create mode 100644 debian/patches/extra/0008-target-i386-add-MDS-NO-feature.patch
>  create mode 100644 debian/patches/extra/0009-target-i386-define-md-clear-bit.patch
>  create mode 100644 debian/patches/extra/0010-docs-add-guidance-on-configuring-CPU-models-for-x86.patch
>  create mode 100644 debian/patches/extra/0011-docs-recommend-use-of-md-clear-feature-on-all-Intel-.patch
> 

applied, but as you already noticed your self: missing changelog :)
Further, the "qemu-server" tag in the mail's subject confused me a
bit.. I then just took the one from your v1.. Thanks!

More information about the pve-devel mailing list