[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH] i386: define the 'flush_l1d' CPUID feature bit (CVE-2018-364
From: |
Paolo Bonzini |
Subject: |
Re: [PATCH] i386: define the 'flush_l1d' CPUID feature bit (CVE-2018-3646) |
Date: |
Tue, 12 Nov 2019 11:15:54 +0100 |
User-agent: |
Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 |
On 12/11/19 10:51, Daniel P. Berrangé wrote:
> On Tue, Nov 12, 2019 at 03:50:43AM +0000, Kyle Copperfield via wrote:
>> New microcode introduces the "Flush L1D Cache" CPUID feature bit.
>> This needs to be exposed to guest OS to allow them to protect against
>> CVE-2018-3646.
>
> My understanding was that this is only required in the L0 hypervisor,
> not the guests or nested hypervisors, which is why QEMU hadn't already
> exposed this feature when L1TF first went public.
>
> Copying Paolo for a definitive answer on that though....
Correct; in fact in addition to this patch you would have to patch KVM
to allow guest writes to MSR_IA32_FLUSH_CMD.
Paolo
>
>>
>> Signed-off-by: Kyle Copperfield <address@hidden>
>> ---
>> docs/qemu-cpu-models.texi | 7 +++++++
>> target/i386/cpu.c | 2 +-
>> 2 files changed, 8 insertions(+), 1 deletion(-)
>>
>> diff --git a/docs/qemu-cpu-models.texi b/docs/qemu-cpu-models.texi
>> index f88a1def0d..1b5349d86a 100644
>> --- a/docs/qemu-cpu-models.texi
>> +++ b/docs/qemu-cpu-models.texi
>> @@ -180,6 +180,13 @@ Must be explicitly turned on for all Intel CPU models.
>> Requires the host CPU microcode to support this feature before it
>> can be used for guest CPUs.
>>
>> +@item @code{flush_l1d}
>> +
>> +Required to enable strong Foreshadow-NG (VMM) (CVE-2018-3646) fixes in
>> +guests.
>> +
>> +Requires the host CPU microcode to support this feature before it
>> +can be used for guest CPUs.
>>
>> @item @code{ssbd}
>>
>> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
>> index a624163ac2..1fb6d677e2 100644
>> --- a/target/i386/cpu.c
>> +++ b/target/i386/cpu.c
>> @@ -1083,7 +1083,7 @@ static FeatureWordInfo
>> feature_word_info[FEATURE_WORDS] = {
>> NULL, NULL, NULL /* pconfig */, NULL,
>> NULL, NULL, NULL, NULL,
>> NULL, NULL, "spec-ctrl", "stibp",
>> - NULL, "arch-capabilities", "core-capability", "ssbd",
>> + "flush_l1d", "arch-capabilities", "core-capability", "ssbd",
>> },
>> .cpuid = {
>> .eax = 7,
>> --
>> 2.24.0
>>
>>
>
> Regards,
> Daniel
>