Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian....@packages.debian.org
Usertags: pu
Hi,

this updates libvirt's cpu map to make addressing CVE-2018-3639, CVE-2017-5753, CVE-2017-5715, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130 and CVE-2019-11091 easier for our users by supporting the md-clear, ssbd, spec-ctrl and ibpb CPU features when picking CPU models, without having to fall back to host-passthrough. See https://www.berrange.com/posts/2018/06/29/cpu-model-configuration-for-qemu-kvm-on-x86-hosts/ for details on how this works in libvirt.

Cheers,
 -- Guido

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
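To make concrete what the cpu map change buys a user, here is an added example (not part of this bug report, and not libvirt's or Debian's code) that parses <feature> definitions written in cpu_map.xml syntax, checks a host's raw CPUID registers against their masks in the spirit of libvirt's host feature detection, and emits a host-model <cpu> element that requires every mitigation bit the host exposes. The entries for ssbd, virt-ssbd, amd-ssbd, amd-no-ssb, spec-ctrl and ibpb are copied from the patches attached below; the md-clear value (leaf 7 sub-leaf 0, EDX bit 10) is an assumption taken from Intel's CPUID documentation because the md-clear patch is not in the visible diff, and the two CPUID dumps are constructed for illustration, not captured from real hosts.

```python
"""Map raw CPUID register values to libvirt cpu_map.xml feature names and
build a guest <cpu> element that requires the mitigation features present.

Added example for this bug report; not code from libvirt or from Debian."""

import xml.etree.ElementTree as ET

# <feature> definitions in cpu_map.xml syntax. ssbd, virt-ssbd, amd-ssbd,
# amd-no-ssb, spec-ctrl and ibpb are copied from the patches in this report;
# md-clear (leaf 7 sub-leaf 0, EDX bit 10) is an assumption taken from Intel's
# CPUID documentation because the md-clear patch is not in the visible diff.
CPU_MAP = """<cpus>
  <feature name='md-clear'>
    <cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000400'/>
  </feature>
  <feature name='spec-ctrl'>
    <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/>
  </feature>
  <feature name='ssbd'>
    <cpuid eax_in='0x07' ecx_in='0x00' edx='0x80000000'/>
  </feature>
  <feature name='ibpb'>
    <cpuid eax_in='0x80000008' ebx='0x00001000'/>
  </feature>
  <feature name='amd-ssbd'>
    <cpuid eax_in='0x80000008' ebx='0x01000000'/>
  </feature>
  <feature name='virt-ssbd'>
    <cpuid eax_in='0x80000008' ebx='0x02000000'/>
  </feature>
  <feature name='amd-no-ssb'>
    <cpuid eax_in='0x80000008' ebx='0x04000000'/>
  </feature>
</cpus>"""

# Flaws named in the changelog and the feature bits that let a guest kernel
# mitigate each one (any one of the listed names is enough). CVE-2017-5753
# (Spectre v1) needs no CPU feature and is therefore not listed.
MITIGATIONS = {
    "CVE-2017-5715": ["spec-ctrl", "ibpb"],
    "CVE-2018-3639": ["ssbd", "virt-ssbd", "amd-ssbd", "amd-no-ssb"],
    "CVE-2018-12126/12127/12130, CVE-2019-11091": ["md-clear"],
}

REGS = ("eax", "ebx", "ecx", "edx")


def parse_cpu_map(xml_text):
    """Return {feature: [(eax_in, ecx_in, {reg: mask}), ...]}."""
    feats = {}
    for feat in ET.fromstring(xml_text).iter("feature"):
        entries = []
        for c in feat.findall("cpuid"):
            eax_in = int(c.get("eax_in"), 16)
            ecx_in = int(c.get("ecx_in", "0"), 16)  # sub-leaf defaults to 0
            masks = {r: int(c.get(r, "0"), 16) for r in REGS}
            entries.append((eax_in, ecx_in, masks))
        feats[feat.get("name")] = entries
    return feats


def host_features(cpu_map, cpuid):
    """cpuid is {(eax_in, ecx_in): {reg: value}} as read from the host.
    A feature is present only if every mask bit of every <cpuid> entry is set;
    a leaf the host does not report counts as all zeros."""
    present = set()
    for name, entries in cpu_map.items():
        ok = bool(entries)
        for eax_in, ecx_in, masks in entries:
            regs = cpuid.get((eax_in, ecx_in), {})
            for r, mask in masks.items():
                if mask and (regs.get(r, 0) & mask) != mask:
                    ok = False
        if ok:
            present.add(name)
    return present


def mitigation_cpu_xml(present):
    """Build a host-model <cpu> element requiring each mitigation feature the
    host exposes, and list the flaws for which the host offers none.
    policy='require' makes the guest refuse to start instead of silently
    running unmitigated when QEMU cannot provide the bit."""
    lines = ["<cpu mode='host-model'>"]
    unmitigated = []
    for cve, names in MITIGATIONS.items():
        have = [n for n in names if n in present]
        if not have:
            unmitigated.append(cve)
        lines.extend("  <feature policy='require' name='%s'/>" % n for n in have)
    lines.append("</cpu>")
    return "\n".join(lines), unmitigated


# Constructed CPUID dumps, not captured from real machines: an Intel host with
# the post-microcode leaf 7 bits, and an AMD host with the 0x80000008 EBX bits.
INTEL_HOST = {(0x07, 0x00): {"edx": 0x84000400}}          # md-clear|spec-ctrl|ssbd
AMD_HOST = {(0x07, 0x00): {"edx": 0x00000000},
            (0x80000008, 0x00): {"ebx": 0x02001000}}      # ibpb|virt-ssbd

if __name__ == "__main__":
    cpu_map = parse_cpu_map(CPU_MAP)
    for label, dump in (("intel", INTEL_HOST), ("amd", AMD_HOST)):
        feats = host_features(cpu_map, dump)
        xml, missing = mitigation_cpu_xml(feats)
        print("%s host features: %s" % (label, ", ".join(sorted(feats))))
        print(xml)
        for cve in missing:
            print("  no mitigation feature available for %s" % cve)
```

Running it prints one <cpu> fragment per sample host; on a real machine compare the feature names against `virsh domcapabilities` before pasting the fragment into the domain XML. policy='require' is the deliberate choice here: a guest that fails to start is easier to notice than one that boots without the bit and reports itself vulnerable, and the printed "no mitigation feature available" line is the cue that the host microcode or the hypervisor, not the guest config, is what still needs attention.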
diff --git a/debian/changelog b/debian/changelog index 198e75dcfe..04b7242746 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +libvirt (3.0.0-4+deb9u4) stretch; urgency=medium + + * cpu_map: Define md-clear CPUID bit. + CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 + * Add spec-ctrl and ibpb CPU features and ibrs CPU models. + CVE-2017-5753, CVE-2017-5715 + * Add ssbd CPU feature. + CVE-2018-3639 + + -- Guido Günther <a...@sigxcpu.org> Wed, 12 Jun 2019 10:13:38 +0200 + libvirt (3.0.0-4+deb9u3) stretch-security; urgency=high * gbp: switch branch to stretch diff --git a/debian/patches/cpu-add-amd-ssbd-and-amd-no-ssb-CPU-features-CVE-2018-363.patch b/debian/patches/cpu-add-amd-ssbd-and-amd-no-ssb-CPU-features-CVE-2018-363.patch new file mode 100644 index 0000000000..048477b45f --- /dev/null +++ b/debian/patches/cpu-add-amd-ssbd-and-amd-no-ssb-CPU-features-CVE-2018-363.patch 
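Review bot: the changelog entry lists md-clear, spec-ctrl and ibpb, but no hunk in this diff adds those <feature> definitions (spec-ctrl and ibpb appear only as unchanged context inside the ssbd and virt-ssbd patches, md-clear not at all), and debian/patches/series is not touched anywhere visible, so as posted the new patch files would not be applied by the build. Please include the series update and the md-clear patch, or say where they come from. Minor: the third bullet, "Add ssbd CPU feature", is backed by three patch files (ssbd, virt-ssbd, amd-ssbd/amd-no-ssb); naming all four bits there would make it easier to match the changelog to the patches.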
@@ -0,0 +1,59 @@ +From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berra...@redhat.com> +Date: Thu, 14 Jun 2018 11:12:59 +0100 +Subject: cpu: add 'amd-ssbd' and 'amd-no-ssb' CPU features (CVE-2018-3639) +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +AMD x86 CPUs have two separate ways to mitigate the Speculative Store +Bypass hardware flaw. In current processors only non-architectural MSRs +are available, and so hypervisors must expose a virtualized MSR and CPU +flag "virt-ssbd" (CPUID Function 8000_0008, EBX[25]=1). + +In future processors AMD will provide an architectural MSR, indicated by +existance of the CPUID Function 8000_0008, EBX[24]=1, to which QEMU has +given the name "amd-ssbd". + +The "amd-ssbd" flag should be used in preference to "virt-ssbd", if it +is available, since it provides improved performance. For virtual +machine configuration, both should be exposed when available, to allow +for maximal guest OS compatibility as not all guests yet support both. + +If future processes are not vulnerable to the flaw, this will be +indicated by the existance of CPUID Function 8000_0008, EBX[26]=1, +to which QEMU has given the name "amd-no-ssb". + +See also 124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf +from: + + https://bugzilla.kernel.org/show_bug.cgi?id=199889 + +Note that neither amd-ssbd or amd-no-ssb will be reported by the kernel +in /proc/cpuinfo. It knows about these CPUID bits and does the right thing, +but doesn't report their existance as distinct flags in /proc/cpuinfo. + +Signed-off-by: Daniel P. 
Berrangé <berra...@redhat.com> +--- + src/cpu/cpu_map.xml | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml +index 61542cf..2f109e4 100644 +--- a/src/cpu/cpu_map.xml ++++ b/src/cpu/cpu_map.xml +@@ -424,9 +424,15 @@ + <feature name='ibpb'> + <cpuid eax_in='0x80000008' ebx='0x00001000'/> + </feature> ++ <feature name='amd-ssbd'> ++ <cpuid eax_in='0x80000008' ebx='0x01000000'/> ++ </feature> + <feature name='virt-ssbd'> + <cpuid eax_in='0x80000008' ebx='0x02000000'/> + </feature> ++ <feature name='amd-no-ssb'> ++ <cpuid eax_in='0x80000008' ebx='0x04000000'/> ++ </feature> + + <!-- models --> + <model name='486'> diff --git a/debian/patches/cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch b/debian/patches/cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch new file mode 100644 index 0000000000..f57eed9cfb --- /dev/null +++ b/debian/patches/cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch 
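Review bot: the file name cpu-add-amd-ssbd-and-amd-no-ssb-CPU-features-CVE-2018-363.patch has the CVE id cut to CVE-2018-363, so a grep for CVE-2018-3639 will miss it; rename it to end in CVE-2018-3639.patch like the two sibling ssbd patches. The bit values themselves match the commit message (EBX bit 24 = 0x01000000 for amd-ssbd and bit 26 = 0x04000000 for amd-no-ssb, either side of the existing virt-ssbd at bit 25 = 0x02000000), and the base index 61542cf is the post-image of the virt-ssbd patch, so this one has to come after it in series.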
@@ -0,0 +1,31 @@ +From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berra...@redhat.com> +Date: Mon, 21 May 2018 23:05:07 +0100 +Subject: cpu: define the 'ssbd' CPUID feature bit (CVE-2018-3639) +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +New microcode introduces the "Speculative Store Bypass Disable" +CPUID feature bit. This needs to be exposed to guest OS to allow +them to protect against CVE-2018-3639. + +Signed-off-by: Daniel P. Berrangé <berra...@redhat.com> +Reviewed-by: Jiri Denemark <jdene...@redhat.com> +--- + src/cpu/cpu_map.xml | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml +index ec13299..a1a5da1 100644 +--- a/src/cpu/cpu_map.xml ++++ b/src/cpu/cpu_map.xml +@@ -289,6 +289,9 @@ + <feature name='spec-ctrl'> + <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/> + </feature> ++ <feature name='ssbd'> ++ <cpuid eax_in='0x07' ecx_in='0x00' edx='0x80000000'/> ++ </feature> + + <!-- Processor Extended State Enumeration sub leaf 1 --> + <feature name='xsaveopt'> diff --git a/debian/patches/cpu-define-the-virt-ssbd-CPUID-feature-bit-CVE-2018-3639.patch b/debian/patches/cpu-define-the-virt-ssbd-CPUID-feature-bit-CVE-2018-3639.patch new file mode 100644 index 0000000000..bdb4b4f8a7 --- /dev/null +++ b/debian/patches/cpu-define-the-virt-ssbd-CPUID-feature-bit-CVE-2018-3639.patch 
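Review bot: the hunk is right for CPUID.(7,0):EDX bit 31 = 0x80000000, next to the spec-ctrl entry at bit 26. Its base index ec13299 is the post-image of cpu-Add-Skylake-Client-IBRS-CPU-model.patch, so in series this patch (and virt-ssbd and amd-ssbd after it) must follow all nine security/cpu-Add-*-IBRS patches; worth double-checking since the series file is not in the diff. Also, defining the bit is only half of what users need: none of the -IBRS models added in this update includes ssbd, so a guest only gets it with host-model or an explicit <feature policy='require' name='ssbd'/>, and the changelog or README.Debian should say so.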
@@ -0,0 +1,41 @@ +From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berra...@redhat.com> +Date: Mon, 21 May 2018 23:05:08 +0100 +Subject: cpu: define the 'virt-ssbd' CPUID feature bit (CVE-2018-3639) +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 8bit + +Some AMD processors only support a non-architectural means of +enabling Speculative Store Bypass Disable. To allow simplified +handling in virtual environments, hypervisors will expose an +architectural definition through CPUID bit 0x80000008_EBX[25]. +This needs to be exposed to guest OS running on AMD x86 hosts to +allow them to protect against CVE-2018-3639. + +Note that since this CPUID bit won't be present in the host CPUID +results on physical hosts, it will not be enabled automatically +in guests configured with "host-model" CPU unless using QEMU +version >= 2.9.0. Thus for older versions of QEMU, this feature +must be manually enabled using policy=force. Guests using the +"host-passthrough" CPU mode do not need special handling. + +Signed-off-by: Daniel P. Berrangé <berra...@redhat.com> +Reviewed-by: Jiri Denemark <jdene...@redhat.com> +--- + src/cpu/cpu_map.xml | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml +index a1a5da1..61542cf 100644 +--- a/src/cpu/cpu_map.xml ++++ b/src/cpu/cpu_map.xml +@@ -424,6 +424,9 @@ + <feature name='ibpb'> + <cpuid eax_in='0x80000008' ebx='0x00001000'/> + </feature> ++ <feature name='virt-ssbd'> ++ <cpuid eax_in='0x80000008' ebx='0x02000000'/> ++ </feature> + + <!-- models --> + <model name='486'> diff --git a/debian/patches/qemu-skip-QMP-probing-of-CPU-definitions-when-missing.patch b/debian/patches/qemu-skip-QMP-probing-of-CPU-definitions-when-missing.patch index 85fd5b88f4..ff99099706 100644 --- a/debian/patches/qemu-skip-QMP-probing-of-CPU-definitions-when-missing.patch +++ b/debian/patches/qemu-skip-QMP-probing-of-CPU-definitions-when-missing.patch 
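Review bot: the caveat in the commit message matters for this backport: with QEMU older than 2.9.0, host-model guests do not pick up virt-ssbd automatically and need <feature policy='force' name='virt-ssbd'/>, while host-passthrough is unaffected. Since the changelog lists CVE-2018-3639 as addressed, please carry that caveat into the changelog or README.Debian so stretch users on AMD hosts do not assume host-model alone is enough.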
@@ -229,7 +229,7 @@ index faddd50..46aae4f 100644 <kvmVersion>0</kvmVersion> <package></package> diff --git a/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml -index af21017..4c45b38 100644 +index af21017b..4c45b38 100644 --- a/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml +++ b/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml @@ -127,6 +127,7 @@ diff --git a/debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch b/debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch index f7277a7664..c4a026a206 100644 --- a/debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch +++ b/debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch 
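Review bot: this hunk only changes the abbreviated hash in an index line of a diff embedded in another patch (af21017 to af21017b), a no-op that gbp pq produced on re-export; harmless, but it makes the pu diff noisier than needed and could be dropped from the upload.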
@@ -4,18 +4,19 @@ Subject: CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest agent MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" -Content-Transfer-Encoding: base64 +Content-Transfer-Encoding: 8bit -V2UgcmVhZCBmcm9tIHRoZSBhZ2VudCB1bnRpbCBzZWVpbmcgYSBcclxuIHBhaXIgdG8gaW5kaWNh -dGUgYSBjb21wbGV0ZWQKcmVwbHkgb3IgZXZlbnQuIFRvIGF2b2lkIG1lbW9yeSBkZW5pYWwtb2Yt -c2VydmljZSB0aG91Z2gsIHdlIG11c3QgaGF2ZSBhCnNpemUgbGltaXQgb24gYW1vdW50IG9mIGRh -dGEgd2UgYnVmZmVyLiAxMCBNQiBpcyBsYXJnZSBlbm91Z2ggdGhhdCBpdApvdWdodCB0byBjb3Bl -IHdpdGggbm9ybWFsIGFnZW50IHJlcGxpZXMsIGFuZCBzbWFsbCBlbm91Z2ggdGhhdCB3ZSdyZSBu -b3QKY29uc3VtaW5nIHVucmVhc29uYWJsZSBtZW0uCgpUaGlzIGlzIGlkZW50aWNhbCB0byB0aGUg -ZmxhdyB3ZSBoYWQgcmVhZGluZyBmcm9tIHRoZSBRRU1VIG1vbml0b3IKYXMgQ1ZFLTIwMTgtNTc0 -OCwgc28gcmF0aGVyIGVtYmFycmFzc2luZyB0aGF0IHdlIGZvcmdvdCB0byBmaXgKdGhlIGFnZW50 -IGNvZGUgYXQgdGhlIHNhbWUgdGltZS4KClNpZ25lZC1vZmYtYnk6IERhbmllbCBQLiBCZXJyYW5n -w6kgPGJlcnJhbmdlQHJlZGhhdC5jb20+Cg== +We read from the agent until seeing a \r\n pair to indicate a completed +reply or event. To avoid memory denial-of-service though, we must have a +size limit on amount of data we buffer. 10 MB is large enough that it +ought to cope with normal agent replies, and small enough that we're not +consuming unreasonable mem. + +This is identical to the flaw we had reading from the QEMU monitor +as CVE-2018-5748, so rather embarrassing that we forgot to fix +the agent code at the same time. + +Signed-off-by: Daniel P. Berrangé <berra...@redhat.com> --- src/qemu/qemu_agent.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/debian/patches/security/cpu-Add-Broadwell-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-Broadwell-IBRS-CPU-model.patch new file mode 100644 index 0000000000..946c908e05 --- /dev/null +++ b/debian/patches/security/cpu-Add-Broadwell-IBRS-CPU-model.patch 
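Review bot: this hunk re-encodes the description of the existing CVE-2018-1064 patch from base64 to 8bit and leaves the src/qemu/qemu_agent.c hunk untouched (the decoded base64 is the same text), so it is safe; like the index-line change above it is re-export noise rather than part of this fix and could be omitted, or at least mentioned in the changelog so the release team does not have to decode it to confirm that.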
@@ -0,0 +1,92 @@ +From: Jiri Denemark <jdene...@redhat.com> +Date: Tue, 9 Jan 2018 21:36:28 +0100 +Subject: cpu: Add Broadwell-IBRS CPU model + +This is a variant of Broadwell with indirect branch prediction +protection. The only difference between Broadwell and Broadwell-IBRS is +the added "spec-ctrl" feature. + +The Broadwell-IBRS model in QEMU is a bit different since Broadwell got +several additional features since we added it in cpu_map.xml: + abm, arat, f16c, rdrand, vme, xsaveopt + +Adding them only to the -IBRS variant would confuse our CPU detection +code. + +Signed-off-by: Jiri Denemark <jdene...@redhat.com> +Reviewed-by: Pavel Hrdina <phrd...@redhat.com> +--- + src/cpu/cpu_map.xml | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 60 insertions(+) + +diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml +index 19d7944..28c1a1f 100644 +--- a/src/cpu/cpu_map.xml ++++ b/src/cpu/cpu_map.xml +@@ -1559,6 +1559,66 @@ + <feature name='xsave'/> + </model> + ++ <model name='Broadwell-IBRS'> ++ <signature family='6' model='61'/> ++ <vendor name='Intel'/> ++ <feature name='3dnowprefetch'/> ++ <feature name='adx'/> ++ <feature name='aes'/> ++ <feature name='apic'/> ++ <feature name='avx'/> ++ <feature name='avx2'/> ++ <feature name='bmi1'/> ++ <feature name='bmi2'/> ++ <feature name='clflush'/> ++ <feature name='cmov'/> ++ <feature name='cx16'/> ++ <feature name='cx8'/> ++ <feature name='de'/> ++ <feature name='erms'/> ++ <feature name='fma'/> ++ <feature name='fpu'/> ++ <feature name='fsgsbase'/> ++ <feature name='fxsr'/> ++ <feature name='hle'/> ++ <feature name='invpcid'/> ++ <feature name='lahf_lm'/> ++ <feature name='lm'/> ++ <feature name='mca'/> ++ <feature name='mce'/> ++ <feature name='mmx'/> ++ <feature name='movbe'/> ++ <feature name='msr'/> ++ <feature name='mtrr'/> ++ <feature name='nx'/> ++ <feature name='pae'/> ++ <feature name='pat'/> ++ <feature name='pcid'/> ++ <feature name='pclmuldq'/> ++ <feature name='pge'/> ++ 
<feature name='pni'/> ++ <feature name='popcnt'/> ++ <feature name='pse'/> ++ <feature name='pse36'/> ++ <feature name='rdseed'/> ++ <feature name='rdtscp'/> ++ <feature name='rtm'/> ++ <feature name='sep'/> ++ <feature name='smap'/> ++ <feature name='smep'/> ++ <feature name='spec-ctrl'/> ++ <feature name='sse'/> ++ <feature name='sse2'/> ++ <feature name='sse4.1'/> ++ <feature name='sse4.2'/> ++ <feature name='ssse3'/> ++ <feature name='syscall'/> ++ <feature name='tsc'/> ++ <feature name='tsc-deadline'/> ++ <feature name='x2apic'/> ++ <feature name='xsave'/> ++ </model> ++ + <model name='Skylake-Client'> + <signature family='6' model='94'/> + <vendor name='Intel'/> diff --git a/debian/patches/security/cpu-Add-Broadwell-noTSX-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-Broadwell-noTSX-IBRS-CPU-model.patch new file mode 100644 index 0000000000..c12422f0a7 --- /dev/null +++ b/debian/patches/security/cpu-Add-Broadwell-noTSX-IBRS-CPU-model.patch 
@@ -0,0 +1,91 @@ +From: Jiri Denemark <jdene...@redhat.com> +Date: Mon, 8 Jan 2018 20:53:25 +0100 +Subject: cpu: Add Broadwell-noTSX-IBRS CPU model + +This is a variant of Broadwell-noTSX with indirect branch prediction +protection. The only difference between Broadwell-noTSX and +Broadwell-noTSX-IBRS is the added "spec-ctrl" feature. + +The Broadwell-noTSX-IBRS model in QEMU is a bit different since +Broadwell-noTSX got several additional features since we added it in +cpu_map.xml: + abm, arat, f16c, rdrand, vme, xsaveopt + +Adding them only to the -IBRS variant would confuse our CPU detection +code. + +Signed-off-by: Jiri Denemark <jdene...@redhat.com> +Reviewed-by: Pavel Hrdina <phrd...@redhat.com> +--- + src/cpu/cpu_map.xml | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 58 insertions(+) + +diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml +index 21b89e9..19d7944 100644 +--- a/src/cpu/cpu_map.xml ++++ b/src/cpu/cpu_map.xml +@@ -1442,6 +1442,64 @@ + <feature name='xsave'/> + </model> + ++ <model name='Broadwell-noTSX-IBRS'> ++ <signature family='6' model='61'/> ++ <vendor name='Intel'/> ++ <feature name='3dnowprefetch'/> ++ <feature name='adx'/> ++ <feature name='aes'/> ++ <feature name='apic'/> ++ <feature name='avx'/> ++ <feature name='avx2'/> ++ <feature name='bmi1'/> ++ <feature name='bmi2'/> ++ <feature name='clflush'/> ++ <feature name='cmov'/> ++ <feature name='cx16'/> ++ <feature name='cx8'/> ++ <feature name='de'/> ++ <feature name='erms'/> ++ <feature name='fma'/> ++ <feature name='fpu'/> ++ <feature name='fsgsbase'/> ++ <feature name='fxsr'/> ++ <feature name='invpcid'/> ++ <feature name='lahf_lm'/> ++ <feature name='lm'/> ++ <feature name='mca'/> ++ <feature name='mce'/> ++ <feature name='mmx'/> ++ <feature name='movbe'/> ++ <feature name='msr'/> ++ <feature name='mtrr'/> ++ <feature name='nx'/> ++ <feature name='pae'/> ++ <feature name='pat'/> ++ <feature name='pcid'/> ++ <feature name='pclmuldq'/> ++ <feature 
name='pge'/> ++ <feature name='pni'/> ++ <feature name='popcnt'/> ++ <feature name='pse'/> ++ <feature name='pse36'/> ++ <feature name='rdseed'/> ++ <feature name='rdtscp'/> ++ <feature name='sep'/> ++ <feature name='smap'/> ++ <feature name='smep'/> ++ <feature name='spec-ctrl'/> ++ <feature name='sse'/> ++ <feature name='sse2'/> ++ <feature name='sse4.1'/> ++ <feature name='sse4.2'/> ++ <feature name='ssse3'/> ++ <feature name='syscall'/> ++ <feature name='tsc'/> ++ <feature name='tsc-deadline'/> ++ <feature name='x2apic'/> ++ <feature name='xsave'/> ++ </model> ++ + <model name='Broadwell'> + <signature family='6' model='61'/> + <vendor name='Intel'/> diff --git a/debian/patches/security/cpu-Add-Haswell-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-Haswell-IBRS-CPU-model.patch new file mode 100644 index 0000000000..17789f86c2 --- /dev/null +++ b/debian/patches/security/cpu-Add-Haswell-IBRS-CPU-model.patch 
@@ -0,0 +1,88 @@ +From: Jiri Denemark <jdene...@redhat.com> +Date: Mon, 8 Jan 2018 20:53:25 +0100 +Subject: cpu: Add Haswell-IBRS CPU model + +This is a variant of Haswell with indirect branch prediction protection. +The only difference between Haswell and Haswell-IBRS is the added +"spec-ctrl" feature. + +The Haswell-IBRS model in QEMU is a bit different since Haswell got +several additional features since we added it in cpu_map.xml: + arat, abm, f16c, rdrand, vme, xsaveopt + +Adding them only to the -IBRS variant would confuse our CPU detection +code. + +Signed-off-by: Jiri Denemark <jdene...@redhat.com> +Reviewed-by: Pavel Hrdina <phrd...@redhat.com> +--- + src/cpu/cpu_map.xml | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml +index ccfab9a..21b89e9 100644 +--- a/src/cpu/cpu_map.xml ++++ b/src/cpu/cpu_map.xml +@@ -1329,6 +1329,62 @@ + <feature name='xsave'/> + </model> + ++ <model name='Haswell-IBRS'> ++ <signature family='6' model='60'/> ++ <vendor name='Intel'/> ++ <feature name='aes'/> ++ <feature name='apic'/> ++ <feature name='avx'/> ++ <feature name='avx2'/> ++ <feature name='bmi1'/> ++ <feature name='bmi2'/> ++ <feature name='clflush'/> ++ <feature name='cmov'/> ++ <feature name='cx16'/> ++ <feature name='cx8'/> ++ <feature name='de'/> ++ <feature name='erms'/> ++ <feature name='fma'/> ++ <feature name='fpu'/> ++ <feature name='fsgsbase'/> ++ <feature name='fxsr'/> ++ <feature name='hle'/> ++ <feature name='invpcid'/> ++ <feature name='lahf_lm'/> ++ <feature name='lm'/> ++ <feature name='mca'/> ++ <feature name='mce'/> ++ <feature name='mmx'/> ++ <feature name='movbe'/> ++ <feature name='msr'/> ++ <feature name='mtrr'/> ++ <feature name='nx'/> ++ <feature name='pae'/> ++ <feature name='pat'/> ++ <feature name='pcid'/> ++ <feature name='pclmuldq'/> ++ <feature name='pge'/> ++ <feature name='pni'/> ++ <feature name='popcnt'/> ++ <feature name='pse'/> ++ 
<feature name='pse36'/> ++ <feature name='rdtscp'/> ++ <feature name='rtm'/> ++ <feature name='sep'/> ++ <feature name='smep'/> ++ <feature name='spec-ctrl'/> ++ <feature name='sse'/> ++ <feature name='sse2'/> ++ <feature name='sse4.1'/> ++ <feature name='sse4.2'/> ++ <feature name='ssse3'/> ++ <feature name='syscall'/> ++ <feature name='tsc'/> ++ <feature name='tsc-deadline'/> ++ <feature name='x2apic'/> ++ <feature name='xsave'/> ++ </model> ++ + <model name='Broadwell-noTSX'> + <signature family='6' model='61'/> + <vendor name='Intel'/> diff --git a/debian/patches/security/cpu-Add-Haswell-noTSX-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-Haswell-noTSX-IBRS-CPU-model.patch new file mode 100644 index 0000000000..518ce709cd --- /dev/null +++ b/debian/patches/security/cpu-Add-Haswell-noTSX-IBRS-CPU-model.patch 
@@ -0,0 +1,87 @@ +From: Jiri Denemark <jdene...@redhat.com> +Date: Tue, 9 Jan 2018 20:40:03 +0100 +Subject: cpu: Add Haswell-noTSX-IBRS CPU model + +This is a variant of Haswell-noTSX with indirect branch prediction +protection. The only difference between Haswell-noTSX and +Haswell-noTSX-IBRS is the added "spec-ctrl" feature. + +The Haswell-noTSX-IBRS model in QEMU is a bit different since +Haswell-noTSX got several additional features since we added it in +cpu_map.xml: + arat, abm, f16c, rdrand, vme, xsaveopt + +Adding them only to the -IBRS variant would confuse our CPU detection +code. + +Signed-off-by: Jiri Denemark <jdene...@redhat.com> +Reviewed-by: Pavel Hrdina <phrd...@redhat.com> +--- + src/cpu/cpu_map.xml | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 54 insertions(+) + +diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml +index 12485f2..ccfab9a 100644 +--- a/src/cpu/cpu_map.xml ++++ b/src/cpu/cpu_map.xml +@@ -1220,6 +1220,60 @@ + <feature name='xsave'/> + </model> + ++ <model name='Haswell-noTSX-IBRS'> ++ <signature family='6' model='60'/> ++ <vendor name='Intel'/> ++ <feature name='aes'/> ++ <feature name='apic'/> ++ <feature name='avx'/> ++ <feature name='avx2'/> ++ <feature name='bmi1'/> ++ <feature name='bmi2'/> ++ <feature name='clflush'/> ++ <feature name='cmov'/> ++ <feature name='cx16'/> ++ <feature name='cx8'/> ++ <feature name='de'/> ++ <feature name='erms'/> ++ <feature name='fma'/> ++ <feature name='fpu'/> ++ <feature name='fsgsbase'/> ++ <feature name='fxsr'/> ++ <feature name='invpcid'/> ++ <feature name='lahf_lm'/> ++ <feature name='lm'/> ++ <feature name='mca'/> ++ <feature name='mce'/> ++ <feature name='mmx'/> ++ <feature name='movbe'/> ++ <feature name='msr'/> ++ <feature name='mtrr'/> ++ <feature name='nx'/> ++ <feature name='pae'/> ++ <feature name='pat'/> ++ <feature name='pcid'/> ++ <feature name='pclmuldq'/> ++ <feature name='pge'/> ++ <feature name='pni'/> ++ <feature name='popcnt'/> ++ <feature 
name='pse'/> ++ <feature name='pse36'/> ++ <feature name='rdtscp'/> ++ <feature name='sep'/> ++ <feature name='smep'/> ++ <feature name='spec-ctrl'/> ++ <feature name='sse'/> ++ <feature name='sse2'/> ++ <feature name='sse4.1'/> ++ <feature name='sse4.2'/> ++ <feature name='ssse3'/> ++ <feature name='syscall'/> ++ <feature name='tsc'/> ++ <feature name='tsc-deadline'/> ++ <feature name='x2apic'/> ++ <feature name='xsave'/> ++ </model> ++ + <model name='Haswell'> + <signature family='6' model='60'/> + <vendor name='Intel'/> diff --git a/debian/patches/security/cpu-Add-IvyBridge-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-IvyBridge-IBRS-CPU-model.patch new file mode 100644 index 0000000000..5022f420d6 --- /dev/null +++ b/debian/patches/security/cpu-Add-IvyBridge-IBRS-CPU-model.patch 
@@ -0,0 +1,82 @@ +From: Jiri Denemark <jdene...@redhat.com> +Date: Mon, 8 Jan 2018 20:53:25 +0100 +Subject: cpu: Add IvyBridge-IBRS CPU model + +This is a variant of IvyBridge with indirect branch prediction +protection. The only difference between IvyBridge and IvyBridge-IBRS is +the added "spec-ctrl" feature. + +The IvyBridge-IBRS model in QEMU is a bit different since IvyBridge got +several additional features since we added it in cpu_map.xml: + arat, vme, xsaveopt + +Adding them only to the -IBRS variant would confuse our CPU detection +code. + +Signed-off-by: Jiri Denemark <jdene...@redhat.com> +Reviewed-by: Pavel Hrdina <phrd...@redhat.com> +--- + src/cpu/cpu_map.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 50 insertions(+) + +diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml +index 4c96193..12485f2 100644 +--- a/src/cpu/cpu_map.xml ++++ b/src/cpu/cpu_map.xml +@@ -1117,6 +1117,56 @@ + <feature name='xsave'/> + </model> + ++ <model name='IvyBridge-IBRS'> ++ <signature family='6' model='58'/> ++ <vendor name='Intel'/> ++ <feature name='aes'/> ++ <feature name='apic'/> ++ <feature name='avx'/> ++ <feature name='clflush'/> ++ <feature name='cmov'/> ++ <feature name='cx16'/> ++ <feature name='cx8'/> ++ <feature name='de'/> ++ <feature name='erms'/> ++ <feature name='f16c'/> ++ <feature name='fpu'/> ++ <feature name='fsgsbase'/> ++ <feature name='fxsr'/> ++ <feature name='lahf_lm'/> ++ <feature name='lm'/> ++ <feature name='mca'/> ++ <feature name='mce'/> ++ <feature name='mmx'/> ++ <feature name='msr'/> ++ <feature name='mtrr'/> ++ <feature name='nx'/> ++ <feature name='pae'/> ++ <feature name='pat'/> ++ <feature name='pclmuldq'/> ++ <feature name='pge'/> ++ <feature name='pni'/> ++ <feature name='popcnt'/> ++ <feature name='pse'/> ++ <feature name='pse36'/> ++ <feature name='rdrand'/> ++ <feature name='rdtscp'/> ++ <feature name='sep'/> ++ <feature name='smep'/> ++ <feature name='spec-ctrl'/> ++ <feature name='sse'/> ++ 
<feature name='sse2'/> ++ <feature name='sse4.1'/> ++ <feature name='sse4.2'/> ++ <feature name='ssse3'/> ++ <feature name='syscall'/> ++ <feature name='tsc'/> ++ <feature name='tsc-deadline'/> ++ <feature name='vme'/> ++ <feature name='x2apic'/> ++ <feature name='xsave'/> ++ </model> ++ + <model name='Haswell-noTSX'> + <signature family='6' model='60'/> + <vendor name='Intel'/> diff --git a/debian/patches/security/cpu-Add-Nehalem-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-Nehalem-IBRS-CPU-model.patch new file mode 100644 index 0000000000..558b8fcddf --- /dev/null +++ b/debian/patches/security/cpu-Add-Nehalem-IBRS-CPU-model.patch 
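Review bot: the commit message says vme is one of the features deliberately left out of IvyBridge-IBRS (together with arat and xsaveopt), yet the hunk contains <feature name='vme'/>. Either the message is stale or the new model diverges from libvirt's existing IvyBridge by vme, which by the message's own reasoning would confuse host CPU detection; please compare against the IvyBridge model already in cpu_map.xml and fix whichever side is wrong before upload.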
@@ -0,0 +1,72 @@ +From: Jiri Denemark <jdene...@redhat.com> +Date: Mon, 8 Jan 2018 20:53:25 +0100 +Subject: cpu: Add Nehalem-IBRS CPU model + +This is a variant of Nehalem with indirect branch prediction protection. +The only difference between Nehalem and Nehalem-IBRS is the added +"spec-ctrl" feature. + +Thus the diff matches QEMU, but the new CPU model itself is different. +The QEMU's versions of both models contain "vme" feature, while this +feature is missing in libvirt's models. While we can't change the +existing Nehalem CPU model, we could add "vme" to Nehalem-IBRS to make +it similar to QEMU, but doing so would fool our CPU detecting code so +that any Nehalem CPU with "vme" feature would be detected as +Nehalem-IBRS CPU without spec-ctrl. Not adding "vme" to Nehalem-IBRS is +safe as QEMU will just provide the feature anyway, which matches what +happens with Nehalem (and new enough machine types). + +Signed-off-by: Jiri Denemark <jdene...@redhat.com> +Reviewed-by: Pavel Hrdina <phrd...@redhat.com> +--- + src/cpu/cpu_map.xml | 37 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 37 insertions(+) + +diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml +index 4c68023..ee3dc06 100644 +--- a/src/cpu/cpu_map.xml ++++ b/src/cpu/cpu_map.xml +@@ -869,6 +869,43 @@ + <feature name='tsc'/> + </model> + ++ <model name='Nehalem-IBRS'> ++ <signature family='6' model='26'/> ++ <vendor name='Intel'/> ++ <feature name='apic'/> ++ <feature name='clflush'/> ++ <feature name='cmov'/> ++ <feature name='cx16'/> ++ <feature name='cx8'/> ++ <feature name='de'/> ++ <feature name='fpu'/> ++ <feature name='fxsr'/> ++ <feature name='lahf_lm'/> ++ <feature name='lm'/> ++ <feature name='mca'/> ++ <feature name='mce'/> ++ <feature name='mmx'/> ++ <feature name='msr'/> ++ <feature name='mtrr'/> ++ <feature name='nx'/> ++ <feature name='pae'/> ++ <feature name='pat'/> ++ <feature name='pge'/> ++ <feature name='pni'/> ++ <feature name='popcnt'/> ++ <feature name='pse'/> ++ <feature 
name='pse36'/> ++ <feature name='sep'/> ++ <feature name='spec-ctrl'/> ++ <feature name='sse'/> ++ <feature name='sse2'/> ++ <feature name='sse4.1'/> ++ <feature name='sse4.2'/> ++ <feature name='ssse3'/> ++ <feature name='syscall'/> ++ <feature name='tsc'/> ++ </model> ++ + <model name='Westmere'> + <signature family='6' model='44'/> + <vendor name='Intel'/> diff --git a/debian/patches/security/cpu-Add-SandyBridge-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-SandyBridge-IBRS-CPU-model.patch new file mode 100644 index 0000000000..26cc566f54 --- /dev/null +++ b/debian/patches/security/cpu-Add-SandyBridge-IBRS-CPU-model.patch 
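Review bot: every -IBRS model in this series adds <feature name='spec-ctrl'/>, but the <feature name='spec-ctrl'> definition (cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000') only shows up as unchanged context in the ssbd patch, and this hunk's base index 4c68023 is not the post-image of any patch in the diff. libvirt refuses to load cpu_map.xml when a model references a feature that is not defined, so the patch defining spec-ctrl (and ibpb) has to sit before this one in series; please include it in the diff or say where it comes from. The index lines also pin the order of the model patches: Nehalem (4c68023..ee3dc06), Westmere (..c6f96a7), SandyBridge (..4c96193), IvyBridge (..12485f2), Haswell-noTSX (..ccfab9a), Haswell (..21b89e9), Broadwell-noTSX (..19d7944), Broadwell (..28c1a1f), Skylake-Client (..ec13299).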
@@ -0,0 +1,76 @@ +From: Jiri Denemark <jdene...@redhat.com> +Date: Mon, 8 Jan 2018 20:53:25 +0100 +Subject: cpu: Add SandyBridge-IBRS CPU model + +This is a variant of SandyBridge with indirect branch prediction +protection. The only difference between SandyBridge and SandyBridge-IBRS +is the added "spec-ctrl" feature. + +The SandyBridge-IBRS model in QEMU is a bit different since SandyBridge +got several additional features since we added it in cpu_map.xml: + arat, vme, xsaveopt + +Adding them only to the -IBRS variant would confuse our CPU detection +code. + +Signed-off-by: Jiri Denemark <jdene...@redhat.com> +Reviewed-by: Pavel Hrdina <phrd...@redhat.com> +--- + src/cpu/cpu_map.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 44 insertions(+) + +diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml +index c6f96a7..4c96193 100644 +--- a/src/cpu/cpu_map.xml ++++ b/src/cpu/cpu_map.xml +@@ -1024,6 +1024,50 @@ + <feature name='xsave'/> + </model> + ++ <model name='SandyBridge-IBRS'> ++ <signature family='6' model='42'/> ++ <vendor name='Intel'/> ++ <feature name='aes'/> ++ <feature name='apic'/> ++ <feature name='avx'/> ++ <feature name='clflush'/> ++ <feature name='cmov'/> ++ <feature name='cx16'/> ++ <feature name='cx8'/> ++ <feature name='de'/> ++ <feature name='fpu'/> ++ <feature name='fxsr'/> ++ <feature name='lahf_lm'/> ++ <feature name='lm'/> ++ <feature name='mca'/> ++ <feature name='mce'/> ++ <feature name='mmx'/> ++ <feature name='msr'/> ++ <feature name='mtrr'/> ++ <feature name='nx'/> ++ <feature name='pae'/> ++ <feature name='pat'/> ++ <feature name='pclmuldq'/> ++ <feature name='pge'/> ++ <feature name='pni'/> ++ <feature name='popcnt'/> ++ <feature name='pse'/> ++ <feature name='pse36'/> ++ <feature name='rdtscp'/> ++ <feature name='sep'/> ++ <feature name='spec-ctrl'/> ++ <feature name='sse'/> ++ <feature name='sse2'/> ++ <feature name='sse4.1'/> ++ <feature name='sse4.2'/> ++ <feature name='ssse3'/> ++ <feature 
name='syscall'/> ++ <feature name='tsc'/> ++ <feature name='tsc-deadline'/> ++ <feature name='x2apic'/> ++ <feature name='xsave'/> ++ </model> ++ + <model name='IvyBridge'> + <signature family='6' model='58'/> + <vendor name='Intel'/> diff --git a/debian/patches/security/cpu-Add-Skylake-Client-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-Skylake-Client-IBRS-CPU-model.patch new file mode 100644 index 0000000000..7f5da76a35 --- /dev/null +++ b/debian/patches/security/cpu-Add-Skylake-Client-IBRS-CPU-model.patch 
@@ -0,0 +1,94 @@ +From: Jiri Denemark <jdene...@redhat.com> +Date: Tue, 9 Jan 2018 21:41:31 +0100 +Subject: cpu: Add Skylake-Client-IBRS CPU model + +This is a variant of Skylake-Client with indirect branch prediction +protection. The only difference between Skylake-Client and +Skylake-Client-IBRS is the added "spec-ctrl" feature. + +Signed-off-by: Jiri Denemark <jdene...@redhat.com> +Reviewed-by: Pavel Hrdina <phrd...@redhat.com> +--- + src/cpu/cpu_map.xml | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 69 insertions(+) + +diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml +index 28c1a1f..ec13299 100644 +--- a/src/cpu/cpu_map.xml ++++ b/src/cpu/cpu_map.xml +@@ -1687,6 +1687,75 @@ + <feature name='xsaveopt'/> + </model> + ++ <model name='Skylake-Client-IBRS'> ++ <signature family='6' model='94'/> ++ <vendor name='Intel'/> ++ <feature name='3dnowprefetch'/> ++ <feature name='abm'/> ++ <feature name='adx'/> ++ <feature name='aes'/> ++ <feature name='apic'/> ++ <feature name='arat'/> ++ <feature name='avx'/> ++ <feature name='avx2'/> ++ <feature name='bmi1'/> ++ <feature name='bmi2'/> ++ <feature name='clflush'/> ++ <feature name='cmov'/> ++ <feature name='cx16'/> ++ <feature name='cx8'/> ++ <feature name='de'/> ++ <feature name='erms'/> ++ <feature name='f16c'/> ++ <feature name='fma'/> ++ <feature name='fpu'/> ++ <feature name='fsgsbase'/> ++ <feature name='fxsr'/> ++ <feature name='hle'/> ++ <feature name='invpcid'/> ++ <feature name='lahf_lm'/> ++ <feature name='lm'/> ++ <feature name='mca'/> ++ <feature name='mce'/> ++ <feature name='mmx'/> ++ <feature name='movbe'/> ++ <feature name='mpx'/> ++ <feature name='msr'/> ++ <feature name='mtrr'/> ++ <feature name='nx'/> ++ <feature name='pae'/> ++ <feature name='pat'/> ++ <feature name='pcid'/> ++ <feature name='pclmuldq'/> ++ <feature name='pge'/> ++ <feature name='pni'/> ++ <feature name='popcnt'/> ++ <feature name='pse'/> ++ <feature name='pse36'/> ++ <feature name='rdrand'/> ++ 
<feature name='rdseed'/> ++ <feature name='rdtscp'/> ++ <feature name='rtm'/> ++ <feature name='sep'/> ++ <feature name='smap'/> ++ <feature name='smep'/> ++ <feature name='spec-ctrl'/> ++ <feature name='sse'/> ++ <feature name='sse2'/> ++ <feature name='sse4.1'/> ++ <feature name='sse4.2'/> ++ <feature name='ssse3'/> ++ <feature name='syscall'/> ++ <feature name='tsc'/> ++ <feature name='tsc-deadline'/> ++ <feature name='vme'/> ++ <feature name='x2apic'/> ++ <feature name='xgetbv1'/> ++ <feature name='xsave'/> ++ <feature name='xsavec'/> ++ <feature name='xsaveopt'/> ++ </model> ++ + <!-- AMD CPUs --> + <model name='athlon'> + <vendor name='AMD'/> diff --git a/debian/patches/security/cpu-Add-Westmere-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-Westmere-IBRS-CPU-model.patch new file mode 100644 index 0000000000..83a342ab31 --- /dev/null +++ b/debian/patches/security/cpu-Add-Westmere-IBRS-CPU-model.patch 
@@ -0,0 +1,70 @@ +From: Jiri Denemark <jdene...@redhat.com> +Date: Mon, 8 Jan 2018 20:53:25 +0100 +Subject: cpu: Add Westmere-IBRS CPU model + +This is a variant of Westmere with indirect branch prediction +protection. The only difference between Westmere and Westmere-IBRS is +the added "spec-ctrl" feature. + +The Westmere-IBRS model in QEMU is a bit different since Westmere got +several additional features since we added it in cpu_map.xml: + arat, pclmuldq, vme + +Adding them only to the -IBRS variant would confuse our CPU detection +code. + +Signed-off-by: Jiri Denemark <jdene...@redhat.com> +Reviewed-by: Pavel Hrdina <phrd...@redhat.com> +--- + src/cpu/cpu_map.xml | 38 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 38 insertions(+) + +diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml +index ee3dc06..c6f96a7 100644 +--- a/src/cpu/cpu_map.xml ++++ b/src/cpu/cpu_map.xml +@@ -943,6 +943,44 @@ + <feature name='tsc'/> + </model> + ++ <model name='Westmere-IBRS'> ++ <signature family='6' model='44'/> ++ <vendor name='Intel'/> ++ <feature name='aes'/> ++ <feature name='apic'/> ++ <feature name='clflush'/> ++ <feature name='cmov'/> ++ <feature name='cx16'/> ++ <feature name='cx8'/> ++ <feature name='de'/> ++ <feature name='fpu'/> ++ <feature name='fxsr'/> ++ <feature name='lahf_lm'/> ++ <feature name='lm'/> ++ <feature name='mca'/> ++ <feature name='mce'/> ++ <feature name='mmx'/> ++ <feature name='msr'/> ++ <feature name='mtrr'/> ++ <feature name='nx'/> ++ <feature name='pae'/> ++ <feature name='pat'/> ++ <feature name='pge'/> ++ <feature name='pni'/> ++ <feature name='popcnt'/> ++ <feature name='pse'/> ++ <feature name='pse36'/> ++ <feature name='sep'/> ++ <feature name='spec-ctrl'/> ++ <feature name='sse'/> ++ <feature name='sse2'/> ++ <feature name='sse4.1'/> ++ <feature name='sse4.2'/> ++ <feature name='ssse3'/> ++ <feature name='syscall'/> ++ <feature name='tsc'/> ++ </model> ++ + <model name='SandyBridge'> + <signature family='6' model='42'/> + 
<vendor name='Intel'/> diff --git a/debian/patches/security/cpu-add-CPU-features-for-indirect-branch-prediction-prote.patch b/debian/patches/security/cpu-add-CPU-features-for-indirect-branch-prediction-prote.patch new file mode 100644 index 0000000000..7b268da568 --- /dev/null +++ b/debian/patches/security/cpu-add-CPU-features-for-indirect-branch-prediction-prote.patch @@ -0,0 +1,39 @@ +From: Paolo Bonzini <pbonz...@redhat.com> +Date: Tue, 12 Dec 2017 16:23:42 +0100 +Subject: cpu: add CPU features for indirect branch prediction protection + +Added in QEMU commits TBD and TBD. + +Signed-off-by: Paolo Bonzini <pbonz...@redhat.com> +Signed-off-by: Jiri Denemark <jdene...@redhat.com> +Reviewed-by: Pavel Hrdina <phrd...@redhat.com> +--- + src/cpu/cpu_map.xml | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml +index 1269eb0..4c68023 100644 +--- a/src/cpu/cpu_map.xml ++++ b/src/cpu/cpu_map.xml +@@ -286,6 +286,9 @@ + <feature name='md-clear'> <!-- md_clear --> + <cpuid eax_in='0x07' edx='0x00000400'/> + </feature> ++ <feature name='spec-ctrl'> ++ <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/> ++ </feature> + + <!-- Processor Extended State Enumeration sub leaf 1 --> + <feature name='xsaveopt'> +@@ -414,6 +417,11 @@ + <cpuid eax_in='0x80000007' edx='0x00000100'/> + </feature> + ++ <!-- More AMD-specific features --> ++ <feature name='ibpb'> ++ <cpuid eax_in='0x80000008' ebx='0x00001000'/> ++ </feature> ++ + <!-- models --> + <model name='486'> + <feature name='fpu'/> diff --git a/debian/patches/security/cpu_map-Define-md-clear-CPUID-bit.patch b/debian/patches/security/cpu_map-Define-md-clear-CPUID-bit.patch new file mode 100644 index 0000000000..2f1ebd75aa --- /dev/null +++ b/debian/patches/security/cpu_map-Define-md-clear-CPUID-bit.patch 
@@ -0,0 +1,28 @@ +From: =?utf-8?q?Guido_G=C3=BCnther?= <a...@sigxcpu.org> +Date: Sun, 9 Jun 2019 13:10:51 +0200 +Subject: cpu_map: Define md-clear CPUID bit + +CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 + +The bit is set when microcode provides the mechanism to invoke a flush +of various exploitable CPU buffers by invoking the VERW instruction. + +This is a backport of upstream commit 538d873571d7a682852dc1d70e5f4478f4d64e85 +--- + src/cpu/cpu_map.xml | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml +index 7d5540a..1269eb0 100644 +--- a/src/cpu/cpu_map.xml ++++ b/src/cpu/cpu_map.xml +@@ -283,6 +283,9 @@ + <feature name='avx512-4fmaps'> + <cpuid eax_in='0x07' edx='0x00000008'/> + </feature> ++ <feature name='md-clear'> <!-- md_clear --> ++ <cpuid eax_in='0x07' edx='0x00000400'/> ++ </feature> + + <!-- Processor Extended State Enumeration sub leaf 1 --> + <feature name='xsaveopt'> diff --git a/debian/patches/series b/debian/patches/series index 75c51eca9b..7ee68c860c 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -27,3 +27,17 @@ qemu-shared-disks-with-cache-directsync-should-be-safe-fo.patch qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch security/CVE-2018-6764-virlog-determine-the-hostname-on-startup.patch +security/cpu_map-Define-md-clear-CPUID-bit.patch +security/cpu-add-CPU-features-for-indirect-branch-prediction-prote.patch +security/cpu-Add-Nehalem-IBRS-CPU-model.patch +security/cpu-Add-Westmere-IBRS-CPU-model.patch +security/cpu-Add-SandyBridge-IBRS-CPU-model.patch +security/cpu-Add-IvyBridge-IBRS-CPU-model.patch +security/cpu-Add-Haswell-noTSX-IBRS-CPU-model.patch +security/cpu-Add-Haswell-IBRS-CPU-model.patch +security/cpu-Add-Broadwell-noTSX-IBRS-CPU-model.patch +security/cpu-Add-Broadwell-IBRS-CPU-model.patch +security/cpu-Add-Skylake-Client-IBRS-CPU-model.patch +cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch +cpu-define-the-virt-ssbd-CPUID-feature-bit-CVE-2018-3639.patch +cpu-add-amd-ssbd-and-amd-no-ssb-CPU-features-CVE-2018-363.patch
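Review bot: in the cpu_map-Define-md-clear-CPUID-bit.patch hunk, the new `md-clear` entry reads `<cpuid eax_in='0x07' edx='0x00000400'/>` without `ecx_in`, while the `spec-ctrl` entry added immediately below it by the next patch in the series spells out the same leaf as `<cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/>`. Both bits live in sub-leaf 0 of leaf 7, so the two definitions should use the same form; suggest `<cpuid eax_in='0x07' ecx_in='0x00' edx='0x00000400'/>` and, since the message says this is a backport of upstream 538d873571d7a682852dc1d70e5f4478f4d64e85, a quick check that the backported line matches the upstream one rather than the older context entries around it.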
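Review bot: the description of cpu-add-CPU-features-for-indirect-branch-prediction-prote.patch still carries the placeholder "Added in QEMU commits TBD and TBD." Since this is going into a stable update, either fill in the QEMU commit ids that introduced `spec-ctrl` and `ibpb` or drop that sentence; as written it tells a reader of the stretch source package nothing about which QEMU version the two new feature names require.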
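Review bot: the Westmere-IBRS hunk deliberately leaves out `arat`, `pclmuldq` and `vme`, which the commit message says QEMU's own Westmere-IBRS model carries, so that the -IBRS variant stays identical to the existing Westmere model apart from `spec-ctrl`. That is the right call for CPU detection, but it means the libvirt model and the QEMU model of the same name differ in a stable release; a short line in the changelog or debian/NEWS saying that the three features were intentionally omitted would save users who diff the two definitions from filing a bug.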
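Review bot: in the debian/patches/series hunk, the three ssbd patches (`cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch`, `cpu-define-the-virt-ssbd-CPUID-feature-bit-CVE-2018-3639.patch`, `cpu-add-amd-ssbd-and-amd-no-ssb-CPU-features-CVE-2018-363.patch`) are added at the top level of debian/patches, while every other CVE patch in this update, including the md-clear, spec-ctrl/ibpb and -IBRS model patches, lives under `security/`. Moving them under `security/` keeps the series consistent and makes the CVE coverage of this upload visible from the directory listing alone. The ordering of the first two new entries is correct as is: the md-clear patch takes cpu_map.xml from 7d5540a to 1269eb0 and the spec-ctrl/ibpb patch starts from 1269eb0, so they apply in the listed sequence.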