diff -Nru libvirt-1.2.2/debian/changelog libvirt-1.2.2/debian/changelog --- libvirt-1.2.2/debian/changelog 2017-09-07 12:22:45.000000000 +0000 +++ libvirt-1.2.2/debian/changelog 2018-02-01 20:00:51.000000000 +0000 @@ -1,3 +1,13 @@ +libvirt (1.2.2-0ubuntu13.1.25) trusty-security; urgency=medium + + * SECURITY UPDATE: Add support for Spectre mitigations + - debian/patches/CVE-2017-5715-ibrs*.patch: add CPU features for + indirect branch prediction protection and add new *-IBRS CPU models. + - debian/control: add Breaks to get updated qemu with new CPU models. + - CVE-2017-5715 + + -- Marc Deslauriers Thu, 01 Feb 2018 15:00:47 -0500 + libvirt (1.2.2-0ubuntu13.1.23) trusty; urgency=medium * d/libvirt-bin.init, d/libvirt-bin.upstart: fix waiting for the libvirt diff -Nru libvirt-1.2.2/debian/control libvirt-1.2.2/debian/control --- libvirt-1.2.2/debian/control 2017-09-06 07:56:41.000000000 +0000 +++ libvirt-1.2.2/debian/control 2018-01-31 14:43:29.000000000 +0000 @@ -76,7 +76,11 @@ parted, pm-utils Suggests: policykit-1 (>= 0.105-3ubuntu3), apparmor, qemu-kvm | qemu (>= 0.9.1), radvd -Breaks: xen-utils-4.1, xen-utils-4.3 +Breaks: + xen-utils-4.1, + xen-utils-4.3, + qemu-kvm (<< 2.0.0+dfsg-2ubuntu1.38~), + qemu (<< 2.0.0+dfsg-2ubuntu1.38~) Conflicts: apparmor (<< 2.8.95~2430-0ubuntu4) Description: programs for the libvirt library Libvirt is a C toolkit to interact with the virtualization capabilities diff -Nru libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-1.patch libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-1.patch --- libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-1.patch 2018-01-25 19:09:43.000000000 +0000 
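Review bot: The new Breaks entries in the debian/control hunk pin `qemu-kvm` and `qemu` below 2.0.0+dfsg-2ubuntu1.38~, but Breaks only bites against packages that are actually installed, and on trusty the emulator binary ships in qemu-system-x86 while qemu and qemu-kvm are, if I read the packaging right, metapackages; a host with only qemu-system-x86 installed would keep an emulator that does not know the *-IBRS models and libvirt would then fail to start a guest configured with one. Consider adding `qemu-system-x86 (<< 2.0.0+dfsg-2ubuntu1.38~)` next to the two existing entries. It is also worth stating in the changelog that the pinned qemu is necessary but not sufficient: spec-ctrl is only exposed to guests when the host kernel and CPU microcode provide it, so the new models do not by themselves mitigate CVE-2017-5715 on an unpatched host.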
@@ -0,0 +1,43 @@ +Backport of: + +From 8b605530e80a13b44d8a05f5718a3edab18d3ff5 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 12 Dec 2017 16:23:42 +0100 +Subject: [PATCH] cpu: add CPU features for indirect branch prediction + protection + +Added in QEMU commits TBD and TBD. + +Signed-off-by: Paolo Bonzini +Signed-off-by: Jiri Denemark +Reviewed-by: Pavel Hrdina +--- + src/cpu/cpu_map.xml | 8 ++++++++ + 1 file changed, 8 insertions(+) + +Index: libvirt-1.2.2/src/cpu/cpu_map.xml +=================================================================== +--- libvirt-1.2.2.orig/src/cpu/cpu_map.xml 2018-01-25 14:09:41.062210162 -0500 ++++ libvirt-1.2.2/src/cpu/cpu_map.xml 2018-01-25 14:09:41.058210156 -0500 +@@ -287,6 +287,9 @@ + + + ++ ++ ++ + + + +@@ -327,6 +330,11 @@ + + + ++ ++ ++ ++ ++ + + + diff -Nru libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-2.patch libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-2.patch --- libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-2.patch 2018-01-25 19:12:25.000000000 +0000 
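Review bot: The backported patch header keeps upstream's placeholder `Added in QEMU commits TBD and TBD.`; for a security update the header should name the actual QEMU commits, or at least the Ubuntu qemu version 2.0.0+dfsg-2ubuntu1.38 that debian/control now requires, so the feature-bit definitions can be cross-checked later. The XML body of the hunk is not legible in this rendering, so the CPUID leaf, register and bit encodings of the added features cannot be reviewed here; since upstream 8b605530 targets a newer cpu_map.xml than 1.2.2's, confirm the `<cpuid>` attribute syntax was adapted to what the 1.2.2 parser accepts rather than copied verbatim, as a silently ignored or misparsed entry would leave the feature undetected on the host. A quick check that `virsh capabilities` on an IBRS-capable host lists the new feature would pin this.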
@@ -0,0 +1,43 @@ +Backport of: + +From 6b7e7d1cc24a28a9f5ece8626f807189647d14b4 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark +Date: Mon, 8 Jan 2018 20:53:25 +0100 +Subject: [PATCH] cpu: Add Nehalem-IBRS CPU model + +This is a variant of Nehalem with indirect branch prediction protection. +The only difference between Nehalem and Nehalem-IBRS is the added +"spec-ctrl" feature. + +Thus the diff matches QEMU, but the new CPU model itself is different. +The QEMU's versions of both models contain "vme" feature, while this +feature is missing in libvirt's models. While we can't change the +existing Nehalem CPU model, we could add "vme" to Nehalem-IBRS to make +it similar to QEMU, but doing so would fool our CPU detecting code so +that any Nehalem CPU with "vme" feature would be detected as +Nehalem-IBRS CPU without spec-ctrl. Not adding "vme" to Nehalem-IBRS is +safe as QEMU will just provide the feature anyway, which matches what +happens with Nehalem (and new enough machine types). + +Signed-off-by: Jiri Denemark +Reviewed-by: Pavel Hrdina +--- + src/cpu/cpu_map.xml | 37 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 37 insertions(+) + +Index: libvirt-1.2.2/src/cpu/cpu_map.xml +=================================================================== +--- libvirt-1.2.2.orig/src/cpu/cpu_map.xml 2018-01-25 14:11:48.602367288 -0500 ++++ libvirt-1.2.2/src/cpu/cpu_map.xml 2018-01-25 14:12:14.966399008 -0500 +@@ -488,6 +488,11 @@ + + + ++ ++ ++ ++ ++ + + + diff -Nru libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-3.patch libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-3.patch --- libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-3.patch 2018-01-25 19:12:51.000000000 +0000 
@@ -0,0 +1,40 @@ +Backport of: + +From 2e3b220a874e558e54678afd7cf49466fe605e09 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark +Date: Mon, 8 Jan 2018 20:53:25 +0100 +Subject: [PATCH] cpu: Add Westmere-IBRS CPU model + +This is a variant of Westmere with indirect branch prediction +protection. The only difference between Westmere and Westmere-IBRS is +the added "spec-ctrl" feature. + +The Westmere-IBRS model in QEMU is a bit different since Westmere got +several additional features since we added it in cpu_map.xml: + arat, pclmuldq, vme + +Adding them only to the -IBRS variant would confuse our CPU detection +code. + +Signed-off-by: Jiri Denemark +Reviewed-by: Pavel Hrdina +--- + src/cpu/cpu_map.xml | 38 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 38 insertions(+) + +Index: libvirt-1.2.2/src/cpu/cpu_map.xml +=================================================================== +--- libvirt-1.2.2.orig/src/cpu/cpu_map.xml 2018-01-25 14:12:26.630412968 -0500 ++++ libvirt-1.2.2/src/cpu/cpu_map.xml 2018-01-25 14:12:46.738436930 -0500 +@@ -498,6 +498,11 @@ + + + ++ ++ ++ ++ ++ + + + diff -Nru libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-4.patch libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-4.patch --- libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-4.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-4.patch 2018-01-25 19:13:07.000000000 +0000 
@@ -0,0 +1,40 @@ +Backport of: + +From 30b381cfdd5e92e5afa6de09f0fe533353e71d07 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark +Date: Mon, 8 Jan 2018 20:53:25 +0100 +Subject: [PATCH] cpu: Add SandyBridge-IBRS CPU model + +This is a variant of SandyBridge with indirect branch prediction +protection. The only difference between SandyBridge and SandyBridge-IBRS +is the added "spec-ctrl" feature. + +The SandyBridge-IBRS model in QEMU is a bit different since SandyBridge +got several additional features since we added it in cpu_map.xml: + arat, vme, xsaveopt + +Adding them only to the -IBRS variant would confuse our CPU detection +code. + +Signed-off-by: Jiri Denemark +Reviewed-by: Pavel Hrdina +--- + src/cpu/cpu_map.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 44 insertions(+) + +Index: libvirt-1.2.2/src/cpu/cpu_map.xml +=================================================================== +--- libvirt-1.2.2.orig/src/cpu/cpu_map.xml 2018-01-25 14:12:52.758444079 -0500 ++++ libvirt-1.2.2/src/cpu/cpu_map.xml 2018-01-25 14:12:52.754444074 -0500 +@@ -513,6 +513,11 @@ + + + ++ ++ ++ ++ ++ + + + diff -Nru libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-7.patch libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-7.patch --- libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-7.patch 1970-01-01 00:00:00.000000000 +0000 +++ libvirt-1.2.2/debian/patches/CVE-2017-5715-ibrs-7.patch 2018-01-25 19:15:52.000000000 +0000 
@@ -0,0 +1,40 @@ +Backport of: + +From 7f83eefa9e6940c83579d31941efd07fab1b90c8 Mon Sep 17 00:00:00 2001 +From: Jiri Denemark +Date: Mon, 8 Jan 2018 20:53:25 +0100 +Subject: [PATCH] cpu: Add Haswell-IBRS CPU model + +This is a variant of Haswell with indirect branch prediction protection. +The only difference between Haswell and Haswell-IBRS is the added +"spec-ctrl" feature. + +The Haswell-IBRS model in QEMU is a bit different since Haswell got +several additional features since we added it in cpu_map.xml: + arat, abm, f16c, rdrand, vme, xsaveopt + +Adding them only to the -IBRS variant would confuse our CPU detection +code. + +Signed-off-by: Jiri Denemark +Reviewed-by: Pavel Hrdina +--- + src/cpu/cpu_map.xml | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +Index: libvirt-1.2.2/src/cpu/cpu_map.xml +=================================================================== +--- libvirt-1.2.2.orig/src/cpu/cpu_map.xml 2018-01-25 14:15:10.610604971 -0500 ++++ libvirt-1.2.2/src/cpu/cpu_map.xml 2018-01-25 14:15:43.086642177 -0500 +@@ -534,6 +534,11 @@ + + + ++ ++ ++ ++ ++ + + + diff -Nru libvirt-1.2.2/debian/patches/series libvirt-1.2.2/debian/patches/series --- libvirt-1.2.2/debian/patches/series 2017-09-07 06:21:11.000000000 +0000 +++ libvirt-1.2.2/debian/patches/series 2018-01-25 19:15:04.000000000 +0000 @@ -52,3 +52,8 @@ fix-util-don-t-fail-if-no-portdata-is-found.patch reject-blockcommit-of-active-layer.patch virt-aa-helper-add-trusty-guest-agent-rule.patch +CVE-2017-5715-ibrs-1.patch +CVE-2017-5715-ibrs-2.patch +CVE-2017-5715-ibrs-3.patch +CVE-2017-5715-ibrs-4.patch +CVE-2017-5715-ibrs-7.patch
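Review bot: The series hunk jumps from CVE-2017-5715-ibrs-4.patch to CVE-2017-5715-ibrs-7.patch with nothing recording why 5 and 6 are absent; presumably upstream's intermediate models have no base model in 1.2.2 and were deliberately dropped, but that should be stated in the changelog entry or a patch header so a later reviewer does not assume two patches were lost. As far as I can see, Haswell-IBRS is the newest -IBRS model this backport provides, so guests on newer hosts can only obtain spec-ctrl via Haswell-IBRS, explicit features, or host-model/host-passthrough, which deserves a sentence in the changelog. Note also that adding models to cpu_map.xml changes nothing for running or existing guests: each domain XML must be switched to an -IBRS model and the guest restarted before it receives spec-ctrl, and once switched it can no longer migrate to a host whose microcode lacks the feature.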