diff -Nru libvirt-2.5.0/debian/changelog libvirt-2.5.0/debian/changelog
--- libvirt-2.5.0/debian/changelog 2018-01-23 15:34:45.000000000 +0000
+++ libvirt-2.5.0/debian/changelog 2018-02-09 02:27:05.000000000 +0000
@@ -1,3 +1,13 @@
+libvirt (2.5.0-3ubuntu5.6~cloud2) xenial-ocata; urgency=medium
+
+ * SECURITY UPDATE: Add support for Spectre mitigations
+ - debian/patches/CVE-2017-5715-ibrs*.patch: add CPU features for
+ indirect branch prediction protection and add new *-IBRS CPU models.
+ - debian/control: add Breaks to get updated qemu with new CPU models.
+ - CVE-2017-5715
+
+ -- Corey Bryant Thu, 08 Feb 2018 21:27:05 -0500
+
 libvirt (2.5.0-3ubuntu5.6~cloud1) xenial-ocata; urgency=medium
 
 * d/p/ubuntu/0001-gnutls-use-AC_CHECK_FUNCS.patch,
diff -Nru libvirt-2.5.0/debian/control libvirt-2.5.0/debian/control
--- libvirt-2.5.0/debian/control 2017-11-06 15:26:39.000000000 +0000
+++ libvirt-2.5.0/debian/control 2018-02-09 02:26:48.000000000 +0000
@@ -87,6 +87,9 @@
 libvirt-clients (>= ${binary:Version}),
 Section: oldlibs
 Priority: extra
+Breaks:
+ qemu-kvm (<< 1:2.8+dfsg-3ubuntu2.9~cloud2),
+ qemu (<< 1:2.8+dfsg-3ubuntu2.9~cloud2),
 Description: programs for the libvirt library
 Libvirt is a C toolkit to interact with the virtualization capabilities
 of recent versions of Linux (and other OSes). The library aims at providing
diff -Nru libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-10.patch libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-10.patch
--- libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-10.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-10.patch 2018-02-09 02:20:05.000000000 +0000
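Review bot: The new `Breaks:` on qemu-kvm/qemu is placed in the stanza marked `Section: oldlibs`, whose `Package:` header is outside the hunk; if that stanza is a transitional package, the floor `<< 1:2.8+dfsg-3ubuntu2.9~cloud2` is only enforced on hosts that still have it installed, and a host running only the current daemon packages can keep a qemu that has no `spec-ctrl` feature or `*-IBRS` model names, so a guest configured with one of the new models would presumably fail to start. If the placement is intentional, a one-line remark in the changelog entry saying why would save the next uploader re-checking; otherwise the same `Breaks:` belongs on the package that ships the qemu driver. The changelog could also state that the new models only pass the mitigation to guests once host microcode and the updated qemu provide it, so operators know the upgrade is not self-contained.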
@@ -0,0 +1,97 @@
+Backport of:
+
+From b2042020c32b74069fa5365b5e966537aaba8cf6 Mon Sep 17 00:00:00 2001
+From: Jiri Denemark
+Date: Tue, 9 Jan 2018 21:41:31 +0100
+Subject: [PATCH] cpu: Add Skylake-Client-IBRS CPU model
+
+This is a variant of Skylake-Client with indirect branch prediction
+protection. The only difference between Skylake-Client and
+Skylake-Client-IBRS is the added "spec-ctrl" feature.
+
+Signed-off-by: Jiri Denemark
+Reviewed-by: Pavel Hrdina
+---
+ src/cpu/cpu_map.xml | 69 ++++++++++++++++++++++
+ .../x86_64-cpuid-Xeon-E5-2623-v4-guest.xml | 3 +-
+ .../x86_64-cpuid-Xeon-E5-2623-v4-json.xml | 3 +-
+ 3 files changed, 71 insertions(+), 4 deletions(-)
+
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -1655,6 +1655,75 @@
+ 
+ 
+ 
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
+ 
+ 
+ 
diff -Nru libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-1.patch libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-1.patch
--- libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-1.patch 2018-02-09 02:05:54.000000000 +0000
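Review bot: None of the ten new patch files carries a DEP-3 header (`Origin:`, `Bug-Ubuntu:`, `Applied-Upstream:`), and the three prefixed `Backport of:` (this ibrs-10, plus ibrs-6 and ibrs-9) keep the upstream diffstat naming `.../x86_64-cpuid-Xeon-E5-2623-v4-guest.xml` and `-json.xml` test files that the backported body does not touch, so the header overstates what the patch changes. Suggest replacing the bare `Backport of:` line with a DEP-3 block such as `Origin: backport, <upstream commit URL for b2042020c32b74069fa5365b5e966537aaba8cf6>` followed by a `Bug-Ubuntu:` line, and trimming the diffstat to the `src/cpu/cpu_map.xml` entry actually carried; ibrs-1 through ibrs-9 would get the same `Origin:` treatment with their own hashes.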
@@ -0,0 +1,39 @@
+From 8b605530e80a13b44d8a05f5718a3edab18d3ff5 Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini
+Date: Tue, 12 Dec 2017 16:23:42 +0100
+Subject: [PATCH] cpu: add CPU features for indirect branch prediction
+ protection
+
+Added in QEMU commits TBD and TBD.
+
+Signed-off-by: Paolo Bonzini
+Signed-off-by: Jiri Denemark
+Reviewed-by: Pavel Hrdina
+---
+ src/cpu/cpu_map.xml | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -268,6 +268,9 @@
+ 
+ 
+ 
++
++
++
+ 
+ 
+ 
+@@ -382,6 +385,11 @@
+ 
+ 
+ 
++
++
++
++
++
+ 
+ 
+ 
diff -Nru libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-2.patch libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-2.patch
--- libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-2.patch 2018-02-09 02:05:59.000000000 +0000
@@ -0,0 +1,71 @@
+From 6b7e7d1cc24a28a9f5ece8626f807189647d14b4 Mon Sep 17 00:00:00 2001
+From: Jiri Denemark
+Date: Mon, 8 Jan 2018 20:53:25 +0100
+Subject: [PATCH] cpu: Add Nehalem-IBRS CPU model
+
+This is a variant of Nehalem with indirect branch prediction protection.
+The only difference between Nehalem and Nehalem-IBRS is the added
+"spec-ctrl" feature.
+
+Thus the diff matches QEMU, but the new CPU model itself is different.
+The QEMU's versions of both models contain "vme" feature, while this
+feature is missing in libvirt's models. While we can't change the
+existing Nehalem CPU model, we could add "vme" to Nehalem-IBRS to make
+it similar to QEMU, but doing so would fool our CPU detecting code so
+that any Nehalem CPU with "vme" feature would be detected as
+Nehalem-IBRS CPU without spec-ctrl. Not adding "vme" to Nehalem-IBRS is
+safe as QEMU will just provide the feature anyway, which matches what
+happens with Nehalem (and new enough machine types).
+
+Signed-off-by: Jiri Denemark
+Reviewed-by: Pavel Hrdina
+---
+ src/cpu/cpu_map.xml | 37 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -837,6 +837,43 @@
+ 
+ 
+ 
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
+ 
+ 
+ 
diff -Nru libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-3.patch libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-3.patch
--- libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-3.patch 2018-02-09 02:06:02.000000000 +0000
@@ -0,0 +1,69 @@
+From 2e3b220a874e558e54678afd7cf49466fe605e09 Mon Sep 17 00:00:00 2001
+From: Jiri Denemark
+Date: Mon, 8 Jan 2018 20:53:25 +0100
+Subject: [PATCH] cpu: Add Westmere-IBRS CPU model
+
+This is a variant of Westmere with indirect branch prediction
+protection. The only difference between Westmere and Westmere-IBRS is
+the added "spec-ctrl" feature.
+
+The Westmere-IBRS model in QEMU is a bit different since Westmere got
+several additional features since we added it in cpu_map.xml:
+ arat, pclmuldq, vme
+
+Adding them only to the -IBRS variant would confuse our CPU detection
+code.
+
+Signed-off-by: Jiri Denemark
+Reviewed-by: Pavel Hrdina
+---
+ src/cpu/cpu_map.xml | 38 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -911,6 +911,44 @@
+ 
+ 
+ 
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
+ 
+ 
+ 
diff -Nru libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-4.patch libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-4.patch
--- libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-4.patch 2018-02-09 02:06:05.000000000 +0000
@@ -0,0 +1,75 @@
+From 30b381cfdd5e92e5afa6de09f0fe533353e71d07 Mon Sep 17 00:00:00 2001
+From: Jiri Denemark
+Date: Mon, 8 Jan 2018 20:53:25 +0100
+Subject: [PATCH] cpu: Add SandyBridge-IBRS CPU model
+
+This is a variant of SandyBridge with indirect branch prediction
+protection. The only difference between SandyBridge and SandyBridge-IBRS
+is the added "spec-ctrl" feature.
+
+The SandyBridge-IBRS model in QEMU is a bit different since SandyBridge
+got several additional features since we added it in cpu_map.xml:
+ arat, vme, xsaveopt
+
+Adding them only to the -IBRS variant would confuse our CPU detection
+code.
+
+Signed-off-by: Jiri Denemark
+Reviewed-by: Pavel Hrdina
+---
+ src/cpu/cpu_map.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 44 insertions(+)
+
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -992,6 +992,50 @@
+ 
+ 
+ 
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
+ 
+ 
+ 
diff -Nru libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-5.patch libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-5.patch
--- libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-5.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-5.patch 2018-02-09 02:08:38.000000000 +0000
@@ -0,0 +1,81 @@
+From 203c92e9cc2db854199b39ef3ffcc10406d3c59e Mon Sep 17 00:00:00 2001
+From: Jiri Denemark
+Date: Mon, 8 Jan 2018 20:53:25 +0100
+Subject: [PATCH] cpu: Add IvyBridge-IBRS CPU model
+
+This is a variant of IvyBridge with indirect branch prediction
+protection. The only difference between IvyBridge and IvyBridge-IBRS is
+the added "spec-ctrl" feature.
+
+The IvyBridge-IBRS model in QEMU is a bit different since IvyBridge got
+several additional features since we added it in cpu_map.xml:
+ arat, vme, xsaveopt
+
+Adding them only to the -IBRS variant would confuse our CPU detection
+code.
+
+Signed-off-by: Jiri Denemark
+Reviewed-by: Pavel Hrdina
+---
+ src/cpu/cpu_map.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -1085,6 +1085,56 @@
+ 
+ 
+ 
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
+ 
+ 
+ 
diff -Nru libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-6.patch libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-6.patch
--- libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-6.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-6.patch 2018-02-09 02:10:54.000000000 +0000
@@ -0,0 +1,91 @@
+Backport of:
+
+From 7dd85ff62d7080b52d4d175f53ad5eb11cdcfb9c Mon Sep 17 00:00:00 2001
+From: Jiri Denemark
+Date: Tue, 9 Jan 2018 20:40:03 +0100
+Subject: [PATCH] cpu: Add Haswell-noTSX-IBRS CPU model
+
+This is a variant of Haswell-noTSX with indirect branch prediction
+protection. The only difference between Haswell-noTSX and
+Haswell-noTSX-IBRS is the added "spec-ctrl" feature.
+
+The Haswell-noTSX-IBRS model in QEMU is a bit different since
+Haswell-noTSX got several additional features since we added it in
+cpu_map.xml:
+ arat, abm, f16c, rdrand, vme, xsaveopt
+
+Adding them only to the -IBRS variant would confuse our CPU detection
+code.
+
+Signed-off-by: Jiri Denemark
+Reviewed-by: Pavel Hrdina
+---
+ src/cpu/cpu_map.xml | 54 ++++++++++++++++++++++
+ .../x86_64-cpuid-Xeon-E5-2609-v3-guest.xml | 3 +-
+ .../x86_64-cpuid-Xeon-E5-2609-v3-host.xml | 3 +-
+ .../x86_64-cpuid-Xeon-E5-2609-v3-json.xml | 3 +-
+ 4 files changed, 57 insertions(+), 6 deletions(-)
+
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -1188,6 +1188,60 @@
+ 
+ 
+ 
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
+ 
+ 
+ 
diff -Nru libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-7.patch libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-7.patch
--- libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-7.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-7.patch 2018-02-09 02:14:19.000000000 +0000
@@ -0,0 +1,87 @@
+From 7f83eefa9e6940c83579d31941efd07fab1b90c8 Mon Sep 17 00:00:00 2001
+From: Jiri Denemark
+Date: Mon, 8 Jan 2018 20:53:25 +0100
+Subject: [PATCH] cpu: Add Haswell-IBRS CPU model
+
+This is a variant of Haswell with indirect branch prediction protection.
+The only difference between Haswell and Haswell-IBRS is the added
+"spec-ctrl" feature.
+
+The Haswell-IBRS model in QEMU is a bit different since Haswell got
+several additional features since we added it in cpu_map.xml:
+ arat, abm, f16c, rdrand, vme, xsaveopt
+
+Adding them only to the -IBRS variant would confuse our CPU detection
+code.
+
+Signed-off-by: Jiri Denemark
+Reviewed-by: Pavel Hrdina
+---
+ src/cpu/cpu_map.xml | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -1297,6 +1297,62 @@
+ 
+ 
+ 
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
+ 
+ 
+ 
diff -Nru libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-8.patch libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-8.patch
--- libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-8.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-8.patch 2018-02-09 02:16:46.000000000 +0000
@@ -0,0 +1,90 @@
+From 49bffcb3cc1850d332b9648c686a7be18de9e708 Mon Sep 17 00:00:00 2001
+From: Jiri Denemark
+Date: Mon, 8 Jan 2018 20:53:25 +0100
+Subject: [PATCH] cpu: Add Broadwell-noTSX-IBRS CPU model
+
+This is a variant of Broadwell-noTSX with indirect branch prediction
+protection. The only difference between Broadwell-noTSX and
+Broadwell-noTSX-IBRS is the added "spec-ctrl" feature.
+
+The Broadwell-noTSX-IBRS model in QEMU is a bit different since
+Broadwell-noTSX got several additional features since we added it in
+cpu_map.xml:
+ abm, arat, f16c, rdrand, vme, xsaveopt
+
+Adding them only to the -IBRS variant would confuse our CPU detection
+code.
+
+Signed-off-by: Jiri Denemark
+Reviewed-by: Pavel Hrdina
+---
+ src/cpu/cpu_map.xml | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 58 insertions(+)
+
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -1410,6 +1410,64 @@
+ 
+ 
+ 
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
+ 
+ 
+ 
diff -Nru libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-9.patch libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-9.patch
--- libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-9.patch 1970-01-01 00:00:00.000000000 +0000
+++ libvirt-2.5.0/debian/patches/CVE-2017-5715-ibrs-9.patch 2018-02-09 02:19:00.000000000 +0000
@@ -0,0 +1,96 @@
+Backport of:
+
+From 7bb4ce9761dfbd1620ddffb26fbd6f0ff1fedf3f Mon Sep 17 00:00:00 2001
+From: Jiri Denemark
+Date: Tue, 9 Jan 2018 21:36:28 +0100
+Subject: [PATCH] cpu: Add Broadwell-IBRS CPU model
+
+This is a variant of Broadwell with indirect branch prediction
+protection. The only difference between Broadwell and Broadwell-IBRS is
+the added "spec-ctrl" feature.
+
+The Broadwell-IBRS model in QEMU is a bit different since Broadwell got
+several additional features since we added it in cpu_map.xml:
+ abm, arat, f16c, rdrand, vme, xsaveopt
+
+Adding them only to the -IBRS variant would confuse our CPU detection
+code.
+
+Signed-off-by: Jiri Denemark
+Reviewed-by: Pavel Hrdina
+---
+ src/cpu/cpu_map.xml | 60 ++++++++++++++++++++++
+ .../x86_64-cpuid-Core-i7-5600U-ibrs-guest.xml | 3 +-
+ .../x86_64-cpuid-Core-i7-5600U-ibrs-host.xml | 3 +-
+ .../x86_64-cpuid-Xeon-E5-2623-v4-host.xml | 3 +-
+ 4 files changed, 63 insertions(+), 6 deletions(-)
+
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -1527,6 +1527,66 @@
+ 
+ 
+ 
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
++
+ 
+ 
+ 
diff -Nru libvirt-2.5.0/debian/patches/series libvirt-2.5.0/debian/patches/series
--- libvirt-2.5.0/debian/patches/series 2018-01-23 15:34:45.000000000 +0000
+++ libvirt-2.5.0/debian/patches/series 2018-02-09 02:27:05.000000000 +0000
@@ -71,3 +71,13 @@
 storage-Don-t-pass-iso-format-to-qemu-img.patch
 ubuntu/0001-gnutls-use-AC_CHECK_FUNCS.patch
 ubuntu/0002-gnutls-properly-backup-CFLAGS-and-LIBS.patch
+CVE-2017-5715-ibrs-1.patch
+CVE-2017-5715-ibrs-2.patch
+CVE-2017-5715-ibrs-3.patch
+CVE-2017-5715-ibrs-4.patch
+CVE-2017-5715-ibrs-5.patch
+CVE-2017-5715-ibrs-6.patch
+CVE-2017-5715-ibrs-7.patch
+CVE-2017-5715-ibrs-8.patch
+CVE-2017-5715-ibrs-9.patch
+CVE-2017-5715-ibrs-10.patch