Here we go - attached is the relevant patch - extracted from the opensuse src.rpm.
Greets, Stefan Am 04.01.2018 um 19:37 schrieb Alexandre DERUMIER: > seem that for spectre, cpumodel=qemu64|kvm64 is ok. > > but not for the 2 others cve > > On 04/01/2018 19:13, Alexandre DERUMIER wrote: >> Thanks Paolo ! >> >> Do we need to update guest kernel too, if qemu use cpumodel=qemu64 ? >> >> (For example, I have some very old guests where kernel update is not >> possible) > > If you want to be protected against the other two CVEs (one of which is > "Meltdown"), yes. > > Paolo > > > ----- Mail original ----- > De: "Stefan Priebe, Profihost AG" <s.pri...@profihost.ag> > À: "pve-devel" <pve-devel@pve.proxmox.com> > Envoyé: Jeudi 4 Janvier 2018 19:25:44 > Objet: Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre? > > Thanks! But that means we can update the kernel on the host which makes the > host and vm jumping safe BUT multi user guests are still vulnerable as long > as there are no qemu patches even if the guest has a current kernel. > > Greets, > Stefan > > Excuse my typo sent from my mobile phone. > >> Am 04.01.2018 um 19:09 schrieb Alexandre DERUMIER <aderum...@odiso.com>: >> >> From Paolo bonzini on qemu-devel >> >> -- >> _posts/ 2018-01-04 -spectre.md | 60 >> ++++++++++++++++++++++++++++++++++++++++++++ >> 1 file changed, 60 insertions(+) >> create mode 100644 _posts/ 2018-01-04 -spectre.md >> >> diff --git a/_posts/ 2018-01-04 -spectre.md b/_posts/ 2018-01-04 -spectre.md >> new file mode 100644 >> index 0000000..1be86d0 >> --- /dev/null >> +++ b/_posts/ 2018-01-04 -spectre.md >> @@ -0,0 +1,60 @@ >> +--- >> +layout: post >> +title: "QEMU and the Spectre and Meltdown attacks" >> +date: 2018-01-04 18:00:00 +0000 >> +author: Paolo Bonzini and Eduardo Habkost >> +categories: [meltdown, spectre, security, x86] >> +--- >> +As you probably know by now, three critical architectural flaws in CPUs >> have >> +been recently disclosed that allow user processes to read kernel or >> hypervisor >> +memory through cache side-channel attacks. These flaws, collectively >> +named _Meltdown_ and _Spectre_, affect in one way or another almost >> +all processors that perform out-of-order execution, including x86 (from >> +Intel and AMD), POWER, s390 and ARM processors. >> + >> +No microcode updates are required to block the _Meltdown_ attack; it is >> +enough to update the guest operating system to a version that separates >> +the user and kernel address spaces (known as _page table isolation_ for >> +the Linux kernel). Therefore, this post will focus on _Spectre_, and >> +especially on [CVE-2017-5715]( [ >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 | >> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 ] ). >> + >> +Fixing or mitigating _Spectre_ in general, and CVE-2017-5715 in particular, >> +requires cooperation between the processor and the operating system kernel >> or >> +hypervisor; the processor can be updated through microcode or millicode >> +patches to provide the required functionality. CVE-2017-5715 allows guests >> +to read potentially sensitive data from hypervisor memory; however, >> __patching >> +the host kernel is sufficient to block this attack__. >> + >> +On the other hand, in order to protect the guest kernel from a malicious >> +userspace, updates are also needed to the guest kernel and, depending on >> +the processor architecture, to QEMU. Just like on bare-metal, the guest >> +kernel will use the new functionality provided by the microcode or >> millicode >> +updates. When running under a hypervisor, processor emulation is mostly out >> of >> +QEMU's scope, so QEMU's role in the fix is small, but nevertheless >> important. >> +In the case of KVM: >> + >> +* QEMU configures the hypervisor to emulate a specific processor model. >> +For x86, QEMU has to be aware of new CPUID bits introduced by the microcode >> +update, and it must provide them to guests depending on how the guest is >> +configured. >> + >> +* upon virtual machine migration, QEMU reads the CPU state on the source >> +and transmits it to the destination. For x86, QEMU has to be aware of new >> +model specific registers (MSRs). >> + >> +Right now, there are no public patches to KVM that expose the new CPUID >> bits >> +and MSRs to the virtual machines, therefore there is no urgent need to >> update >> +QEMU; remember that __updating the host kernel is enough to protect the >> +host from malicious guests__. Nevertheless, updates will be posted to the >> +qemu-devel mailing list in the next few days, and a 2.11.1 patch release >> +will be released with the fix. >> + >> +As of today, the QEMU project is not aware of whether similar changes will >> +be required for non-x86 processors. If so, they will also posted to the >> +mailing list and backported to recent stable releases. >> + >> +For more information on the vulnerabilities, please refer to the [Google >> Security >> +Blog]( [ >> https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html >> | >> https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html >> ] ) >> +and [Google Project >> +Zero]( [ >> https://googleprojectzero.blogspot.it/2018/01/reading-privileged-memory-with-side.html >> | >> https://googleprojectzero.blogspot.it/2018/01/reading-privileged-memory-with-side.html >> ] ) >> +posts on the topic, as well as the [Spectre and Meltdown FAQ]( [ >> https://meltdownattack.com/#faq | https://meltdownattack.com/#faq ] ). >> -- >> 2.14.3 >> >> Alexandre Derumier >> Ingénieur système et stockage >> >> Manager Infrastructure >> >> >> Fixe : +33 3 59 82 20 10 >> >> >> >> 125 Avenue de la république >> 59110 La Madeleine >> [ https://twitter.com/OdisoHosting ] [ https://twitter.com/mindbaz ] [ >> https://www.linkedin.com/company/odiso ] [ >> https://www.viadeo.com/fr/company/odiso ] [ >> https://www.facebook.com/monsiteestlent ] >> >> [ https://www.monsiteestlent.com/ | MonSiteEstLent.com ] - Blog dédié à la >> webperformance et la gestion de pics de trafic >> >> ----- Mail original ----- >> De: "Fabian Grünbichler" <f.gruenbich...@proxmox.com> >> À: "pve-devel" <pve-devel@pve.proxmox.com> >> Envoyé: Jeudi 4 Janvier 2018 09:50:04 >> Objet: Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre? >> >>> On Thu, Jan 04, 2018 at 07:17:54AM +0100, Stefan Priebe - Profihost AG >>> wrote: >>> Hello, >>> >>> as far as i can see at least SuSE updated qemu for Meltdown and Spectre >>> to provide CPUID information to the guest. >>> >>> I think we need to patch qemu as well asap? Has anybody found the >>> relevant patches? >>> >>> https://www.pro-linux.de/sicherheit/2/41859/preisgabe-von-informationen-in-qemu.html >>> >>> >>> Greets, >>> Stefan >> >> there seem to be no public (qemu) patches yet, once there are, we will >> review and include them. >> >> _______________________________________________ >> pve-devel mailing list >> pve-devel@pve.proxmox.com >> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel >> >> _______________________________________________ >> pve-devel mailing list >> pve-devel@pve.proxmox.com >> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > _______________________________________________ > pve-devel mailing list > pve-devel@pve.proxmox.com > https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > > _______________________________________________ > pve-devel mailing list > pve-devel@pve.proxmox.com > https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > _______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
