Re: [Qemu-devel] CVE-2017-5715: relevant qemu patches

[Paolo Bonzini]

On 04/01/2018 09:35, Alexandre DERUMIER wrote:
>>> So you need: 
>>> 1.) intel / amd cpu microcode update 
>>> 2.) qemu update to pass the new MSR and CPU flags from the microcode update 
>>> 3.) host kernel update 
>>> 4.) guest kernel update 
> 
> are you sure we need to patch guest kernel if we are able to patch qemu ?

Patching the guest kernel is only required to protect the guest kernel
from guest usermode.

> If I understand, patching the host kernel, should avoid that a vm is reading 
> memory of another vm.
> (the most critical)

Correct.

> patching the guest kernel, to avoid that a process from the vm have access to 
> memory of another process of same vm.

Correct.

The QEMU updates are pretty boring, mostly taking care of new MSR and
CPUID flags (and adding new CPU models).

They are not needed to protect the guest from "Meltdown", only
"Spectre"---the former only needs a guest kernel update.  Also, to have
any effect, the guest kernels must also have "Spectre" patches which
aren't upstream yet for either KVM or the rest of Linux.  So the QEMU
patches are much less important than the kernel side.

>> https://access.redhat.com/solutions/3307851 
>> "Impacts of CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 to Red Hat 
>> Virtualization products" 

It mostly repeats the contents of the RHEL document
https://access.redhat.com/security/vulnerabilities/speculativeexecution,
with some information specific to RHV.

Thanks,

Paolo

> i don't have one but the content might be something like this: 
> https://www.suse.com/de-de/support/kb/doc/?id=7022512 
> 
> So you need: 
> 1.) intel / amd cpu microcode update 
> 2.) qemu update to pass the new MSR and CPU flags from the microcode update 
> 3.) host kernel update 
> 4.) guest kernel update 
> 
> The microcode update and the kernel update is publicly available but i'm 
> missing the qemu one. 
> 
> Greets, 
> Stefan 
> 
>> ----- Mail original ----- 
>> De: "aderumier" <address@hidden> 
>> À: "Stefan Priebe, Profihost AG" <address@hidden> 
>> Cc: "qemu-devel" <address@hidden> 
>> Envoyé: Jeudi 4 Janvier 2018 08:24:34 
>> Objet: Re: [Qemu-devel] CVE-2017-5715: relevant qemu patches 
>>
>>>> Can anybody point me to the relevant qemu patches? 
>>
>> I don't have find them yet. 
>>
>> Do you known if a vm using kvm64 cpu model is protected or not ? 
>>
>> ----- Mail original ----- 
>> De: "Stefan Priebe, Profihost AG" <address@hidden> 
>> À: "qemu-devel" <address@hidden> 
>> Envoyé: Jeudi 4 Janvier 2018 07:27:01 
>> Objet: [Qemu-devel] CVE-2017-5715: relevant qemu patches 
>>
>> Hello, 
>>
>> i've seen some vendors have updated qemu regarding meltdown / spectre. 
>>
>> f.e.: 
>>
>> CVE-2017-5715: QEMU was updated to allow passing through new MSR and 
>> CPUID flags from the host VM to the CPU, to allow enabling/disabling 
>> branch prediction features in the Intel CPU. (bsc#1068032) 
>>
>> Can anybody point me to the relevant qemu patches? 
>>
>> Thanks! 
>>
>> Greets, 
>> Stefan 
>>
> 
>