diff --git a/kvm-target-i386-Expose-IBPB-BRTYPE-and-SBPB-CPUID-bits-t.patch b/kvm-target-i386-Expose-IBPB-BRTYPE-and-SBPB-CPUID-bits-t.patch
new file mode 100644
index 0000000..0b889e4
--- /dev/null
+++ b/kvm-target-i386-Expose-IBPB-BRTYPE-and-SBPB-CPUID-bits-t.patch
@@ -0,0 +1,70 @@
+From dd03cf49fbf6a961a726506cb5264768d814d2c4 Mon Sep 17 00:00:00 2001
+From: Igor Mammedov
+Date: Mon, 5 Aug 2024 17:20:41 -0300
+Subject: [PATCH] target/i386: Expose IBPB-BRTYPE and SBPB CPUID bits to the
+ guest
+
+RH-Author: Igor Mammedov
+RH-MergeRequest: 401: target/i386: Expose IBPB-BRTYPE and SBPB CPUID bits to the guest
+RH-Jira: RHEL-17614
+RH-Acked-by: Ani Sinha
+RH-Acked-by: Jon Maloy
+RH-Commit: [1/1] aa904a1ea0552fc37b61f79fda8a471928ea5d81 (imammedo/qemu-kvm-cs)
+
+According to AMD's Speculative Return Stack Overflow whitepaper (link
+below), the hypervisor should synthesize the value of IBPB_BRTYPE and
+SBPB CPUID bits to the guest.
+
+Support for this is already present in the kernel with commit
+e47d86083c66 ("KVM: x86: Add SBPB support") and commit 6f0f23ef76be
+("KVM: x86: Add IBPB_BRTYPE support").
+
+Add support in QEMU to expose the bits to the guest OS.
+
+host:
+ # cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
+ Mitigation: Safe RET
+
+before (guest):
+ $ cpuid -l 0x80000021 -1 -r
+ 0x80000021 0x00: eax=0x00000045 ebx=0x00000000 ecx=0x00000000 edx=0x00000000
+ ^
+ $ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
+ Vulnerable: Safe RET, no microcode
+
+after (guest):
+ $ cpuid -l 0x80000021 -1 -r
+ 0x80000021 0x00: eax=0x18000045 ebx=0x00000000 ecx=0x00000000 edx=0x00000000
+ ^
+ $ cat /sys/devices/system/cpu/vulnerabilities/spec_rstack_overflow
+ Mitigation: Safe RET
+
+Reported-by: Fabian Vogt
+Link: https://www.amd.com/content/dam/amd/en/documents/corporate/cr/speculative-return-stack-overflow-whitepaper.pdf
+Signed-off-by: Fabiano Rosas
+Link: https://lore.kernel.org/r/20240805202041.5936-1-farosas@suse.de
+Signed-off-by: Paolo Bonzini
+
+(cherry picked from commit 0701abbf9880b5ab1cf44e0caa6ad173aec840e7)
+JIRA: https://issues.redhat.com/browse/RHEL-17614
+Signed-off-by: Igor Mammedov
+---
+ target/i386/cpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index ee753351fc..f75cc04cd3 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -1241,7 +1241,7 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+ NULL, NULL, NULL, NULL,
+ NULL, NULL, NULL, NULL,
+ "prefetchi", NULL, NULL, NULL,
+- NULL, NULL, NULL, NULL,
++ NULL, NULL, NULL, "sbpb",
+ "ibpb-brtype", "srso-no", "srso-user-kernel-no", NULL,
+ },
+ .cpuid = { .eax = 0x80000021, .reg = R_EAX, },
+--
+2.50.1
+
diff --git a/qemu-kvm.spec b/qemu-kvm.spec
index 6f4d72d..4bb7268 100644
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@@ -149,7 +149,7 @@ Obsoletes: %{name}-block-ssh <= %{epoch}:%{version} \
 Summary: QEMU is a machine emulator and virtualizer
 Name: qemu-kvm
 Version: 9.1.0
-Release: 27%{?rcrel}%{?dist}%{?cc_suffix}
+Release: 28%{?rcrel}%{?dist}%{?cc_suffix}
 # Epoch because we pushed a qemu-1.0 package. AIUI this can't ever be dropped
 # Epoch 15 used for RHEL 8
 # Epoch 17 used for RHEL 9 (due to release versioning offset in RHEL 8.5)
@@ -1197,6 +1197,8 @@ Patch391: kvm-ram-block-attributes-Introduce-RamBlockAttributes-to.patch
 # For RHEL-20798 - [Intel 9.6 FEAT] TDX: host: Virt-QEMU: Add safe device pass-through for TD
 # For RHEL-49728 - [Intel 9.7 FEAT] Virt-QEMU: TDX: Allow to configure apic bus clock
 Patch392: kvm-physmem-Support-coordinated-discarding-of-RAM-with-g.patch
+# For RHEL-17614 - VM reports Vulnerable to spec_rstack_overflow when reading status in '/sys/devices/system/cpu/vulnerabilities/'
+Patch393: kvm-target-i386-Expose-IBPB-BRTYPE-and-SBPB-CPUID-bits-t.patch
 
 %if %{have_clang}
 BuildRequires: clang
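Review bot: The whole backport is the new `"sbpb"` name for bit 27 of CPUID 0x80000021 EAX, placed beside the already-named `"ibpb-brtype"` at bit 28, and the commit message should state who actually receives it: the value comes from what the host kernel reports through KVM, so the `before`/`after` output holds for a guest that inherits the host feature set (`-cpu host`/`max`) on a kernel carrying the SBPB/IBPB_BRTYPE support named in the message, while any named CPU model, which this hunk does not touch, presumably keeps showing `Vulnerable: Safe RET, no microcode` unless the user adds `+sbpb` explicitly. If I recall QEMU's feature handling correctly, giving a bit a name is also what lets a migratable `-cpu host` pass it through, so a guest that now sees SBPB can be live-migrated to a host whose kernel lacks that support and silently lose the mitigation it reports; one sentence noting that every host in a migration pool needs the kernel-side support would make that visible to operators. The feature_word_info table starts and ends outside the hunk.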
@@ -2272,6 +2274,11 @@ useradd -r -u 107 -g qemu -G kvm -d / -s /sbin/nologin \ %endif %changelog +* Mon Sep 15 2025 Jon Maloy - 9.1.0-28 +- kvm-target-i386-Expose-IBPB-BRTYPE-and-SBPB-CPUID-bits-t.patch [RHEL-17614] +- Resolves: RHEL-17614 + (VM reports Vulnerable to spec_rstack_overflow when reading status in '/sys/devices/system/cpu/vulnerabilities/') + * Tue Sep 09 2025 Jon Maloy - 9.1.0-27 - kvm-target-i386-Make-invtsc-migratable-when-user-sets-ts.patch [RHEL-15710 RHEL-20798 RHEL-49728] - kvm-target-i386-Enable-fdp-excptn-only-and-zero-fcs-fds.patch [RHEL-15710 RHEL-20798 RHEL-49728]