On 04.01.2018 at 09:35, Alexandre DERUMIER wrote:
>>> So you need:
>>> 1.) intel / amd cpu microcode update
>>> 2.) qemu update to pass the new MSR and CPU flags from the microcode update
>>> 3.) host kernel update
>>> 4.) guest kernel update
>
> Are you sure we need to patch the guest kernel if we are able to patch qemu?
>> I have some pretty old guests (linux and windows)
>
> If I understand, patching the host kernel should avoid that a vm is reading
> memory of another vm.
> (the most critical)

Yes - this was just to complete the mitigation on all layers.

>
> patching the guest kernel, to avoid that a process from the vm has access to
> memory of another process of the same vm.

Yes.

Stefan

>
> ----- Original message -----
> From: "Stefan Priebe, Profihost AG" <s.pri...@profihost.ag>
> To: "aderumier" <aderum...@odiso.com>
> Cc: "qemu-devel" <qemu-devel@nongnu.org>
> Sent: Thursday 4 January 2018 09:17:41
> Subject: Re: [Qemu-devel] CVE-2017-5715: relevant qemu patches
>
> On 04.01.2018 at 08:27, Alexandre DERUMIER wrote:
>> Does somebody have a redhat account to see the content of:
>>
>> https://access.redhat.com/solutions/3307851
>> "Impacts of CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 to Red Hat
>> Virtualization products"
>
> I don't have one but the content might be something like this:
> https://www.suse.com/de-de/support/kb/doc/?id=7022512
>
> So you need:
> 1.) intel / amd cpu microcode update
> 2.) qemu update to pass the new MSR and CPU flags from the microcode update
> 3.) host kernel update
> 4.) guest kernel update
>
> The microcode update and the kernel update are publicly available but I'm
> missing the qemu one.
>
> Greets,
> Stefan
>
>> ----- Original message -----
>> From: "aderumier" <aderum...@odiso.com>
>> To: "Stefan Priebe, Profihost AG" <s.pri...@profihost.ag>
>> Cc: "qemu-devel" <qemu-devel@nongnu.org>
>> Sent: Thursday 4 January 2018 08:24:34
>> Subject: Re: [Qemu-devel] CVE-2017-5715: relevant qemu patches
>>
>>>> Can anybody point me to the relevant qemu patches?
>>
>> I haven't found them yet.
>>
>> Do you know if a vm using the kvm64 cpu model is protected or not?
>>
>> ----- Original message -----
>> From: "Stefan Priebe, Profihost AG" <s.pri...@profihost.ag>
>> To: "qemu-devel" <qemu-devel@nongnu.org>
>> Sent: Thursday 4 January 2018 07:27:01
>> Subject: [Qemu-devel] CVE-2017-5715: relevant qemu patches
>>
>> Hello,
>>
>> I've seen some vendors have updated qemu regarding meltdown / spectre.
>>
>> f.e.:
>>
>> CVE-2017-5715: QEMU was updated to allow passing through new MSR and
>> CPUID flags from the host VM to the CPU, to allow enabling/disabling
>> branch prediction features in the Intel CPU. (bsc#1068032)
>>
>> Can anybody point me to the relevant qemu patches?
>>
>> Thanks!
>>
>> Greets,
>> Stefan