On 12/11/19 10:51, Daniel P. Berrangé wrote:
> On Tue, Nov 12, 2019 at 03:50:43AM +0000, Kyle Copperfield via wrote:
>> New microcode introduces the "Flush L1D Cache" CPUID feature bit.
>> This needs to be exposed to guest OS to allow them to protect against
>> CVE-2018-3646.
>
> My understanding was that this is only required in the L0 hypervisor,
> not the guests or nested hypervisors, which is why QEMU hadn't already
> exposed this feature when L1TF first went public.
>
> Copying Paolo for a definitive answer on that though....

Correct; in fact in addition to this patch you would have to patch KVM to
allow guest writes to MSR_IA32_FLUSH_CMD.

Paolo

>
>>
>> Signed-off-by: Kyle Copperfield <kmcop...@danwin1210.me>
>> ---
>>  docs/qemu-cpu-models.texi | 7 +++++++
>>  target/i386/cpu.c | 2 +-
>>  2 files changed, 8 insertions(+), 1 deletion(-)
>>
>> diff --git a/docs/qemu-cpu-models.texi b/docs/qemu-cpu-models.texi
>> index f88a1def0d..1b5349d86a 100644
>> --- a/docs/qemu-cpu-models.texi
>> +++ b/docs/qemu-cpu-models.texi
>> @@ -180,6 +180,13 @@ Must be explicitly turned on for all Intel CPU models.
>>  Requires the host CPU microcode to support this feature before it
>>  can be used for guest CPUs.
>>
>> +@item @code{flush_l1d}
>> +
>> +Required to enable strong Foreshadow-NG (VMM) (CVE-2018-3646) fixes in
>> +guests.
>> +
>> +Requires the host CPU microcode to support this feature before it
>> +can be used for guest CPUs.
>>
>>  @item @code{ssbd}
>>
>> diff --git a/target/i386/cpu.c b/target/i386/cpu.c
>> index a624163ac2..1fb6d677e2 100644
>> --- a/target/i386/cpu.c
>> +++ b/target/i386/cpu.c
>> @@ -1083,7 +1083,7 @@ static FeatureWordInfo
>> feature_word_info[FEATURE_WORDS] = {
>>  NULL, NULL, NULL /* pconfig */, NULL,
>>  NULL, NULL, NULL, NULL,
>>  NULL, NULL, "spec-ctrl", "stibp",
>> - NULL, "arch-capabilities", "core-capability", "ssbd",
>> + "flush_l1d", "arch-capabilities", "core-capability", "ssbd",
>>  },
>>  .cpuid = {
>>  .eax = 7,
>> --
>> 2.24.0
>>
>>
>
> Regards,
> Daniel
>
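Review bot: the docs/qemu-cpu-models.texi hunk promises users that turning on flush_l1d lets guests apply the CVE-2018-3646 fixes, but the patch only advertises the CPUID bit; as the reply above notes, KVM must also accept guest writes to MSR_IA32_FLUSH_CMD before a guest can actually use it, so the new entry should state that requirement next to "Requires the host CPU microcode to support this feature", or the patch should wait for the KVM side. It would also help to mention that the flush is only needed when the guest itself runs as a hypervisor, since the thread points out that for an ordinary guest the L0 host already performs it.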
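Review bot: in the target/i386/cpu.c hunk the new name "flush_l1d" uses an underscore while every neighbouring entry in the same feature_word_info table ("spec-ctrl", "stibp", "arch-capabilities", "core-capability") uses a hyphen, so the string as written breaks the naming convention of the table and of the -cpu feature flags documented in qemu-cpu-models.texi; suggest "flush-l1d" here and in the matching @item @code{...} line of the docs hunk so the two stay consistent.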