This patch series provides the new "md-clear" feature that is used for mitigation with CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091.
Assuming you have the updated microcode and kernel to support the md-clear feature, then using "-cpu host" will expose the new feature to guests. For named CPU models, it must be explicitly added eg "-cpu Haswell,+md-clear" The first patch from Paolo is what most distros will already be shipping with their security updates for this issue. Daniel P. Berrangé (1): docs: recommend use of md-clear feature on all Intel CPUs Paolo Bonzini (1): target/i386: define md-clear bit docs/qemu-cpu-models.texi | 12 ++++++++++++ target/i386/cpu.c | 2 +- 2 files changed, 13 insertions(+), 1 deletion(-) -- 2.21.0
