From: Alexandre DERUMIER <aderumier@odiso.com>
To: "Stefan Priebe, Profihost AG" <s.priebe@profihost.ag>
Cc: qemu-devel <qemu-devel@nongnu.org>
Subject: Re: [Qemu-devel] CVE-2017-5715: relevant qemu patches
Date: Thu, 4 Jan 2018 09:35:01 +0100 (CET)
Message-ID: <130240891.820052.1515054901352.JavaMail.zimbra@oxygem.tv>
In-Reply-To: <cb656289-97ee-d45e-cfcc-51e86b9a11ce@profihost.ag>

>>So you need: 
>>1.) intel / amd cpu microcode update 
>>2.) qemu update to pass the new MSR and CPU flags from the microcode update 
>>3.) host kernel update 
>>4.) guest kernel update 

Are you sure we need to patch the guest kernel if we are able to patch qemu?
I have some pretty old guests (Linux and Windows).



If I understand, patching the host kernel should prevent a VM from reading the memory of another VM
(the most critical).

Patching the guest kernel is to prevent a process in the VM from accessing the memory of another process in the same VM.

Right?



----- Original Message -----
From: "Stefan Priebe, Profihost AG" <s.priebe@profihost.ag>
To: "aderumier" <aderumier@odiso.com>
Cc: "qemu-devel" <qemu-devel@nongnu.org>
Sent: Thursday, 4 January 2018 09:17:41
Subject: Re: [Qemu-devel] CVE-2017-5715: relevant qemu patches

On 04.01.2018 at 08:27, Alexandre DERUMIER wrote:
> Does somebody have a Red Hat account to see the content of:
> 
> https://access.redhat.com/solutions/3307851 
> "Impacts of CVE-2017-5754, CVE-2017-5753, and CVE-2017-5715 to Red Hat Virtualization products" 

I don't have one, but the content might be something like this:
https://www.suse.com/de-de/support/kb/doc/?id=7022512 

So you need: 
1.) intel / amd cpu microcode update 
2.) qemu update to pass the new MSR and CPU flags from the microcode update 
3.) host kernel update 
4.) guest kernel update 

The microcode update and the kernel update are publicly available, but I'm
missing the qemu one.

Greets, 
Stefan 

> ----- Original Message -----
> From: "aderumier" <aderumier@odiso.com>
> To: "Stefan Priebe, Profihost AG" <s.priebe@profihost.ag>
> Cc: "qemu-devel" <qemu-devel@nongnu.org>
> Sent: Thursday, 4 January 2018 08:24:34
> Subject: Re: [Qemu-devel] CVE-2017-5715: relevant qemu patches
> 
>>> Can anybody point me to the relevant qemu patches? 
> 
> I haven't found them yet.
>
> Do you know if a VM using the kvm64 CPU model is protected or not?
>
> ----- Original Message -----
> From: "Stefan Priebe, Profihost AG" <s.priebe@profihost.ag>
> To: "qemu-devel" <qemu-devel@nongnu.org>
> Sent: Thursday, 4 January 2018 07:27:01
> Subject: [Qemu-devel] CVE-2017-5715: relevant qemu patches
> 
> Hello, 
> 
> I've seen some vendors have updated qemu regarding Meltdown / Spectre.
>
> For example:
> 
> CVE-2017-5715: QEMU was updated to allow passing through new MSR and 
> CPUID flags from the host VM to the CPU, to allow enabling/disabling 
> branch prediction features in the Intel CPU. (bsc#1068032) 
> 
> Can anybody point me to the relevant qemu patches? 
> 
> Thanks! 
> 
> Greets, 
> Stefan 
> 
