Add SPEC_CTRL and IBRS changes

Bug #1744882 reported by Christian Ehrhardt  on 2018-01-23
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Ubuntu Cloud Archive | | Undecided | Unassigned |
  Kilo | | Undecided | Unassigned |
  Mitaka | | Undecided | Unassigned |
  Ocata | | Undecided | Unassigned |
  Pike | | Undecided | Unassigned |
qemu (Ubuntu) | | Undecided | Christian Ehrhardt |
  Trusty | | Undecided | Marc Deslauriers |
  Xenial | | Undecided | Marc Deslauriers |
  Artful | | Undecided | Marc Deslauriers |
  Bionic | | Undecided | Christian Ehrhardt |

Bug Description

The merge of [1] landed the Spectre-related changes for SPEC_CTRL and IBRS to qemu 2.12.

It is announced in [2] that there shall be a 2.11.1 with the backport that we intend to pick.
The security team can use this merge at [1] to work on backwards security updates.
For 18.04 (not yet released) the intention for now is to pick 2.11.1 once available.

[1]: https://github.com/qemu/qemu/commit/5cad8ca516011695a37d5be905292722b5249da8
[2]: https://www.qemu.org/2018/01/04/spectre/

Set up the initial set, leaving the security SRUs for Marc to share his intentions.

Changed in qemu (Ubuntu Bionic):
assignee: nobody → ChristianEhrhardt (paelzer)
status: New → Triaged
tags: added: qemu-18.04

Hmm, I haven't seen any submission of these to qemu-stable yet.
Was the plan revised?

@mdeslaur - did you hear anything in that regard?

I asked about the latter in [1], as I might have missed a major change of plans.

@mdeslaur - it is also up to you if this bug should go public or not and to dup it if you already have a better one that I don't know of.

[1]: https://lists.gnu.org/archive/html/qemu-devel/2018-01/msg05549.html

Changed in qemu (Ubuntu Trusty):
status: New → Confirmed
Changed in qemu (Ubuntu Xenial):
status: New → Confirmed
Changed in qemu (Ubuntu Artful):
status: New → In Progress
Changed in qemu (Ubuntu Trusty):
status: Confirmed → In Progress
Changed in qemu (Ubuntu Xenial):
status: Confirmed → In Progress
Changed in qemu (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in qemu (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in qemu (Ubuntu Artful):
assignee: nobody → Marc Deslauriers (mdeslaur)
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 1:2.10+dfsg-0ubuntu3.4

---------------
qemu (1:2.10+dfsg-0ubuntu3.4) artful-security; urgency=medium

  * SECURITY UPDATE: Add support for Spectre mitigations (LP: #1744882)
    - debian/patches/CVE-2017-5715-1.patch: Change X86CPUDefinition::
      model_id to const char* in target/i386/cpu.c.
    - debian/patches/CVE-2017-5715-2.patch: Add support for SPEC_CTRL MSR
      in target/i386/cpu.h, target/i386/kvm.c, target/i386/machine.c.
    - debian/patches/CVE-2017-5715-3.patch: Add spec-ctrl CPUID bit in
      target/i386/cpu.c, target/i386/cpu.h.
    - debian/patches/CVE-2017-5715-4.patch: Add FEAT_8000_0008_EBX CPUID
      feature word in target/i386/cpu.c, target/i386/cpu.h.
    - debian/patches/CVE-2017-5715-5.patch: Add new -IBRS versions of Intel
      CPU models in target/i386/cpu.c.
    - debian/patches/CVE-2017-5715-s390x-1.patch: add linux-header content
      for bpbc in linux-headers/asm-s390/kvm.h, linux-headers/linux/kvm.h.
    - debian/patches/CVE-2017-5715-s390x-2.patch: handle bpb feature in
      target/s390x/cpu.c, target/s390x/cpu.h, target/s390x/cpu_features.c,
      target/s390x/cpu_features_def.h, target/s390x/gen-features.c,
      target/s390x/kvm.c, target/s390x/machine.c.
    - debian/patches/CVE-2017-5715-s390x-3.patch: provide stfle.81 in
      target/s390x/cpu_features.c, target/s390x/cpu_features_def.h,
      target/s390x/gen-features.c.
    - CVE-2017-5715

 -- Marc Deslauriers <email address hidden> Thu, 01 Feb 2018 13:28:07 -0500

Changed in qemu (Ubuntu Artful):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 1:2.5+dfsg-5ubuntu10.20

---------------
qemu (1:2.5+dfsg-5ubuntu10.20) xenial-security; urgency=medium

  * SECURITY UPDATE: Add support for Spectre mitigations (LP: #1744882)
    - debian/patches/CVE-2017-5715-1.patch: Lengthen X86CPUDefinition::
      model_id in target-i386/cpu.c.
    - debian/patches/CVE-2017-5715-2.patch: Add support for SPEC_CTRL MSR
      in target-i386/cpu.h, target-i386/kvm.c, target-i386/machine.c.
    - debian/patches/CVE-2017-5715-3pre1.patch: add FEAT_7_0_ECX and
      FEAT_7_0_EDX in target-i386/cpu.c, target-i386/cpu.h.
    - debian/patches/CVE-2017-5715-3.patch: Add spec-ctrl CPUID bit in
      target-i386/cpu.c, target-i386/cpu.h.
    - debian/patches/CVE-2017-5715-4.patch: Add FEAT_8000_0008_EBX CPUID
      feature word in target-i386/cpu.c, target-i386/cpu.h.
    - debian/patches/CVE-2017-5715-5.patch: Add new -IBRS versions of Intel
      CPU models in target-i386/cpu.c.
    - debian/patches/CVE-2017-5715-s390x-1.patch: add linux-header content
      for bpbc in linux-headers/asm-s390/kvm.h, linux-headers/linux/kvm.h.
    - debian/patches/CVE-2017-5715-s390x-2.patch: handle bpb feature in
      target-s390x/cpu.c, target-s390x/cpu.h, target-s390x/kvm.c.
    - CVE-2017-5715

 -- Marc Deslauriers <email address hidden> Thu, 01 Feb 2018 13:27:34 -0500

Changed in qemu (Ubuntu Xenial):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 2.0.0+dfsg-2ubuntu1.38

---------------
qemu (2.0.0+dfsg-2ubuntu1.38) trusty-security; urgency=medium

  * SECURITY UPDATE: Add support for Spectre mitigations (LP: #1744882)
    - debian/patches/CVE-2017-5715-1.patch: Lengthen X86CPUDefinition::
      model_id in target-i386/cpu.c.
    - debian/patches/CVE-2017-5715-2.patch: Add support for SPEC_CTRL MSR
      in target-i386/cpu.h, target-i386/kvm.c, target-i386/machine.c.
    - debian/patches/CVE-2017-5715-3pre1.patch: add FEAT_7_0_ECX and
      FEAT_7_0_EDX in target-i386/cpu.c, target-i386/cpu.h.
    - debian/patches/CVE-2017-5715-3.patch: Add spec-ctrl CPUID bit in
      target-i386/cpu.c, target-i386/cpu.h.
    - debian/patches/CVE-2017-5715-4.patch: Add FEAT_8000_0008_EBX CPUID
      feature word in target-i386/cpu.c, target-i386/cpu.h.
    - debian/patches/CVE-2017-5715-5.patch: Add new -IBRS versions of Intel
      CPU models in target-i386/cpu.c.
    - CVE-2017-5715

 -- Marc Deslauriers <email address hidden> Thu, 01 Feb 2018 13:27:00 -0500

Changed in qemu (Ubuntu Trusty):
status: In Progress → Fix Released

qemu 2.11 is in proposed

Changed in qemu (Ubuntu Bionic):
status: Triaged → Fix Committed

Actually this particular change will be in 2.11.1 which should be released next week and then follow 2.11 into bionic.

Changed in qemu (Ubuntu Bionic):
status: Fix Committed → Triaged

Hello ChristianEhrhardt, or anyone else affected,

Accepted qemu into kilo-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:kilo-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-kilo-needed to verification-kilo-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-kilo-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-kilo-needed
Corey Bryant (corey.bryant) wrote :

Hello ChristianEhrhardt, or anyone else affected,

Accepted qemu into ocata-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ocata-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ocata-needed to verification-ocata-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ocata-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-ocata-needed
Corey Bryant (corey.bryant) wrote :

Regression testing with tempest successful on ocata-proposed:

======
Totals
======
Ran: 102 tests in 1543.5582 sec.
 - Passed: 94
 - Skipped: 8
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 908.5919 sec.

Corey Bryant (corey.bryant) wrote :

Regression testing with tempest successful on pike-proposed:

======
Totals
======
Ran: 102 tests in 1330.1886 sec.
 - Passed: 94
 - Skipped: 8
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 644.0600 sec.

Corey Bryant (corey.bryant) wrote :

Hello ChristianEhrhardt, or anyone else affected,

Accepted qemu into mitaka-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:mitaka-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-mitaka-needed to verification-mitaka-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-mitaka-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-mitaka-needed

The verification of the Stable Release Update for qemu has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

James Page (james-page) wrote :

This bug was fixed in the package qemu - 1:2.10+dfsg-0ubuntu3.4~cloud0
---------------

 qemu (1:2.10+dfsg-0ubuntu3.4~cloud0) xenial-pike; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 qemu (1:2.10+dfsg-0ubuntu3.4) artful-security; urgency=medium
 .
   * SECURITY UPDATE: Add support for Spectre mitigations (LP: #1744882)
     - debian/patches/CVE-2017-5715-1.patch: Change X86CPUDefinition::
       model_id to const char* in target/i386/cpu.c.
     - debian/patches/CVE-2017-5715-2.patch: Add support for SPEC_CTRL MSR
       in target/i386/cpu.h, target/i386/kvm.c, target/i386/machine.c.
     - debian/patches/CVE-2017-5715-3.patch: Add spec-ctrl CPUID bit in
       target/i386/cpu.c, target/i386/cpu.h.
     - debian/patches/CVE-2017-5715-4.patch: Add FEAT_8000_0008_EBX CPUID
       feature word in target/i386/cpu.c, target/i386/cpu.h.
     - debian/patches/CVE-2017-5715-5.patch: Add new -IBRS versions of Intel
       CPU models in target/i386/cpu.c.
     - debian/patches/CVE-2017-5715-s390x-1.patch: add linux-header content
       for bpbc in linux-headers/asm-s390/kvm.h, linux-headers/linux/kvm.h.
     - debian/patches/CVE-2017-5715-s390x-2.patch: handle bpb feature in
       target/s390x/cpu.c, target/s390x/cpu.h, target/s390x/cpu_features.c,
       target/s390x/cpu_features_def.h, target/s390x/gen-features.c,
       target/s390x/kvm.c, target/s390x/machine.c.
     - debian/patches/CVE-2017-5715-s390x-3.patch: provide stfle.81 in
       target/s390x/cpu_features.c, target/s390x/cpu_features_def.h,
       target/s390x/gen-features.c.
     - CVE-2017-5715

tags: added: verification-pike-done
no longer affects: cloud-archive/icehouse
Changed in cloud-archive:
status: New → Triaged
Corey Bryant (corey.bryant) wrote :

Testing has completed successfully for ocata-proposed between regression testing successfully and the following results testing qemu/libvirt with microcode updates: https://paste.ubuntu.com/p/X45Gghqvkk/

tags: added: verification-ocata-done
removed: verification-ocata-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 1:2.11+dfsg-1ubuntu2

---------------
qemu (1:2.11+dfsg-1ubuntu2) bionic; urgency=medium

  * d/p/ubuntu/qemu-stable-2.11.1.patch: add stable release
    - among other fixes this adds code to:
      - mitigate the Spectre/Meltdown attacks (LP: #1744882) (CVE-2017-5715)
        However, enabling this functionality requires additional configuration
        beyond just updating QEMU. Also migrations need special consideration.
        Details about that can be found at:
        https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/
      - Power9 allocation of max 8 threads per core (LP: #1750526)
  * Drop changes that are part of the upstream stable release
    - d/p/ubuntu/linux-headers-update-to-4.15-rc1.patch
    - d/p/ubuntu/linux-headers-update-4.15-rc9.patch
    - d/p/ubuntu/lp1743560-s390x-kvm-Handle-bpb-feature.patch
    - d/p/ubuntu/lp1743560-s390x-kvm-provide-stfle.81.patch
  * d/p/ubuntu/define-ubuntu-machine-types.patch: refresh to match stable update
  * d/p/ubuntu/pre-bionic-256k-ipxe-efi-roms.patch: unify to only change the
    common compat.h header and add some extra info in the patch header.

 -- Christian Ehrhardt <email address hidden> Mon, 19 Feb 2018 11:03:11 +0100

Changed in qemu (Ubuntu Bionic):
status: Triaged → Fix Released
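
The bionic changelog above notes that updating QEMU alone does not enable the mitigation, and the security updates add a spec-ctrl CPUID bit and -IBRS CPU models. As an added example (not part of this bug report or of QEMU), the script below classifies what each QEMU command line requests through -cpu; the sample command lines and guest names are constructed, and letting any explicit disable win is a conservative assumption of the example.

```shell
#!/bin/sh
# Added example: report what each QEMU command line requests for SPEC_CTRL.
# "requested" only reflects the command line; whether the guest really sees
# the bit also depends on the host (microcode and kernel support).

# Print the value following option $2 in the command line string $1.
opt_value() (
    set -f                       # no globbing while word-splitting
    set -- "$2" $1
    opt=$1; shift
    while [ $# -gt 1 ]; do
        [ "$1" = "$opt" ] && { printf '%s\n' "$2"; exit 0; }
        shift
    done
    exit 1
)

# Classify a -cpu value: requested | absent | host-dependent.
spec_ctrl_state() (
    state=absent
    case ${1%%,*} in
        *-IBRS) state=requested ;;       # e.g. Haswell-IBRS
        host)   state=host-dependent ;;  # passes through what the host has
    esac
    case ",$1," in *,+spec-ctrl,*|*,spec-ctrl=on,*) state=requested ;; esac
    # Conservative assumption: an explicit disable wins wherever it appears.
    case ",$1," in *,-spec-ctrl,*|*,spec-ctrl=off,*) state=absent ;; esac
    printf '%s\n' "$state"
)

# Read command lines on stdin and print "<guest-name> <state>" for each.
audit() {
    while IFS= read -r line; do
        cpu=$(opt_value "$line" -cpu) || cpu=
        name=$(opt_value "$line" -name) || name=unnamed
        printf '%s %s\n' "$name" "$(spec_ctrl_state "$cpu")"
    done
}

# Constructed sample command lines (guest names are made up).
SAMPLE='qemu-system-x86_64 -name web1 -cpu Haswell-IBRS -m 2048
qemu-system-x86_64 -name db1 -cpu Haswell -m 4096
qemu-system-x86_64 -name ci1 -cpu Westmere,+spec-ctrl -m 1024
qemu-system-x86_64 -name lab1 -cpu host,-spec-ctrl -m 1024
qemu-system-x86_64 -name old1 -cpu host -m 512'

printf '%s\n' "$SAMPLE" | audit
```

Guests reported as absent keep running without the new CPUID bit after the package upgrade until their CPU definition is changed and the guest is restarted.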
Corey Bryant (corey.bryant) wrote :

Regression testing for trusty-mitaka has successfully passed:

======
Totals
======
Ran: 102 tests in 1037.8303 sec.
 - Passed: 94
 - Skipped: 8
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 622.6697 sec.

tags: added: verification-mitaka-done
removed: verification-mitaka-needed