Testing Bionic:

Diff pre/post output:

virsh capabilities:
--- cap.old 2019-09-13 07:47:39.904489440 +0000
+++ cap.new 2019-09-13 07:54:17.141044569 +0000
@@ -26,6 +26,7 @@
+

virsh domcapabilities (
--- dcap.old 2019-09-13 07:47:45.944614794 +0000
+++ dcap.new 2019-09-13 07:54:09.708864451 +0000
@@ -30,6 +30,7 @@
+

Upgrade:
$ sudo apt install libvirt-daemon-system
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libvirt-clients libvirt-daemon libvirt-daemon-driver-storage-rbd libvirt0
Suggested packages:
  libvirt-daemon-driver-storage-gluster libvirt-daemon-driver-storage-sheepdog libvirt-daemon-driver-storage-zfs numad radvd auditd systemtap nfs-common zfsutils pm-utils
The following packages will be upgraded:
  libvirt-clients libvirt-daemon libvirt-daemon-driver-storage-rbd libvirt-daemon-system libvirt0
5 upgraded, 0 newly installed, 0 to remove and 14 not upgraded.
Need to get 4116 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libvirt-daemon-driver-storage-rbd amd64 4.0.0-1ubuntu8.13 [15.4 kB]
Get:2 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libvirt-daemon-system amd64 4.0.0-1ubuntu8.13 [80.7 kB]
Get:3 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libvirt-daemon amd64 4.0.0-1ubuntu8.13 [2176 kB]
Get:4 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libvirt-clients amd64 4.0.0-1ubuntu8.13 [596 kB]
Get:5 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libvirt0 amd64 4.0.0-1ubuntu8.13 [1248 kB]
Fetched 4116 kB in 1s (4660 kB/s)
Preconfiguring packages ...
(Reading database ... 71127 files and directories currently installed.)
Preparing to unpack .../libvirt-daemon-driver-storage-rbd_4.0.0-1ubuntu8.13_amd64.deb ...
Unpacking libvirt-daemon-driver-storage-rbd (4.0.0-1ubuntu8.13) over (4.0.0-1ubuntu8.12) ...
Preparing to unpack .../libvirt-daemon-system_4.0.0-1ubuntu8.13_amd64.deb ...
Unpacking libvirt-daemon-system (4.0.0-1ubuntu8.13) over (4.0.0-1ubuntu8.12) ...
Preparing to unpack .../libvirt-daemon_4.0.0-1ubuntu8.13_amd64.deb ...
Unpacking libvirt-daemon (4.0.0-1ubuntu8.13) over (4.0.0-1ubuntu8.12) ...
Preparing to unpack .../libvirt-clients_4.0.0-1ubuntu8.13_amd64.deb ...
Unpacking libvirt-clients (4.0.0-1ubuntu8.13) over (4.0.0-1ubuntu8.12) ...
Preparing to unpack .../libvirt0_4.0.0-1ubuntu8.13_amd64.deb ...
Unpacking libvirt0:amd64 (4.0.0-1ubuntu8.13) over (4.0.0-1ubuntu8.12) ...
Setting up libvirt0:amd64 (4.0.0-1ubuntu8.13) ...
Setting up libvirt-daemon (4.0.0-1ubuntu8.13) ...
Setting up libvirt-clients (4.0.0-1ubuntu8.13) ...
Setting up libvirt-daemon-system (4.0.0-1ubuntu8.13) ...
virtlockd.service is a disabled or a static unit, not starting it.
Setting up libvirt-daemon dnsmasq configuration.
Setting up libvirt-daemon-driver-storage-rbd (4.0.0-1ubuntu8.13) ...
Processing triggers for systemd (237-3ubuntu10.29) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...

I further used the named feature, e.g. like:

in the guest config, and it recognized it into the qemu cmdline:
-cpu EPYC-IBPB,...,amd-ssbd=off

Without the new disabling, host-model now passes:
...,amd-ssbd=on

The spectre checker finds the difference: the guest now gets the fix we wanted it to have.

--- old.log 2019-09-13 08:01:49.919323740 +0000
+++ new.log 2019-09-13 08:02:45.244000000 +0000
@@ -10 +10 @@
- * SPEC_CTRL MSR is available: NO
+ * SPEC_CTRL MSR is available: YES
@@ -18 +18 @@
- * SPEC_CTRL MSR is available: NO
+ * SPEC_CTRL MSR is available: YES
@@ -22 +22 @@
- * CPU indicates SSBD capability: YES (AMD non-architectural MSR)
+ * CPU indicates SSBD capability: YES (AMD SSBD in SPEC_CTRL)
@@ -77 +77 @@
-* Mitigated according to the /sys interface: NO (Vulnerable)
+* Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
@@ -79,2 +79,3 @@
-* SSB mitigation is enabled and active: NO
-> STATUS: VULNERABLE (your CPU and kernel both support SSBD but the mitigation is not active)
+* SSB mitigation is enabled and active: YES (per-thread through prctl)
+* SSB mitigation currently active for selected processes: YES (systemd-hostnamed systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd)
+> STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
@@ -131 +132 @@
-> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK
+> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK

With that confirmed, setting verified.
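Review bot: the hunk at @@ -79,2 +79,3 @@ reports "NOT VULNERABLE" on the strength of the prctl/seccomp mode, which the checker itself qualifies as "per-thread through prctl" and only lists a handful of systemd services as currently mitigated. That is the expected Linux default and it is enough to show the guest now sees SPEC_CTRL-based SSBD, but note in the verification that processes which do not opt in via prctl or a seccomp filter are not covered by this mode; a stricter guest policy would need the kernel's spec_store_bypass_disable=on boot option, which is a separate choice from the libvirt change being verified here.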
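A small helper for repeating this kind of pre/post verification, added here as an example and not part of the Launchpad comment, libvirt or qemu: it extracts the spectre-meltdown-checker SUMMARY line from two runs, reports which CVE statuses changed (and flags any OK to KO regression), and reads the amd-ssbd state out of a qemu -cpu argument. The log excerpts and -cpu strings are constructed from the values quoted above.

```python
"""Pre/post checks for an SSBD guest-exposure change (added example)."""
import re

# Constructed inputs: the SUMMARY lines of the old and new checker runs quoted above.
OLD_LOG = "> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2018-3640:OK CVE-2018-3639:KO CVE-2018-3615:OK"
NEW_LOG = "> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK"

SUMMARY_RE = re.compile(r"(CVE-\d{4}-\d+):(OK|KO)")


def parse_summary(log_text):
    """Return {cve: 'OK'|'KO'} from the checker's '> SUMMARY:' line."""
    for line in log_text.splitlines():
        if line.lstrip("> ").startswith("SUMMARY:"):
            return dict(SUMMARY_RE.findall(line))
    raise ValueError("no SUMMARY line found in checker output")


def summary_changes(old_text, new_text):
    """Return {cve: (old_status, new_status)} for every CVE whose status differs."""
    old, new = parse_summary(old_text), parse_summary(new_text)
    return {cve: (old.get(cve), new.get(cve))
            for cve in sorted(set(old) | set(new))
            if old.get(cve) != new.get(cve)}


def regressions(old_text, new_text):
    """CVEs that went from OK to KO; a non-empty list should fail the verification."""
    return [cve for cve, (o, n) in summary_changes(old_text, new_text).items()
            if o == "OK" and n == "KO"]


def cpu_feature_state(cpu_arg, feature):
    """Parse a qemu '-cpu model,feat=on,...' value; return 'on', 'off' or None if absent.

    Handles both 'feat=on/off' and the older '+feat' / '-feat' spellings.
    """
    for part in cpu_arg.split(",")[1:]:
        key, _, value = part.partition("=")
        if key == feature:
            return value or "on"
        if part == "+" + feature:
            return "on"
        if part == "-" + feature:
            return "off"
    return None


if __name__ == "__main__":
    print(summary_changes(OLD_LOG, NEW_LOG))          # {'CVE-2018-3639': ('KO', 'OK')}
    print(cpu_feature_state("EPYC-IBPB,amd-ssbd=on", "amd-ssbd"))  # on
```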