diff --git a/1093-target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch b/1093-target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch
new file mode 100644
index 0000000000000000000000000000000000000000..48bd8388c44c50ddd1565228fe844b4f0fe08be3
--- /dev/null
+++ b/1093-target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch
@@ -0,0 +1,50 @@
+From: Lei Wang
+Date: Thu, 6 Jul 2023 13:49:48 +0800
+Subject: [PATCH] target/i386: Add few security fix bits in ARCH_CAPABILITIES into SapphireRapids CPU model
+
+commit 3baf7ae63505eb1652d1e52d65798307fead8539 upstream.
+
+SapphireRapids has bit 13, 14 and 15 of MSR_IA32_ARCH_CAPABILITIES
+enabled, which are related to some security fixes.
+
+Add version 2 of SapphireRapids CPU model with those bits enabled also.
+
+Intel-SIG: commit 3baf7ae63505 target/i386: Add few security fix bits in ARCH_CAPABILITIES into SapphireRapids CPU model.
+6.2-SPR new model support
+
+Signed-off-by: Lei Wang
+Signed-off-by: Tao Su
+Message-ID: <20230706054949.66556-6-tao1.su@linux.intel.com>
+Signed-off-by: Paolo Bonzini
+[ Quanxian Wang: amend commit log ]
+Signed-off-by: Quanxian Wang
+---
+ target/i386/cpu.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 0a3c76854..8a045e065 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -3762,8 +3762,17 @@ static const X86CPUDefinition builtin_x86_defs[] = {
+ .model_id = "Intel Xeon Processor (SapphireRapids)",
+ .versions = (X86CPUVersionDefinition[]) {
+ { .version = 1 },
+- { /* end of list */ },
+- },
++ {
++ .version = 2,
++ .props = (PropValue[]) {
++ { "sbdr-ssdp-no", "on" },
++ { "fbsdp-no", "on" },
++ { "psdp-no", "on" },
++ { /* end of list */ }
++ }
++ },
++ { /* end of list */ }
++ }
+ },
+ {
+ .name = "SierraForest",
+--
+2.25.1
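Review bot: Version 2 in 1093-target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch sets `sbdr-ssdp-no`, `fbsdp-no` and `psdp-no`, but those names are only entered into `feature_word_info` by 1096-target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch, which the spec applies three patches later. The dates on the page show that upstream had the opposite order (the export commit is dated 23 Jun 2023, this one 6 Jul 2023), so a tree carrying 1093 without 1096 would hold a CPU model that refers to property names with no definition; how an unknown name in a version's `.props` list is handled lies outside the hunk and should be confirmed. Numbering the export patch ahead of this one would keep every intermediate state of the series self-consistent. The `builtin_x86_defs` initializer starts and ends outside the hunk.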
diff --git a/1094-target-i386-Introduce-SapphireRapids-v3-to-add-missi.patch b/1094-target-i386-Introduce-SapphireRapids-v3-to-add-missi.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a035ee120ae650079c33b4932988cb4f1dbd8b10
--- /dev/null
+++ b/1094-target-i386-Introduce-SapphireRapids-v3-to-add-missi.patch
@@ -0,0 +1,45 @@
+From: Lei Wang
+Date: Wed, 24 Apr 2024 03:29:12 -0400
+Subject: [PATCH] target/i386: Introduce SapphireRapids-v3 to add missing features
+
+commit b10b2481738304db13d28252e86c10555121a5b3 upstream.
+
+Add the missing features(ss, tsc-adjust, cldemote, movdiri, movdir64b) in
+the SapphireRapids-v3 CPU model.
+
+Intel-SIG: commit b10b24817383 target/i386: Introduce SapphireRapids-v3 to add missing features.
+6.2-SPR new model support
+
+Signed-off-by: Lei Wang
+Message-ID: <20240424072912.43188-1-lei4.wang@intel.com>
+Signed-off-by: Paolo Bonzini
+[ Quanxian Wang: amend commit log ]
+Signed-off-by: Quanxian Wang
+---
+ target/i386/cpu.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index f4b5c95c5..baa1a8207 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -3730,6 +3730,17 @@ static const X86CPUDefinition builtin_x86_defs[] = {
+ { /* end of list */ }
+ }
+ },
++ {
++ .version = 3,
++ .props = (PropValue[]) {
++ { "ss", "on" },
++ { "tsc-adjust", "on" },
++ { "cldemote", "on" },
++ { "movdiri", "on" },
++ { "movdir64b", "on" },
++ { /* end of list */ }
++ }
++ },
+ { /* end of list */ }
+ }
+ },
+--
+2.25.1
diff --git a/1095-ebpf-replace-deprecated-bpf_program__set_socket_filt.patch b/1095-ebpf-replace-deprecated-bpf_program__set_socket_filt.patch
new file mode 100644
index 0000000000000000000000000000000000000000..574626b422a5a54adbed9c688b4109f396207a45
--- /dev/null
+++ b/1095-ebpf-replace-deprecated-bpf_program__set_socket_filt.patch
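Review bot: The only context the cpu.c hunk in 1094-target-i386-Introduce-SapphireRapids-v3-to-add-missi.patch carries is generic closers (`{ /* end of list */ }`, `}`, `},` both before and after the added block), so nothing in it ties the new version 3 entry to the SapphireRapids definition. Its pre-image blob `f4b5c95c5` is not the post-image `8a045e065` left by 1093, and it expects the end of the version 2 props at line 3730 while 1093 puts that around line 3771, so the patch is presumably applied with an offset; whether another model's version list in `builtin_x86_defs` matches the same six lines nearer to 3730 cannot be told from the page. Regenerating the patch on top of 1093 with enough context to show `.version = 2`, or checking in the prepared tree that `ss`, `tsc-adjust`, `cldemote`, `movdiri` and `movdir64b` landed under SapphireRapids, would remove the doubt. The enclosing initializer starts and ends outside the hunk.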
@@ -0,0 +1,37 @@
+From: Haochen Tong
+Date: Sat, 28 May 2022 03:06:58 +0800
+Subject: [PATCH] ebpf: replace deprecated bpf_program__set_socket_filter
+
+commit a495eba03c31c96d6a0817b13598ce2219326691 upstream.
+
+bpf_program__set_ functions have been deprecated since libbpf 0.8.
+Replace with the equivalent bpf_program__set_type call to avoid a
+deprecation warning.
+
+Intel-SIG: commit a495eba03c31 ebpf: replace deprecated bpf_program__set_socket_filter.
+6.2-SPR new model support
+
+Signed-off-by: Haochen Tong
+Reviewed-by: Zhang Chen
+Signed-off-by: Jason Wang
+[ Quanxian Wang: amend commit log ]
+Signed-off-by: Quanxian Wang
+---
+ ebpf/ebpf_rss.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ebpf/ebpf_rss.c b/ebpf/ebpf_rss.c
+index 118c68da83..cee658c158 100644
+--- a/ebpf/ebpf_rss.c
++++ b/ebpf/ebpf_rss.c
+@@ -49,7 +49,7 @@ bool ebpf_rss_load(struct EBPFRSSContext *ctx)
+ goto error;
+ }
+
+- bpf_program__set_socket_filter(rss_bpf_ctx->progs.tun_rss_steering_prog);
++ bpf_program__set_type(rss_bpf_ctx->progs.tun_rss_steering_prog, BPF_PROG_TYPE_SOCKET_FILTER);
+
+ if (rss_bpf__load(rss_bpf_ctx)) {
+ trace_ebpf_error("eBPF RSS", "can not load RSS program");
+--
+2.25.1
diff --git a/1096-target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch b/1096-target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch
new file mode 100644
index 0000000000000000000000000000000000000000..03873421fc2106c10a4e6cf41fcbac15b915fb3f
--- /dev/null
+++ b/1096-target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch
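Review bot: The result of `bpf_program__set_type()` is discarded on the added line in 1095-ebpf-replace-deprecated-bpf_program__set_socket_filt.patch, so a failure to set the program type would at best surface later, at `rss_bpf__load()`. Where the libbpf headers used for the build declare the function as returning `int` (to be confirmed for the packaged libbpf version), the call can take the error path the surrounding code already has: `if (bpf_program__set_type(rss_bpf_ctx->progs.tun_rss_steering_prog, BPF_PROG_TYPE_SOCKET_FILTER)) { goto error; }`. That would diverge from the upstream commit being backported, so it may be better raised upstream first. `ebpf_rss_load` starts and ends outside the hunk.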
@@ -0,0 +1,45 @@
+From: Pawan Gupta
+Date: Fri, 23 Jun 2023 13:26:25 -0700
+Subject: [PATCH] target/i386: Export MSR_ARCH_CAPABILITIES bits to guests
+
+commit 5bef742cc4f0e21c80a31611af7881ba811e507f upstream.
+
+On Intel CPUs there are certain bits in MSR_ARCH_CAPABILITIES that
+indicates if the CPU is not affected by a vulnerability. Without these
+bits guests may try to deploy the mitigation even if the CPU is not
+affected.
+
+Export the bits to guests that indicate immunity to hardware
+vulnerabilities.
+
+Intel-SIG: commit 5bef742cc4f0 target/i386: Export MSR_ARCH_CAPABILITIES bits to guests.
+6.2-SPR new model support
+
+Signed-off-by: Pawan Gupta
+Message-ID: <63d85cc76d4cdc51e6c732478b81d8f13be11e5a.1687551881.git.pawan.kumar.gupta@linux.intel.com>
+Signed-off-by: Paolo Bonzini
+[ Quanxian Wang: amend commit log ]
+Signed-off-by: Quanxian Wang
+---
+ target/i386/cpu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/target/i386/cpu.c b/target/i386/cpu.c
+index 11f52c79b..62149367b 100644
+--- a/target/i386/cpu.c
++++ b/target/i386/cpu.c
+@@ -1022,10 +1022,10 @@ FeatureWordInfo feature_word_info[FEATURE_WORDS] = {
+ "rdctl-no", "ibrs-all", "rsba", "skip-l1dfl-vmentry",
+ "ssb-no", "mds-no", "pschange-mc-no", "tsx-ctrl",
+ "taa-no", NULL, NULL, NULL,
+- NULL, NULL, NULL, NULL,
++ NULL, "sbdr-ssdp-no", "fbsdp-no", "psdp-no",
+ NULL, "fb-clear", NULL, NULL,
+ NULL, NULL, NULL, NULL,
+- NULL, NULL, NULL, "rfds-no",
++ "pbrsb-no", NULL, NULL, "rfds-no",
+ "rfds-clear", NULL, NULL, NULL,
+ },
+ .msr = {
+--
+2.25.1
diff --git a/qemu-kvm.spec b/qemu-kvm.spec
index 02a349db5a5ef1d7081853a348fc75a5031ed912..08304dd24d100ec78d190e161cf1f255b1d85f9c 100644
--- a/qemu-kvm.spec
+++ b/qemu-kvm.spec
@@ -1,4 +1,4 @@ -%define anolis_release .0.1 +%define anolis_release .0.2 %global SLOF_gittagdate 20191022 %global SLOF_gittagcommit 899d9883 
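Review bot: The two changed rows in 1096-target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch are right only if each name sits at the correct bit position, and the table gives a reader nothing to check that against. A short comment per row would make it verifiable, for example `/* bits 12-15 */` ahead of `NULL, "sbdr-ssdp-no", "fbsdp-no", "psdp-no",` and `/* bits 24-27 */` ahead of `"pbrsb-no", NULL, NULL, "rfds-no",`; assuming the `"rdctl-no"` row is the first of the array, counting four entries per row puts the new names at bits 13, 14, 15 and 24. `pbrsb-no` is not named in the commit description, which speaks only in general of bits that indicate immunity, so listing the four bits there or in a comment would help whoever audits which "not affected" claims a guest can now see. The `feature_word_info` entry starts above the hunk and continues past `.msr = {`.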
@@ -986,6 +986,10 @@ Patch1089: 1089-target-i386-Add-new-CPU-model-GraniteRapids.patch Patch1090: 1090-target-i386-Add-support-for-AMX-COMPLEX-in-CPUID-enu.patch Patch1091: 1091-target-i386-Add-new-CPU-model-SierraForest.patch Patch1092: 1092-target-i386-Export-RFDS-bit-to-guests.patch +Patch1093: 1093-target-i386-Add-few-security-fix-bits-in-ARCH_CAPABI.patch +Patch1094: 1094-target-i386-Introduce-SapphireRapids-v3-to-add-missi.patch +Patch1095: 1095-ebpf-replace-deprecated-bpf_program__set_socket_filt.patch +Patch1096: 1096-target-i386-Export-MSR_ARCH_CAPABILITIES-bits-to-gue.patch BuildRequires: wget BuildRequires: rpm-build @@ -2224,6 +2228,9 @@ sh %{_sysconfdir}/sysconfig/modules/kvm.modules &> /dev/null || : %endif %changelog +* Wed Sep 11 2024 Quanxian Wang - 6.2.0-52.0.2 +- Intel-SIG: Supprt new SPR models + * Wed Aug 28 2024 Jacob Wang - 6.2.0-52.0.1 - Adjust limit for virtiofsd minor version - Add loongarch supporti (lixianglai@loongson.cn)