On Wed, Jan 10, 2018 at 11:22:12 +0000, Daniel P. Berrange wrote: > On Tue, Jan 09, 2018 at 11:45:13PM +0100, Jiri Denemark wrote: > > This is the libvirt's part of the changes related to CVE-2017-5715. The > > new models can be used to pass the protective CPU features to guests. > > But remember, the host CPU microcode, host kernel, QEMU, and libvirt all > > need to be updated for this to be any useful. > > > > Based on a patch from Paolo Bonzini. > > You likely also want this pre-requisite series for libvirt: > > https://www.redhat.com/archives/libvir-list/2018-January/msg00114.html > > This ensures libvirt's cache of QEMU CPU model info is updated when the > host CPU microcode changes. Without that patch, libvirt might not pick > up the changed QEMU CPU models if the microcode update RPM was installed > after the updated QEMU RPM. Oh yes, I wanted to mention this, but I forgot to do so :( You may also need some patches from another series (which I've just pushed): https://www.redhat.com/archives/libvir-list/2018-January/msg00237.html The first patch is needed for all the new tests to pass. And the third patch is needed if the new CPU models are defined via inheritance rather than from scratch. This is not an issue for the patches in this series, but some downstreams might have decided to do just that. Jirka -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list