Some AMD processors only support a non-architectural means of enabling Speculative Store Bypass Disable. To allow simplified handling in virtual environments, hypervisors will expose an architectural definition through CPUID bit 0x80000008_EBX[25]. This needs to be exposed to guest OS running on AMD x86 hosts to allow them to protect against CVE-2018-3639. Note that since this CPUID bit won't be present in the host CPUID results on physical hosts, it will not be enabled automatically in guests configured with "host-model" CPU unless using QEMU version >= 2.9.0. Thus for older versions of QEMU, this feature must be manually enabled using policy=force. Guests using the "host-passthrough" CPU mode do not need special handling. Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> --- src/cpu/cpu_map.xml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml index 245aec3309..96daa0f9af 100644 --- a/src/cpu/cpu_map.xml +++ b/src/cpu/cpu_map.xml @@ -433,6 +433,9 @@ <feature name='ibpb'> <cpuid eax_in='0x80000008' ebx='0x00001000'/> </feature> + <feature name='virt-ssbd'> + <cpuid eax_in='0x80000008' ebx='0x02000000'/> + </feature> <!-- models --> <model name='486'> -- 2.17.0 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list