In order to support Spectre v2 mitigation in Windows guests, I believe the microcoded mitigation features (IBPB and IBRS) need to be exposed to them. This may also be useful for Linux guests using OVMF, unless it is rebuilt with the retpoline mitigation.

The kernel side of this in KVM was already implemented in version 4.9.82-1+deb9u1, although the microcode updates are not yet in stable. libvirt and qemu (and maybe other related packages) also need to be updated so that they recognise and enable the new CPU feature bits for guests. Is this likely to be doable?

Ben.

--
Ben Hutchings
Unix is many things to many people, but it's never been everything to anybody.