
Bug#930408: stretch-pu: package libvirt/3.0.0-4+deb9u4



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,

this updates libvirt's cpu map to make addressing

CVE-2018-3639, CVE-2017-5753, CVE-2017-5715, CVE-2018-12126,
CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

easier for our users by supporting the md-clear, ssbd, spec-ctrl and
ibpb CPU features when picking CPU models without having to fall back to
host-passthrough. See

   https://www.berrange.com/posts/2018/06/29/cpu-model-configuration-for-qemu-kvm-on-x86-hosts/

for details on how this works in libvirt.

Cheers,
 -- Guido


-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
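Added example for this review (not part of Guido's mail and not libvirt code): the check libvirt's cpu map expresses with a `<cpuid>` element is "every bit of the mask must be set in that register of that leaf/subleaf", and the snippet below runs that rule over the six feature definitions added in the patch and over constructed CPUID snapshots, then prints the domain XML a user would write instead of falling back to host-passthrough. Feature names and masks are copied from the hunks; the register values (`INTEL_NEW_UCODE`, `AMD_HOST`, ...) are made up for illustration, and `guest_cpu_xml` is a helper of this example, not a libvirt API.

```python
"""Evaluate libvirt cpu_map.xml <cpuid> masks against CPUID register values.

Added example for this review; it is not libvirt code.  The <feature>
definitions are copied verbatim from the cpu_map.xml hunks in the patch;
the CPUID register values further down are constructed, not measured.
"""
import xml.etree.ElementTree as ET

# Feature definitions copied from the patch hunks: spec-ctrl and ssbd live in
# CPUID leaf 7 subleaf 0 EDX, the AMD bits in leaf 0x80000008 EBX.
CPU_MAP_XML = """\
<cpus>
  <feature name='spec-ctrl'>
    <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/>
  </feature>
  <feature name='ssbd'>
    <cpuid eax_in='0x07' ecx_in='0x00' edx='0x80000000'/>
  </feature>
  <feature name='ibpb'>
    <cpuid eax_in='0x80000008' ebx='0x00001000'/>
  </feature>
  <feature name='amd-ssbd'>
    <cpuid eax_in='0x80000008' ebx='0x01000000'/>
  </feature>
  <feature name='virt-ssbd'>
    <cpuid eax_in='0x80000008' ebx='0x02000000'/>
  </feature>
  <feature name='amd-no-ssb'>
    <cpuid eax_in='0x80000008' ebx='0x04000000'/>
  </feature>
</cpus>
"""

REGS = ("eax", "ebx", "ecx", "edx")


def parse_cpu_map(xml_text):
    """Map feature name -> list of (eax_in, ecx_in, {register: mask})."""
    feats = {}
    for feat in ET.fromstring(xml_text).findall("feature"):
        entries = []
        for c in feat.findall("cpuid"):
            masks = {r: int(c.get(r), 16) for r in REGS if c.get(r)}
            entries.append((int(c.get("eax_in"), 16),
                            int(c.get("ecx_in", "0x0"), 16), masks))
        feats[feat.get("name")] = entries
    return feats


def bit_positions(mask):
    """Bit indices set in a 32-bit mask, e.g. 0x04000000 -> [26]."""
    return [i for i in range(32) if mask >> i & 1]


def feature_present(entries, cpuid):
    """Present only if every mask bit of every <cpuid> element is set in the
    matching register.  `cpuid` maps (eax_in, ecx_in) -> {register: value};
    a leaf the CPU does not report reads as all zeros."""
    for eax_in, ecx_in, masks in entries:
        regs = cpuid.get((eax_in, ecx_in), {})
        if any(regs.get(r, 0) & m != m for r, m in masks.items()):
            return False
    return True


def detect_features(cpu_map, cpuid):
    """Names of all cpu_map features whose masks are satisfied by `cpuid`."""
    return sorted(n for n, e in cpu_map.items() if feature_present(e, cpuid))


def guest_cpu_xml(model, features):
    """Domain <cpu> element.  model=None emits host-model; `features` is a
    list of (name, policy): 'require' for bits the host really has, 'force'
    for virt-ssbd, which the patch says is never in physical host CPUID."""
    if model is None:
        lines = ["<cpu mode='host-model'>"]
    else:
        lines = ["<cpu mode='custom' match='exact'>",
                 "  <model fallback='forbid'>%s</model>" % model]
    lines += ["  <feature policy='%s' name='%s'/>" % (p, n) for n, p in features]
    lines.append("</cpu>")
    return "\n".join(lines)


# Constructed CPUID snapshots (illustrative values, not read from hardware).
INTEL_NEW_UCODE = {(0x07, 0x00): {"edx": 0x84000000}}        # bits 26 and 31
INTEL_OLD_UCODE = {(0x07, 0x00): {"edx": 0x00000000}}        # no mitigation bits
AMD_HOST = {(0x80000008, 0x00): {"ebx": 0x00001000}}         # ibpb only
AMD_GUEST_VIEW = {(0x80000008, 0x00): {"ebx": 0x02001000}}   # ibpb + virt-ssbd

if __name__ == "__main__":
    cpu_map = parse_cpu_map(CPU_MAP_XML)
    for name, entries in cpu_map.items():
        for eax_in, ecx_in, masks in entries:
            for reg, mask in masks.items():
                print("%-10s leaf %#x/%#x %s bit %s"
                      % (name, eax_in, ecx_in, reg, bit_positions(mask)))
    print("intel, new microcode:", detect_features(cpu_map, INTEL_NEW_UCODE))
    print("amd host CPUID:      ", detect_features(cpu_map, AMD_HOST))
    print(guest_cpu_xml("Haswell-IBRS", [("ssbd", "require")]))
    print(guest_cpu_xml(None, [("ibpb", "require"), ("virt-ssbd", "force")]))
```

Running it lists each feature as a leaf/register/bit triple (spec-ctrl is leaf 7 EDX bit 26, ssbd bit 31, ibpb/amd-ssbd/virt-ssbd/amd-no-ssb are 0x80000008 EBX bits 12, 24, 25, 26) and shows why the AMD host snapshot never yields virt-ssbd on its own: the bit only exists in the virtualised CPUID, which is the reason the virt-ssbd patch message asks for `policy='force'`.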
diff --git a/debian/changelog b/debian/changelog
index 198e75dcfe..04b7242746 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+libvirt (3.0.0-4+deb9u4) stretch; urgency=medium
+
+  * cpu_map: Define md-clear CPUID bit.
+    CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
+  * Add spec-ctrl and ibpb CPU features and ibrs CPU models.
+    CVE-2017-5753, CVE-2017-5715
+  * Add ssbd CPU feature.
+    CVE-2018-3639
+
+ -- Guido Günther <agx@sigxcpu.org>  Wed, 12 Jun 2019 10:13:38 +0200
+
 libvirt (3.0.0-4+deb9u3) stretch-security; urgency=high
 
   * gbp: switch branch to stretch
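Review bot: the changelog is narrower than the patch set: the bullet "Add ssbd CPU feature" actually covers four new cpu_map features (ssbd, virt-ssbd, amd-ssbd, amd-no-ssb), and the virt-ssbd patch's own message says AMD users on older QEMU must enable that one by hand with policy=force. Suggest naming all four in the bullet and adding one line telling AMD users about `<feature policy='force' name='virt-ssbd'/>`, since this changelog is the only text most stretch users will read. Also note that the three ssbd patches land in debian/patches/ while the -IBRS model patches go under debian/patches/security/; either is fine, but pick one so the series stays easy to audit.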
diff --git a/debian/patches/cpu-add-amd-ssbd-and-amd-no-ssb-CPU-features-CVE-2018-363.patch b/debian/patches/cpu-add-amd-ssbd-and-amd-no-ssb-CPU-features-CVE-2018-363.patch
new file mode 100644
index 0000000000..048477b45f
--- /dev/null
+++ b/debian/patches/cpu-add-amd-ssbd-and-amd-no-ssb-CPU-features-CVE-2018-363.patch
@@ -0,0 +1,59 @@
+From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange@redhat.com>
+Date: Thu, 14 Jun 2018 11:12:59 +0100
+Subject: cpu: add 'amd-ssbd' and 'amd-no-ssb' CPU features (CVE-2018-3639)
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+AMD x86 CPUs have two separate ways to mitigate the Speculative Store
+Bypass hardware flaw. In current processors only non-architectural MSRs
+are available, and so hypervisors must expose a virtualized MSR and CPU
+flag "virt-ssbd" (CPUID Function 8000_0008, EBX[25]=1).
+
+In future processors AMD will provide an architectural MSR, indicated by
+existance of the CPUID Function 8000_0008, EBX[24]=1, to which QEMU has
+given the name "amd-ssbd".
+
+The "amd-ssbd" flag should be used in preference to "virt-ssbd", if it
+is available, since it provides improved performance. For virtual
+machine configuration, both should be exposed when available, to allow
+for maximal guest OS compatibility as not all guests yet support both.
+
+If future processes are not vulnerable to the flaw, this will be
+indicated by the existance of CPUID Function 8000_0008, EBX[26]=1,
+to which QEMU has given the name "amd-no-ssb".
+
+See also 124441_AMD64_SpeculativeStoreBypassDisable_Whitepaper_final.pdf
+from:
+
+  https://bugzilla.kernel.org/show_bug.cgi?id=199889
+
+Note that neither amd-ssbd or amd-no-ssb will be reported by the kernel
+in /proc/cpuinfo. It knows about these CPUID bits and does the right thing,
+but doesn't report their existance as distinct flags in /proc/cpuinfo.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ src/cpu/cpu_map.xml | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index 61542cf..2f109e4 100644
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -424,9 +424,15 @@
+     <feature name='ibpb'>
+       <cpuid eax_in='0x80000008' ebx='0x00001000'/>
+     </feature>
++    <feature name='amd-ssbd'>
++      <cpuid eax_in='0x80000008' ebx='0x01000000'/>
++    </feature>
+     <feature name='virt-ssbd'>
+       <cpuid eax_in='0x80000008' ebx='0x02000000'/>
+     </feature>
++    <feature name='amd-no-ssb'>
++      <cpuid eax_in='0x80000008' ebx='0x04000000'/>
++    </feature>
+ 
+     <!-- models -->
+     <model name='486'>
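Review bot: the file name is truncated to `CVE-2018-363.patch` while the two sibling patches spell out `CVE-2018-3639`; rename it so a grep for the CVE finds all three. The index line (61542cf..2f109e4) shows this must apply after the virt-ssbd patch, which produces 61542cf, so keep that order in debian/patches/series. The masks match the message: amd-ssbd is 0x80000008 EBX bit 24 (0x01000000), amd-no-ssb bit 26 (0x04000000), with the existing virt-ssbd at bit 25 between them. Since the message says the kernel does not show these two as /proc/cpuinfo flags, the only practical way for a user to confirm the definition on an AMD host after the update is `virsh capabilities`, which evaluates these CPUID masks rather than reading /proc/cpuinfo.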
diff --git a/debian/patches/cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch b/debian/patches/cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
new file mode 100644
index 0000000000..f57eed9cfb
--- /dev/null
+++ b/debian/patches/cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
@@ -0,0 +1,31 @@
+From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange@redhat.com>
+Date: Mon, 21 May 2018 23:05:07 +0100
+Subject: cpu: define the 'ssbd' CPUID feature bit (CVE-2018-3639)
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+New microcode introduces the "Speculative Store Bypass Disable"
+CPUID feature bit. This needs to be exposed to guest OS to allow
+them to protect against CVE-2018-3639.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/cpu/cpu_map.xml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index ec13299..a1a5da1 100644
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -289,6 +289,9 @@
+     <feature name='spec-ctrl'>
+       <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/>
+     </feature>
++    <feature name='ssbd'>
++      <cpuid eax_in='0x07' ecx_in='0x00' edx='0x80000000'/>
++    </feature>
+ 
+     <!-- Processor Extended State Enumeration sub leaf 1 -->
+     <feature name='xsaveopt'>
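Review bot: the index line (ec13299..a1a5da1) makes this patch depend on the Skylake-Client-IBRS patch, which produces ec13299, so the series order has to be all -IBRS model patches first, then ssbd, virt-ssbd, amd-ssbd; the changelog lists them the other way round, which is fine as prose but must not leak into series. The mask is right: leaf 7 subleaf 0 EDX bit 31 (0x80000000), next to spec-ctrl at bit 26. Note that none of the -IBRS models added in this upload include ssbd, so a guest only gets it when the host CPUID shows it (host-model) or the domain XML asks for it with `<feature policy='require' name='ssbd'/>`; that is normal libvirt behaviour, but a sentence in README.Debian would save users a trip to the blog post cited in the mail.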
diff --git a/debian/patches/cpu-define-the-virt-ssbd-CPUID-feature-bit-CVE-2018-3639.patch b/debian/patches/cpu-define-the-virt-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
new file mode 100644
index 0000000000..bdb4b4f8a7
--- /dev/null
+++ b/debian/patches/cpu-define-the-virt-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
@@ -0,0 +1,41 @@
+From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange@redhat.com>
+Date: Mon, 21 May 2018 23:05:08 +0100
+Subject: cpu: define the 'virt-ssbd' CPUID feature bit (CVE-2018-3639)
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 8bit
+
+Some AMD processors only support a non-architectural means of
+enabling Speculative Store Bypass Disable. To allow simplified
+handling in virtual environments, hypervisors will expose an
+architectural definition through CPUID bit 0x80000008_EBX[25].
+This needs to be exposed to guest OS running on AMD x86 hosts to
+allow them to protect against CVE-2018-3639.
+
+Note that since this CPUID bit won't be present in the host CPUID
+results on physical hosts, it will not be enabled automatically
+in guests configured with "host-model" CPU unless using QEMU
+version >= 2.9.0. Thus for older versions of QEMU, this feature
+must be manually enabled using policy=force. Guests using the
+"host-passthrough" CPU mode do not need special handling.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
+---
+ src/cpu/cpu_map.xml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index a1a5da1..61542cf 100644
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -424,6 +424,9 @@
+     <feature name='ibpb'>
+       <cpuid eax_in='0x80000008' ebx='0x00001000'/>
+     </feature>
++    <feature name='virt-ssbd'>
++      <cpuid eax_in='0x80000008' ebx='0x02000000'/>
++    </feature>
+ 
+     <!-- models -->
+     <model name='486'>
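Review bot: the caveat in this message matters more for a stable update than upstream: virt-ssbd is never present in physical host CPUID, so host-model guests only pick it up with QEMU >= 2.9.0, and if stretch's QEMU predates that (check the version in the archive before upload) AMD users have to add `<feature policy='force' name='virt-ssbd'/>` to every domain or stay on host-passthrough, which is exactly the fallback this upload is meant to remove. Spell that out in the changelog or NEWS. The mask (0x80000008 EBX bit 25, 0x02000000) and the placement after ibpb are consistent with the amd-ssbd patch that follows.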
diff --git a/debian/patches/qemu-skip-QMP-probing-of-CPU-definitions-when-missing.patch b/debian/patches/qemu-skip-QMP-probing-of-CPU-definitions-when-missing.patch
index 85fd5b88f4..ff99099706 100644
--- a/debian/patches/qemu-skip-QMP-probing-of-CPU-definitions-when-missing.patch
+++ b/debian/patches/qemu-skip-QMP-probing-of-CPU-definitions-when-missing.patch
@@ -229,7 +229,7 @@ index faddd50..46aae4f 100644
    <kvmVersion>0</kvmVersion>
    <package></package>
 diff --git a/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml b/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml
-index af21017..4c45b38 100644
+index af21017b..4c45b38 100644
 --- a/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml
 +++ b/tests/qemucapabilitiesdata/caps_2.7.0.s390x.xml
 @@ -127,6 +127,7 @@
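Review bot: this hunk only lengthens an abbreviated blob id inside a quoted test-data index line (af21017 -> af21017b), a side effect of re-exporting the patch queue; nothing that gets applied changes. Harmless, but it is noise in a stable update, so either drop it or say in the changelog that the existing patches were regenerated.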
diff --git a/debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch b/debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
index f7277a7664..c4a026a206 100644
--- a/debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
+++ b/debian/patches/security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
@@ -4,18 +4,19 @@ Subject: CVE-2018-1064: qemu: avoid denial of service reading from QEMU guest
  agent
 MIME-Version: 1.0
 Content-Type: text/plain; charset="utf-8"
-Content-Transfer-Encoding: base64
+Content-Transfer-Encoding: 8bit
 
-V2UgcmVhZCBmcm9tIHRoZSBhZ2VudCB1bnRpbCBzZWVpbmcgYSBcclxuIHBhaXIgdG8gaW5kaWNh
-dGUgYSBjb21wbGV0ZWQKcmVwbHkgb3IgZXZlbnQuIFRvIGF2b2lkIG1lbW9yeSBkZW5pYWwtb2Yt
-c2VydmljZSB0aG91Z2gsIHdlIG11c3QgaGF2ZSBhCnNpemUgbGltaXQgb24gYW1vdW50IG9mIGRh
-dGEgd2UgYnVmZmVyLiAxMCBNQiBpcyBsYXJnZSBlbm91Z2ggdGhhdCBpdApvdWdodCB0byBjb3Bl
-IHdpdGggbm9ybWFsIGFnZW50IHJlcGxpZXMsIGFuZCBzbWFsbCBlbm91Z2ggdGhhdCB3ZSdyZSBu
-b3QKY29uc3VtaW5nIHVucmVhc29uYWJsZSBtZW0uCgpUaGlzIGlzIGlkZW50aWNhbCB0byB0aGUg
-ZmxhdyB3ZSBoYWQgcmVhZGluZyBmcm9tIHRoZSBRRU1VIG1vbml0b3IKYXMgQ1ZFLTIwMTgtNTc0
-OCwgc28gcmF0aGVyIGVtYmFycmFzc2luZyB0aGF0IHdlIGZvcmdvdCB0byBmaXgKdGhlIGFnZW50
-IGNvZGUgYXQgdGhlIHNhbWUgdGltZS4KClNpZ25lZC1vZmYtYnk6IERhbmllbCBQLiBCZXJyYW5n
-w6kgPGJlcnJhbmdlQHJlZGhhdC5jb20+Cg==
+We read from the agent until seeing a \r\n pair to indicate a completed
+reply or event. To avoid memory denial-of-service though, we must have a
+size limit on amount of data we buffer. 10 MB is large enough that it
+ought to cope with normal agent replies, and small enough that we're not
+consuming unreasonable mem.
+
+This is identical to the flaw we had reading from the QEMU monitor
+as CVE-2018-5748, so rather embarrassing that we forgot to fix
+the agent code at the same time.
+
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
 ---
  src/qemu/qemu_agent.c | 15 +++++++++++++++
  1 file changed, 15 insertions(+)
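Review bot: the base64 body is decoded to its 8bit text (the first encoded line decodes to "We read from the agent until seeing a \r\n pair to indica", matching the replacement) and the Content-Transfer-Encoding header is changed to match, so the patch content is unchanged. Same remark as the previous hunk: this is patch-queue churn unrelated to the cpu map change; fine to keep if the release team does not mind, but the changelog should mention that the existing patches were refreshed so the extra hunks are not mistaken for functional changes.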
diff --git a/debian/patches/security/cpu-Add-Broadwell-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-Broadwell-IBRS-CPU-model.patch
new file mode 100644
index 0000000000..946c908e05
--- /dev/null
+++ b/debian/patches/security/cpu-Add-Broadwell-IBRS-CPU-model.patch
@@ -0,0 +1,92 @@
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Tue, 9 Jan 2018 21:36:28 +0100
+Subject: cpu: Add Broadwell-IBRS CPU model
+
+This is a variant of Broadwell with indirect branch prediction
+protection. The only difference between Broadwell and Broadwell-IBRS is
+the added "spec-ctrl" feature.
+
+The Broadwell-IBRS model in QEMU is a bit different since Broadwell got
+several additional features since we added it in cpu_map.xml:
+    abm, arat, f16c, rdrand, vme, xsaveopt
+
+Adding them only to the -IBRS variant would confuse our CPU detection
+code.
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
+---
+ src/cpu/cpu_map.xml | 60 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 60 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index 19d7944..28c1a1f 100644
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -1559,6 +1559,66 @@
+       <feature name='xsave'/>
+     </model>
+ 
++    <model name='Broadwell-IBRS'>
++      <signature family='6' model='61'/>
++      <vendor name='Intel'/>
++      <feature name='3dnowprefetch'/>
++      <feature name='adx'/>
++      <feature name='aes'/>
++      <feature name='apic'/>
++      <feature name='avx'/>
++      <feature name='avx2'/>
++      <feature name='bmi1'/>
++      <feature name='bmi2'/>
++      <feature name='clflush'/>
++      <feature name='cmov'/>
++      <feature name='cx16'/>
++      <feature name='cx8'/>
++      <feature name='de'/>
++      <feature name='erms'/>
++      <feature name='fma'/>
++      <feature name='fpu'/>
++      <feature name='fsgsbase'/>
++      <feature name='fxsr'/>
++      <feature name='hle'/>
++      <feature name='invpcid'/>
++      <feature name='lahf_lm'/>
++      <feature name='lm'/>
++      <feature name='mca'/>
++      <feature name='mce'/>
++      <feature name='mmx'/>
++      <feature name='movbe'/>
++      <feature name='msr'/>
++      <feature name='mtrr'/>
++      <feature name='nx'/>
++      <feature name='pae'/>
++      <feature name='pat'/>
++      <feature name='pcid'/>
++      <feature name='pclmuldq'/>
++      <feature name='pge'/>
++      <feature name='pni'/>
++      <feature name='popcnt'/>
++      <feature name='pse'/>
++      <feature name='pse36'/>
++      <feature name='rdseed'/>
++      <feature name='rdtscp'/>
++      <feature name='rtm'/>
++      <feature name='sep'/>
++      <feature name='smap'/>
++      <feature name='smep'/>
++      <feature name='spec-ctrl'/>
++      <feature name='sse'/>
++      <feature name='sse2'/>
++      <feature name='sse4.1'/>
++      <feature name='sse4.2'/>
++      <feature name='ssse3'/>
++      <feature name='syscall'/>
++      <feature name='tsc'/>
++      <feature name='tsc-deadline'/>
++      <feature name='x2apic'/>
++      <feature name='xsave'/>
++    </model>
++
+     <model name='Skylake-Client'>
+       <signature family='6' model='94'/>
+       <vendor name='Intel'/>
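Review bot: the model list checks out against its siblings in this series: it is Broadwell-noTSX-IBRS plus hle and rtm, and Haswell-IBRS plus 3dnowprefetch, adx, rdseed and smap, so the -IBRS variants keep the same relationship as the base models and, as the message requires for detection, differ from them only by spec-ctrl. Since all Broadwell variants share signature family 6 model 61, host-model detection on a Broadwell host chooses by feature set; verify after the update with `virsh capabilities` that a host with new microcode is reported as Broadwell-IBRS and one without still as Broadwell. One thing the hunk cannot show is whether stretch's QEMU accepts `-cpu Broadwell-IBRS`; libvirt filters models by what QEMU reports over QMP (see the qemu-skip-QMP-probing patch in this series), so a model QEMU does not know would silently be unavailable.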
diff --git a/debian/patches/security/cpu-Add-Broadwell-noTSX-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-Broadwell-noTSX-IBRS-CPU-model.patch
new file mode 100644
index 0000000000..c12422f0a7
--- /dev/null
+++ b/debian/patches/security/cpu-Add-Broadwell-noTSX-IBRS-CPU-model.patch
@@ -0,0 +1,91 @@
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Mon, 8 Jan 2018 20:53:25 +0100
+Subject: cpu: Add Broadwell-noTSX-IBRS CPU model
+
+This is a variant of Broadwell-noTSX with indirect branch prediction
+protection. The only difference between Broadwell-noTSX and
+Broadwell-noTSX-IBRS is the added "spec-ctrl" feature.
+
+The Broadwell-noTSX-IBRS model in QEMU is a bit different since
+Broadwell-noTSX got several additional features since we added it in
+cpu_map.xml:
+    abm, arat, f16c, rdrand, vme, xsaveopt
+
+Adding them only to the -IBRS variant would confuse our CPU detection
+code.
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
+---
+ src/cpu/cpu_map.xml | 58 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 58 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index 21b89e9..19d7944 100644
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -1442,6 +1442,64 @@
+       <feature name='xsave'/>
+     </model>
+ 
++    <model name='Broadwell-noTSX-IBRS'>
++      <signature family='6' model='61'/>
++      <vendor name='Intel'/>
++      <feature name='3dnowprefetch'/>
++      <feature name='adx'/>
++      <feature name='aes'/>
++      <feature name='apic'/>
++      <feature name='avx'/>
++      <feature name='avx2'/>
++      <feature name='bmi1'/>
++      <feature name='bmi2'/>
++      <feature name='clflush'/>
++      <feature name='cmov'/>
++      <feature name='cx16'/>
++      <feature name='cx8'/>
++      <feature name='de'/>
++      <feature name='erms'/>
++      <feature name='fma'/>
++      <feature name='fpu'/>
++      <feature name='fsgsbase'/>
++      <feature name='fxsr'/>
++      <feature name='invpcid'/>
++      <feature name='lahf_lm'/>
++      <feature name='lm'/>
++      <feature name='mca'/>
++      <feature name='mce'/>
++      <feature name='mmx'/>
++      <feature name='movbe'/>
++      <feature name='msr'/>
++      <feature name='mtrr'/>
++      <feature name='nx'/>
++      <feature name='pae'/>
++      <feature name='pat'/>
++      <feature name='pcid'/>
++      <feature name='pclmuldq'/>
++      <feature name='pge'/>
++      <feature name='pni'/>
++      <feature name='popcnt'/>
++      <feature name='pse'/>
++      <feature name='pse36'/>
++      <feature name='rdseed'/>
++      <feature name='rdtscp'/>
++      <feature name='sep'/>
++      <feature name='smap'/>
++      <feature name='smep'/>
++      <feature name='spec-ctrl'/>
++      <feature name='sse'/>
++      <feature name='sse2'/>
++      <feature name='sse4.1'/>
++      <feature name='sse4.2'/>
++      <feature name='ssse3'/>
++      <feature name='syscall'/>
++      <feature name='tsc'/>
++      <feature name='tsc-deadline'/>
++      <feature name='x2apic'/>
++      <feature name='xsave'/>
++    </model>
++
+     <model name='Broadwell'>
+       <signature family='6' model='61'/>
+       <vendor name='Intel'/>
diff --git a/debian/patches/security/cpu-Add-Haswell-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-Haswell-IBRS-CPU-model.patch
new file mode 100644
index 0000000000..17789f86c2
--- /dev/null
+++ b/debian/patches/security/cpu-Add-Haswell-IBRS-CPU-model.patch
@@ -0,0 +1,88 @@
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Mon, 8 Jan 2018 20:53:25 +0100
+Subject: cpu: Add Haswell-IBRS CPU model
+
+This is a variant of Haswell with indirect branch prediction protection.
+The only difference between Haswell and Haswell-IBRS is the added
+"spec-ctrl" feature.
+
+The Haswell-IBRS model in QEMU is a bit different since Haswell got
+several additional features since we added it in cpu_map.xml:
+    arat, abm, f16c, rdrand, vme, xsaveopt
+
+Adding them only to the -IBRS variant would confuse our CPU detection
+code.
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
+---
+ src/cpu/cpu_map.xml | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index ccfab9a..21b89e9 100644
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -1329,6 +1329,62 @@
+       <feature name='xsave'/>
+     </model>
+ 
++    <model name='Haswell-IBRS'>
++      <signature family='6' model='60'/>
++      <vendor name='Intel'/>
++      <feature name='aes'/>
++      <feature name='apic'/>
++      <feature name='avx'/>
++      <feature name='avx2'/>
++      <feature name='bmi1'/>
++      <feature name='bmi2'/>
++      <feature name='clflush'/>
++      <feature name='cmov'/>
++      <feature name='cx16'/>
++      <feature name='cx8'/>
++      <feature name='de'/>
++      <feature name='erms'/>
++      <feature name='fma'/>
++      <feature name='fpu'/>
++      <feature name='fsgsbase'/>
++      <feature name='fxsr'/>
++      <feature name='hle'/>
++      <feature name='invpcid'/>
++      <feature name='lahf_lm'/>
++      <feature name='lm'/>
++      <feature name='mca'/>
++      <feature name='mce'/>
++      <feature name='mmx'/>
++      <feature name='movbe'/>
++      <feature name='msr'/>
++      <feature name='mtrr'/>
++      <feature name='nx'/>
++      <feature name='pae'/>
++      <feature name='pat'/>
++      <feature name='pcid'/>
++      <feature name='pclmuldq'/>
++      <feature name='pge'/>
++      <feature name='pni'/>
++      <feature name='popcnt'/>
++      <feature name='pse'/>
++      <feature name='pse36'/>
++      <feature name='rdtscp'/>
++      <feature name='rtm'/>
++      <feature name='sep'/>
++      <feature name='smep'/>
++      <feature name='spec-ctrl'/>
++      <feature name='sse'/>
++      <feature name='sse2'/>
++      <feature name='sse4.1'/>
++      <feature name='sse4.2'/>
++      <feature name='ssse3'/>
++      <feature name='syscall'/>
++      <feature name='tsc'/>
++      <feature name='tsc-deadline'/>
++      <feature name='x2apic'/>
++      <feature name='xsave'/>
++    </model>
++
+     <model name='Broadwell-noTSX'>
+       <signature family='6' model='61'/>
+       <vendor name='Intel'/>
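Review bot: the list is Haswell-noTSX-IBRS plus hle and rtm, as expected, and per the message deliberately omits abm, arat, f16c, rdrand, vme and xsaveopt although QEMU's Haswell-IBRS has them. As the Nehalem-IBRS message in this series explains, QEMU provides such features anyway when the model is named explicitly, so a guest with `<model>Haswell-IBRS</model>` gets them while libvirt's view of the model lacks them; harmless here, but it is a reason to steer users towards host-model once this update is installed.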
diff --git a/debian/patches/security/cpu-Add-Haswell-noTSX-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-Haswell-noTSX-IBRS-CPU-model.patch
new file mode 100644
index 0000000000..518ce709cd
--- /dev/null
+++ b/debian/patches/security/cpu-Add-Haswell-noTSX-IBRS-CPU-model.patch
@@ -0,0 +1,87 @@
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Tue, 9 Jan 2018 20:40:03 +0100
+Subject: cpu: Add Haswell-noTSX-IBRS CPU model
+
+This is a variant of Haswell-noTSX with indirect branch prediction
+protection. The only difference between Haswell-noTSX and
+Haswell-noTSX-IBRS is the added "spec-ctrl" feature.
+
+The Haswell-noTSX-IBRS model in QEMU is a bit different since
+Haswell-noTSX got several additional features since we added it in
+cpu_map.xml:
+    arat, abm, f16c, rdrand, vme, xsaveopt
+
+Adding them only to the -IBRS variant would confuse our CPU detection
+code.
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
+---
+ src/cpu/cpu_map.xml | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 54 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index 12485f2..ccfab9a 100644
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -1220,6 +1220,60 @@
+       <feature name='xsave'/>
+     </model>
+ 
++    <model name='Haswell-noTSX-IBRS'>
++      <signature family='6' model='60'/>
++      <vendor name='Intel'/>
++      <feature name='aes'/>
++      <feature name='apic'/>
++      <feature name='avx'/>
++      <feature name='avx2'/>
++      <feature name='bmi1'/>
++      <feature name='bmi2'/>
++      <feature name='clflush'/>
++      <feature name='cmov'/>
++      <feature name='cx16'/>
++      <feature name='cx8'/>
++      <feature name='de'/>
++      <feature name='erms'/>
++      <feature name='fma'/>
++      <feature name='fpu'/>
++      <feature name='fsgsbase'/>
++      <feature name='fxsr'/>
++      <feature name='invpcid'/>
++      <feature name='lahf_lm'/>
++      <feature name='lm'/>
++      <feature name='mca'/>
++      <feature name='mce'/>
++      <feature name='mmx'/>
++      <feature name='movbe'/>
++      <feature name='msr'/>
++      <feature name='mtrr'/>
++      <feature name='nx'/>
++      <feature name='pae'/>
++      <feature name='pat'/>
++      <feature name='pcid'/>
++      <feature name='pclmuldq'/>
++      <feature name='pge'/>
++      <feature name='pni'/>
++      <feature name='popcnt'/>
++      <feature name='pse'/>
++      <feature name='pse36'/>
++      <feature name='rdtscp'/>
++      <feature name='sep'/>
++      <feature name='smep'/>
++      <feature name='spec-ctrl'/>
++      <feature name='sse'/>
++      <feature name='sse2'/>
++      <feature name='sse4.1'/>
++      <feature name='sse4.2'/>
++      <feature name='ssse3'/>
++      <feature name='syscall'/>
++      <feature name='tsc'/>
++      <feature name='tsc-deadline'/>
++      <feature name='x2apic'/>
++      <feature name='xsave'/>
++    </model>
++
+     <model name='Haswell'>
+       <signature family='6' model='60'/>
+       <vendor name='Intel'/>
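Review bot: first patch in the Haswell/Broadwell chain (index 12485f2..ccfab9a, continuing from IvyBridge-IBRS); the list is Haswell-IBRS without hle and rtm and differs from the Haswell-noTSX model it is inserted before only by spec-ctrl, which is what the detection code needs. Nothing to change.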
diff --git a/debian/patches/security/cpu-Add-IvyBridge-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-IvyBridge-IBRS-CPU-model.patch
new file mode 100644
index 0000000000..5022f420d6
--- /dev/null
+++ b/debian/patches/security/cpu-Add-IvyBridge-IBRS-CPU-model.patch
@@ -0,0 +1,82 @@
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Mon, 8 Jan 2018 20:53:25 +0100
+Subject: cpu: Add IvyBridge-IBRS CPU model
+
+This is a variant of IvyBridge with indirect branch prediction
+protection. The only difference between IvyBridge and IvyBridge-IBRS is
+the added "spec-ctrl" feature.
+
+The IvyBridge-IBRS model in QEMU is a bit different since IvyBridge got
+several additional features since we added it in cpu_map.xml:
+    arat, vme, xsaveopt
+
+Adding them only to the -IBRS variant would confuse our CPU detection
+code.
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
+---
+ src/cpu/cpu_map.xml | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index 4c96193..12485f2 100644
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -1117,6 +1117,56 @@
+       <feature name='xsave'/>
+     </model>
+ 
++    <model name='IvyBridge-IBRS'>
++      <signature family='6' model='58'/>
++      <vendor name='Intel'/>
++      <feature name='aes'/>
++      <feature name='apic'/>
++      <feature name='avx'/>
++      <feature name='clflush'/>
++      <feature name='cmov'/>
++      <feature name='cx16'/>
++      <feature name='cx8'/>
++      <feature name='de'/>
++      <feature name='erms'/>
++      <feature name='f16c'/>
++      <feature name='fpu'/>
++      <feature name='fsgsbase'/>
++      <feature name='fxsr'/>
++      <feature name='lahf_lm'/>
++      <feature name='lm'/>
++      <feature name='mca'/>
++      <feature name='mce'/>
++      <feature name='mmx'/>
++      <feature name='msr'/>
++      <feature name='mtrr'/>
++      <feature name='nx'/>
++      <feature name='pae'/>
++      <feature name='pat'/>
++      <feature name='pclmuldq'/>
++      <feature name='pge'/>
++      <feature name='pni'/>
++      <feature name='popcnt'/>
++      <feature name='pse'/>
++      <feature name='pse36'/>
++      <feature name='rdrand'/>
++      <feature name='rdtscp'/>
++      <feature name='sep'/>
++      <feature name='smep'/>
++      <feature name='spec-ctrl'/>
++      <feature name='sse'/>
++      <feature name='sse2'/>
++      <feature name='sse4.1'/>
++      <feature name='sse4.2'/>
++      <feature name='ssse3'/>
++      <feature name='syscall'/>
++      <feature name='tsc'/>
++      <feature name='tsc-deadline'/>
++      <feature name='vme'/>
++      <feature name='x2apic'/>
++      <feature name='xsave'/>
++    </model>
++
+     <model name='Haswell-noTSX'>
+       <signature family='6' model='60'/>
+       <vendor name='Intel'/>
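Review bot: the message and the hunk disagree about vme: the message lists vme among the features QEMU's IvyBridge-IBRS has and libvirt's model lacks, yet the model adds `<feature name='vme'/>`. Either the message is stale or vme should go; compare with the existing IvyBridge model (not in this hunk), because the -IBRS variant must differ from it by spec-ctrl alone or the detection problem the message warns about applies. The rest of the list (f16c and rdrand present, no avx2, hle or rtm) is what one expects for IvyBridge.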
diff --git a/debian/patches/security/cpu-Add-Nehalem-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-Nehalem-IBRS-CPU-model.patch
new file mode 100644
index 0000000000..558b8fcddf
--- /dev/null
+++ b/debian/patches/security/cpu-Add-Nehalem-IBRS-CPU-model.patch
@@ -0,0 +1,72 @@
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Mon, 8 Jan 2018 20:53:25 +0100
+Subject: cpu: Add Nehalem-IBRS CPU model
+
+This is a variant of Nehalem with indirect branch prediction protection.
+The only difference between Nehalem and Nehalem-IBRS is the added
+"spec-ctrl" feature.
+
+Thus the diff matches QEMU, but the new CPU model itself is different.
+The QEMU's versions of both models contain "vme" feature, while this
+feature is missing in libvirt's models. While we can't change the
+existing Nehalem CPU model, we could add "vme" to Nehalem-IBRS to make
+it similar to QEMU, but doing so would fool our CPU detecting code so
+that any Nehalem CPU with "vme" feature would be detected as
+Nehalem-IBRS CPU without spec-ctrl. Not adding "vme" to Nehalem-IBRS is
+safe as QEMU will just provide the feature anyway, which matches what
+happens with Nehalem (and new enough machine types).
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
+---
+ src/cpu/cpu_map.xml | 37 +++++++++++++++++++++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index 4c68023..ee3dc06 100644
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -869,6 +869,43 @@
+       <feature name='tsc'/>
+     </model>
+ 
++    <model name='Nehalem-IBRS'>
++      <signature family='6' model='26'/>
++      <vendor name='Intel'/>
++      <feature name='apic'/>
++      <feature name='clflush'/>
++      <feature name='cmov'/>
++      <feature name='cx16'/>
++      <feature name='cx8'/>
++      <feature name='de'/>
++      <feature name='fpu'/>
++      <feature name='fxsr'/>
++      <feature name='lahf_lm'/>
++      <feature name='lm'/>
++      <feature name='mca'/>
++      <feature name='mce'/>
++      <feature name='mmx'/>
++      <feature name='msr'/>
++      <feature name='mtrr'/>
++      <feature name='nx'/>
++      <feature name='pae'/>
++      <feature name='pat'/>
++      <feature name='pge'/>
++      <feature name='pni'/>
++      <feature name='popcnt'/>
++      <feature name='pse'/>
++      <feature name='pse36'/>
++      <feature name='sep'/>
++      <feature name='spec-ctrl'/>
++      <feature name='sse'/>
++      <feature name='sse2'/>
++      <feature name='sse4.1'/>
++      <feature name='sse4.2'/>
++      <feature name='ssse3'/>
++      <feature name='syscall'/>
++      <feature name='tsc'/>
++    </model>
++
+     <model name='Westmere'>
+       <signature family='6' model='44'/>
+       <vendor name='Intel'/>
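Review bot: the index chain has a gap here: this patch ends at ee3dc06 but SandyBridge-IBRS starts from c6f96a7, so at least one more cpu_map patch sits between them in the series; given the insertion point right before Westmere, that is most likely a Westmere -IBRS variant, which the changelog's "ibrs CPU models" presumably covers but this part of the diff does not show. Confirm it is in series. The reasoning about vme is sound and the list is Nehalem plus spec-ctrl.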
diff --git a/debian/patches/security/cpu-Add-SandyBridge-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-SandyBridge-IBRS-CPU-model.patch
new file mode 100644
index 0000000000..26cc566f54
--- /dev/null
+++ b/debian/patches/security/cpu-Add-SandyBridge-IBRS-CPU-model.patch
@@ -0,0 +1,76 @@
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Mon, 8 Jan 2018 20:53:25 +0100
+Subject: cpu: Add SandyBridge-IBRS CPU model
+
+This is a variant of SandyBridge with indirect branch prediction
+protection. The only difference between SandyBridge and SandyBridge-IBRS
+is the added "spec-ctrl" feature.
+
+The SandyBridge-IBRS model in QEMU is a bit different since SandyBridge
+got several additional features since we added it in cpu_map.xml:
+    arat, vme, xsaveopt
+
+Adding them only to the -IBRS variant would confuse our CPU detection
+code.
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
+---
+ src/cpu/cpu_map.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 44 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index c6f96a7..4c96193 100644
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -1024,6 +1024,50 @@
+       <feature name='xsave'/>
+     </model>
+ 
++    <model name='SandyBridge-IBRS'>
++      <signature family='6' model='42'/>
++      <vendor name='Intel'/>
++      <feature name='aes'/>
++      <feature name='apic'/>
++      <feature name='avx'/>
++      <feature name='clflush'/>
++      <feature name='cmov'/>
++      <feature name='cx16'/>
++      <feature name='cx8'/>
++      <feature name='de'/>
++      <feature name='fpu'/>
++      <feature name='fxsr'/>
++      <feature name='lahf_lm'/>
++      <feature name='lm'/>
++      <feature name='mca'/>
++      <feature name='mce'/>
++      <feature name='mmx'/>
++      <feature name='msr'/>
++      <feature name='mtrr'/>
++      <feature name='nx'/>
++      <feature name='pae'/>
++      <feature name='pat'/>
++      <feature name='pclmuldq'/>
++      <feature name='pge'/>
++      <feature name='pni'/>
++      <feature name='popcnt'/>
++      <feature name='pse'/>
++      <feature name='pse36'/>
++      <feature name='rdtscp'/>
++      <feature name='sep'/>
++      <feature name='spec-ctrl'/>
++      <feature name='sse'/>
++      <feature name='sse2'/>
++      <feature name='sse4.1'/>
++      <feature name='sse4.2'/>
++      <feature name='ssse3'/>
++      <feature name='syscall'/>
++      <feature name='tsc'/>
++      <feature name='tsc-deadline'/>
++      <feature name='x2apic'/>
++      <feature name='xsave'/>
++    </model>
++
+     <model name='IvyBridge'>
+       <signature family='6' model='58'/>
+       <vendor name='Intel'/>
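Review bot: consistent with its message: no vme, arat or xsaveopt, and the list is IvyBridge-IBRS minus erms, f16c, fsgsbase, rdrand, smep and vme, which makes the vme line in the IvyBridge-IBRS hunk above stand out even more. Index c6f96a7..4c96193 feeds IvyBridge-IBRS next.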
diff --git a/debian/patches/security/cpu-Add-Skylake-Client-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-Skylake-Client-IBRS-CPU-model.patch
new file mode 100644
index 0000000000..7f5da76a35
--- /dev/null
+++ b/debian/patches/security/cpu-Add-Skylake-Client-IBRS-CPU-model.patch
@@ -0,0 +1,94 @@
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Tue, 9 Jan 2018 21:41:31 +0100
+Subject: cpu: Add Skylake-Client-IBRS CPU model
+
+This is a variant of Skylake-Client with indirect branch prediction
+protection. The only difference between Skylake-Client and
+Skylake-Client-IBRS is the added "spec-ctrl" feature.
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
+---
+ src/cpu/cpu_map.xml | 69 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 69 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index 28c1a1f..ec13299 100644
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -1687,6 +1687,75 @@
+       <feature name='xsaveopt'/>
+     </model>
+ 
++    <model name='Skylake-Client-IBRS'>
++      <signature family='6' model='94'/>
++      <vendor name='Intel'/>
++      <feature name='3dnowprefetch'/>
++      <feature name='abm'/>
++      <feature name='adx'/>
++      <feature name='aes'/>
++      <feature name='apic'/>
++      <feature name='arat'/>
++      <feature name='avx'/>
++      <feature name='avx2'/>
++      <feature name='bmi1'/>
++      <feature name='bmi2'/>
++      <feature name='clflush'/>
++      <feature name='cmov'/>
++      <feature name='cx16'/>
++      <feature name='cx8'/>
++      <feature name='de'/>
++      <feature name='erms'/>
++      <feature name='f16c'/>
++      <feature name='fma'/>
++      <feature name='fpu'/>
++      <feature name='fsgsbase'/>
++      <feature name='fxsr'/>
++      <feature name='hle'/>
++      <feature name='invpcid'/>
++      <feature name='lahf_lm'/>
++      <feature name='lm'/>
++      <feature name='mca'/>
++      <feature name='mce'/>
++      <feature name='mmx'/>
++      <feature name='movbe'/>
++      <feature name='mpx'/>
++      <feature name='msr'/>
++      <feature name='mtrr'/>
++      <feature name='nx'/>
++      <feature name='pae'/>
++      <feature name='pat'/>
++      <feature name='pcid'/>
++      <feature name='pclmuldq'/>
++      <feature name='pge'/>
++      <feature name='pni'/>
++      <feature name='popcnt'/>
++      <feature name='pse'/>
++      <feature name='pse36'/>
++      <feature name='rdrand'/>
++      <feature name='rdseed'/>
++      <feature name='rdtscp'/>
++      <feature name='rtm'/>
++      <feature name='sep'/>
++      <feature name='smap'/>
++      <feature name='smep'/>
++      <feature name='spec-ctrl'/>
++      <feature name='sse'/>
++      <feature name='sse2'/>
++      <feature name='sse4.1'/>
++      <feature name='sse4.2'/>
++      <feature name='ssse3'/>
++      <feature name='syscall'/>
++      <feature name='tsc'/>
++      <feature name='tsc-deadline'/>
++      <feature name='vme'/>
++      <feature name='x2apic'/>
++      <feature name='xgetbv1'/>
++      <feature name='xsave'/>
++      <feature name='xsavec'/>
++      <feature name='xsaveopt'/>
++    </model>
++
+     <!-- AMD CPUs -->
+     <model name='athlon'>
+       <vendor name='AMD'/>
diff --git a/debian/patches/security/cpu-Add-Westmere-IBRS-CPU-model.patch b/debian/patches/security/cpu-Add-Westmere-IBRS-CPU-model.patch
new file mode 100644
index 0000000000..83a342ab31
--- /dev/null
+++ b/debian/patches/security/cpu-Add-Westmere-IBRS-CPU-model.patch
@@ -0,0 +1,70 @@
+From: Jiri Denemark <jdenemar@redhat.com>
+Date: Mon, 8 Jan 2018 20:53:25 +0100
+Subject: cpu: Add Westmere-IBRS CPU model
+
+This is a variant of Westmere with indirect branch prediction
+protection. The only difference between Westmere and Westmere-IBRS is
+the added "spec-ctrl" feature.
+
+The Westmere-IBRS model in QEMU is a bit different since Westmere got
+several additional features since we added it in cpu_map.xml:
+    arat, pclmuldq, vme
+
+Adding them only to the -IBRS variant would confuse our CPU detection
+code.
+
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
+---
+ src/cpu/cpu_map.xml | 38 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 38 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index ee3dc06..c6f96a7 100644
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -943,6 +943,44 @@
+       <feature name='tsc'/>
+     </model>
+ 
++    <model name='Westmere-IBRS'>
++      <signature family='6' model='44'/>
++      <vendor name='Intel'/>
++      <feature name='aes'/>
++      <feature name='apic'/>
++      <feature name='clflush'/>
++      <feature name='cmov'/>
++      <feature name='cx16'/>
++      <feature name='cx8'/>
++      <feature name='de'/>
++      <feature name='fpu'/>
++      <feature name='fxsr'/>
++      <feature name='lahf_lm'/>
++      <feature name='lm'/>
++      <feature name='mca'/>
++      <feature name='mce'/>
++      <feature name='mmx'/>
++      <feature name='msr'/>
++      <feature name='mtrr'/>
++      <feature name='nx'/>
++      <feature name='pae'/>
++      <feature name='pat'/>
++      <feature name='pge'/>
++      <feature name='pni'/>
++      <feature name='popcnt'/>
++      <feature name='pse'/>
++      <feature name='pse36'/>
++      <feature name='sep'/>
++      <feature name='spec-ctrl'/>
++      <feature name='sse'/>
++      <feature name='sse2'/>
++      <feature name='sse4.1'/>
++      <feature name='sse4.2'/>
++      <feature name='ssse3'/>
++      <feature name='syscall'/>
++      <feature name='tsc'/>
++    </model>
++
+     <model name='SandyBridge'>
+       <signature family='6' model='42'/>
+       <vendor name='Intel'/>
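Review bot: The commit message states that this `Westmere-IBRS` deliberately omits `arat`, `pclmuldq` and `vme`, which QEMU's model of the same name carries, so the libvirt and QEMU definitions of `Westmere-IBRS` differ; confirm that the QEMU shipped in stretch actually provides the -IBRS models and the `spec-ctrl` feature before advertising them in cpu_map.xml, because a model listed here that the local QEMU lacks is accepted at define time and only fails when the domain starts.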
diff --git a/debian/patches/security/cpu-add-CPU-features-for-indirect-branch-prediction-prote.patch b/debian/patches/security/cpu-add-CPU-features-for-indirect-branch-prediction-prote.patch
new file mode 100644
index 0000000000..7b268da568
--- /dev/null
+++ b/debian/patches/security/cpu-add-CPU-features-for-indirect-branch-prediction-prote.patch
@@ -0,0 +1,39 @@
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 12 Dec 2017 16:23:42 +0100
+Subject: cpu: add CPU features for indirect branch prediction protection
+
+Added in QEMU commits TBD and TBD.
+
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Jiri Denemark <jdenemar@redhat.com>
+Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
+---
+ src/cpu/cpu_map.xml | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index 1269eb0..4c68023 100644
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
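Review bot: The commit message line `+Added in QEMU commits TBD and TBD.` still carries the upstream placeholders; fill in the QEMU commit ids or drop the sentence so the backport does not document a reference that was never resolved.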
+@@ -286,6 +286,9 @@
+     <feature name='md-clear'> <!-- md_clear -->
+       <cpuid eax_in='0x07' edx='0x00000400'/>
+     </feature>
++    <feature name='spec-ctrl'>
++      <cpuid eax_in='0x07' ecx_in='0x00' edx='0x04000000'/>
++    </feature>
+ 
+     <!-- Processor Extended State Enumeration sub leaf 1 -->
+     <feature name='xsaveopt'>
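Review bot: `spec-ctrl` spells out the sub-leaf (`ecx_in='0x00'`) while the neighbouring `md-clear` entry in the same leaf-7 block (`<cpuid eax_in='0x07' edx='0x00000400'/>`) leaves it implicit; both resolve to sub-leaf 0, so pick one style for the leaf-7 entries. The bit positions themselves check out against the published layout: CPUID.(EAX=7,ECX=0):EDX bit 26 (`0x04000000`) for IBRS/IBPB and bit 10 (`0x00000400`) for MD_CLEAR.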
+@@ -414,6 +417,11 @@
+       <cpuid eax_in='0x80000007' edx='0x00000100'/>
+     </feature>
+ 
++    <!-- More AMD-specific features -->
++    <feature name='ibpb'>
++      <cpuid eax_in='0x80000008' ebx='0x00001000'/>
++    </feature>
++
+     <!-- models -->
+     <model name='486'>
+       <feature name='fpu'/>
diff --git a/debian/patches/security/cpu_map-Define-md-clear-CPUID-bit.patch b/debian/patches/security/cpu_map-Define-md-clear-CPUID-bit.patch
new file mode 100644
index 0000000000..2f1ebd75aa
--- /dev/null
+++ b/debian/patches/security/cpu_map-Define-md-clear-CPUID-bit.patch
@@ -0,0 +1,28 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
+Date: Sun, 9 Jun 2019 13:10:51 +0200
+Subject: cpu_map: Define md-clear CPUID bit
+
+CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091
+
+The bit is set when microcode provides the mechanism to invoke a flush
+of various exploitable CPU buffers by invoking the VERW instruction.
+
+This is a backport of upstream commit 538d873571d7a682852dc1d70e5f4478f4d64e85
+---
+ src/cpu/cpu_map.xml | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/cpu/cpu_map.xml b/src/cpu/cpu_map.xml
+index 7d5540a..1269eb0 100644
+--- a/src/cpu/cpu_map.xml
++++ b/src/cpu/cpu_map.xml
+@@ -283,6 +283,9 @@
+     <feature name='avx512-4fmaps'>
+       <cpuid eax_in='0x07' edx='0x00000008'/>
+     </feature>
++    <feature name='md-clear'> <!-- md_clear -->
++      <cpuid eax_in='0x07' edx='0x00000400'/>
++    </feature>
+ 
+     <!-- Processor Extended State Enumeration sub leaf 1 -->
+     <feature name='xsaveopt'>
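Review bot: This hunk only defines the `md-clear` bit; none of the models in this series includes it, so a guest on a named model such as `Skylake-Client-IBRS` only gets the flag when the domain XML adds `<feature policy='require' name='md-clear'/>` (or uses `host-model`, which picks up the host's bits once they are defined here). Worth a line in the changelog or a NEWS entry so users know the update is not effective on its own for the MDS CVEs listed in the subject.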
diff --git a/debian/patches/series b/debian/patches/series
index 75c51eca9b..7ee68c860c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -27,3 +27,17 @@ qemu-shared-disks-with-cache-directsync-should-be-safe-fo.patch
 qemu-avoid-denial-of-service-reading-from-QEMU-monitor-CV.patch
 security/CVE-2018-1064-qemu-avoid-denial-of-service-reading-from-Q.patch
 security/CVE-2018-6764-virlog-determine-the-hostname-on-startup.patch
+security/cpu_map-Define-md-clear-CPUID-bit.patch
+security/cpu-add-CPU-features-for-indirect-branch-prediction-prote.patch
+security/cpu-Add-Nehalem-IBRS-CPU-model.patch
+security/cpu-Add-Westmere-IBRS-CPU-model.patch
+security/cpu-Add-SandyBridge-IBRS-CPU-model.patch
+security/cpu-Add-IvyBridge-IBRS-CPU-model.patch
+security/cpu-Add-Haswell-noTSX-IBRS-CPU-model.patch
+security/cpu-Add-Haswell-IBRS-CPU-model.patch
+security/cpu-Add-Broadwell-noTSX-IBRS-CPU-model.patch
+security/cpu-Add-Broadwell-IBRS-CPU-model.patch
+security/cpu-Add-Skylake-Client-IBRS-CPU-model.patch
+cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
+cpu-define-the-virt-ssbd-CPUID-feature-bit-CVE-2018-3639.patch
+cpu-add-amd-ssbd-and-amd-no-ssb-CPU-features-CVE-2018-363.patch
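Review bot: The three ssbd patches (`+cpu-define-the-ssbd-CPUID-feature-bit-CVE-2018-3639.patch` and the two entries after it) are appended at the top level while every other patch in this update lives under `security/`; move them under `security/` for consistency with the rest of the hunk, or say why they differ. The relative order otherwise checks out: `cpu_map-Define-md-clear-CPUID-bit.patch` has to precede `cpu-add-CPU-features-for-indirect-branch-prediction-prote.patch`, whose context lines already contain the `md-clear` feature, and the -IBRS model patches are listed in the order their `index` lines chain (the Westmere patch produces blob `c6f96a7`, which the SandyBridge patch consumes).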
