I run KVM on a host with a Xeon X5650 (Westmere) processor and normally launch qemu-system-x86_64 with the following CPU parameters:-

-cpu Westmere,+spec-ctrl,+pcid

Before applying the attached patch to qemu-2.12.0-r5, the reported CPU vulnerability status in a guest running "install-amd64-minimal-20180812T214502Z.iso" was as follows:-

# cd /sys/devices/system/cpu/vulnerabilities
# grep . *
l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
meltdown:Mitigation: PTI
spec_store_bypass:Vulnerable
spectre_v1:Mitigation: __user pointer sanitization
spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW

After applying the patch and adding +ssbd to the -cpu flags:-

l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
meltdown:Mitigation: PTI
spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
spectre_v1:Mitigation: __user pointer sanitization
spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW

See also bug 663502 and bug 664052.
Created attachment 544028
qemu-9802316ed6...403503b162.patch

Patch to support "ssbd" as a CPUID flag.
I meant to write qemu-2.12.0-r4 there; -r5 is the revision in my personal overlay.
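The before/after comparison in the report can be scripted. The following is an added example, not part of the original report or the attached patch: it lists entries a guest still reports as unmitigated and shows which entries changed between two snapshots. The function names (snapshot, unmitigated, changed) are hypothetical, and the sample data is constructed from the output quoted in the report.

```sh
#!/bin/sh
# Constructed sample input: the two "grep . *" snapshots quoted in the report.
common='l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
meltdown:Mitigation: PTI
spectre_v1:Mitigation: __user pointer sanitization
spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW'
before="$common
spec_store_bypass:Vulnerable"
after="$common
spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp"

# snapshot [DIR]: emit "name:status" lines for a live system, in the same
# shape as "grep . *" run inside the vulnerabilities directory.
snapshot() (
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    for f in "$dir"/*; do
        if [ -r "$f" ]; then printf '%s:%s\n' "${f##*/}" "$(cat "$f")"; fi
    done
)

# unmitigated SNAPSHOT: names whose status begins with "Vulnerable".
# A caveat inside a mitigation string (e.g. "SMT vulnerable") is not counted.
unmitigated() {
    printf '%s\n' "$1" | awk -F: '$2 ~ /^Vulnerable/ { print $1 }'
}

# changed BEFORE AFTER: print "name: old -> new" for each entry that differs.
changed() {
    { printf '%s\n' "$1"; echo '--'; printf '%s\n' "$2"; } | awk -F: '
        $0 == "--" { second = 1; next }
        { status = substr($0, length($1) + 2) }   # text after first colon
        !second    { old[$1] = status; next }
        { prev = ($1 in old) ? old[$1] : "(absent)"
          if (prev != status) printf "%s: %s -> %s\n", $1, prev, status }'
}

echo "Unmitigated before: $(unmitigated "$before")"
echo "Changed entries:"
changed "$before" "$after"
```

On a running guest, `unmitigated "$(snapshot)"` performs the same check against the live sysfs entries.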