Do not announce RDRAND instruction on Ivy Bridge

XSA-320 / CVE-2020-0543 affects Ivy Bridge and later platforms, but a
fix (microcode update) won't be available for Ivy Bridge. Disable
affected instruction (do not announce it in CPUID - complying software
should not use it then).

qubes/app.py

@@ -265,6 +265,8 @@ class QubesHost:
         self._no_cpus = None
         self._total_mem = None
         self._physinfo = None
+        self._cpu_family = None
+        self._cpu_model = None
 
     def _fetch(self):
         if self._no_cpus is not None:
@@ -303,6 +305,27 @@ class QubesHost:
         self._fetch()
         return self._no_cpus
 
+    @property
+    def cpu_family_model(self):
+        """Get CPU family and model"""
+        if self._cpu_family is None or self._cpu_model is None:
+            family = None
+            model = None
+            with open('/proc/cpuinfo') as cpuinfo:
+                for line in cpuinfo.readlines():
+                    line = line.strip()
+                    if not line:
+                        # take info from the first core
+                        break
+                    field, value = line.split(':', 1)
+                    if field.strip() == 'model':
+                        model = int(value.strip())
+                    elif field.strip() == 'cpu family':
+                        family = int(value.strip())
+            self._cpu_family = family
+            self._cpu_model = model
+        return self._cpu_family, self._cpu_model
+
     def get_free_xen_memory(self):
         """Get free memory from Xen's physinfo.
 

qubes/tests/vm/__init__.py

@@ -46,6 +46,7 @@ class TestHost(object):
     def __init__(self):
         self.memory_total = 1000 * 1024
         self.no_cpus = 4
+        self.cpu_family_model = (6, 6)
 
 class TestVMsCollection(dict):
     def get_vms_connected_to(self, vm):

templates/libvirt/xen.xml

@@ -19,6 +19,9 @@
             <feature name='svm' policy='disable'/>
             <!-- disable SMAP inside VM, because of Linux bug -->
             <feature name='smap' policy='disable'/>
+            {% if vm.app.host.cpu_family_model in [(6, 58), (6, 62)] -%}
+                <feature name='rdrand' policy='disable'/>
+            {% endif -%}
         </cpu>
     {% endif %}
     {% endblock %}