Qubes/core-admin
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Do not announce RDRAND instruction on Ivy Bridge

Browse Source 
XSA-320 / CVE-2020-0543 affects Ivy Bridge and later platforms, but a
fix (microcode update) won't be available for Ivy Bridge. Disable
affected instruction (do not announce it in CPUID - complying software
should not use it then).
This commit is contained in:
Marek Marczykowski-Górecki 2020-06-10 05:47:53 +02:00
parent 47d4030bdb
commit dc1b3b4d86
No known key found for this signature in database
GPG Key ID: 063938BA42CFA724
3 changed files with 27 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
qubes/app.py
View File

@ -265,6 +265,8 @@ class QubesHost:
self._no_cpus = None self._no_cpus = None
self._total_mem = None self._total_mem = None
self._physinfo = None self._physinfo = None
self._cpu_family = None
self._cpu_model = None
def _fetch(self): def _fetch(self):
if self._no_cpus is not None: if self._no_cpus is not None:
@ -303,6 +305,27 @@ class QubesHost:
self._fetch() self._fetch()
return self._no_cpus return self._no_cpus
@property
def cpu_family_model(self):
"""Get CPU family and model"""
if self._cpu_family is None or self._cpu_model is None:
family = None
model = None
with open('/proc/cpuinfo') as cpuinfo:
for line in cpuinfo.readlines():
line = line.strip()
if not line:
# take info from the first core
break
field, value = line.split(':', 1)
if field.strip() == 'model':
model = int(value.strip())
elif field.strip() == 'cpu family':
family = int(value.strip())
self._cpu_family = family
self._cpu_model = model
return self._cpu_family, self._cpu_model
def get_free_xen_memory(self): def get_free_xen_memory(self):
"""Get free memory from Xen's physinfo. """Get free memory from Xen's physinfo.

1
qubes/tests/vm/__init__.py
View File

@ -46,6 +46,7 @@ class TestHost(object):
def __init__(self): def __init__(self):
self.memory_total = 1000 * 1024 self.memory_total = 1000 * 1024
self.no_cpus = 4 self.no_cpus = 4
self.cpu_family_model = (6, 6)
class TestVMsCollection(dict): class TestVMsCollection(dict):
def get_vms_connected_to(self, vm): def get_vms_connected_to(self, vm):

3
templates/libvirt/xen.xml
View File

@ -19,6 +19,9 @@
<feature name='svm' policy='disable'/> <feature name='svm' policy='disable'/>
<!-- disable SMAP inside VM, because of Linux bug --> <!-- disable SMAP inside VM, because of Linux bug -->
<feature name='smap' policy='disable'/> <feature name='smap' policy='disable'/>
{% if vm.app.host.cpu_family_model in [(6, 58), (6, 62)] -%}
<feature name='rdrand' policy='disable'/>
{% endif -%}
</cpu> </cpu>
{% endif %} {% endif %}
{% endblock %} {% endblock %}