Mitigation for Foreshadow/L1TF - CVE-2018-3646, with thanks to Joyent. This includes a CPU microcode update.

For full protection from this problem, ensure that sensitive services, including KVM instances, are separated into different non-global zones.