Add ssbd and virt-ssbd flags to cpu_model_extra_flags whitelist
This adds two other flags to the whitelist of available options to
the cpu_model_extra_flags variable related to further variants of
Meltdown/Spectre recently published.
Related-Bug: #1750829
Change-Id: I72085016c8756ff88a4da722368f62359bcd7080
(cherry picked from commit a27ea0f910)
This commit is contained in:
parent a0bcc6bda0
commit c18cd38d4d
@ -520,7 +520,7 @@ Related options:
cfg.ListOpt(
'cpu_model_extra_flags',
item_type=types.String(
choices=['pcid'],
choices=['pcid', 'ssbd', 'virt-ssbd'],
ignore_case=True,
),
default=[],
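Review bot: adding 'ssbd' and 'virt-ssbd' to `choices` makes the values pass config validation, but nothing in this hunk ties them to the platform requirements the release note in this same change states (qemu >=2.9.0 for virt-ssbd, plus updated libvirt, kernel and firmware); an operator on an older stack will get past validation and only discover the problem when libvirt/QEMU rejects the flag at instance launch. Consider stating the minimum versions in the option's help text, or having the libvirt driver check the host before emitting the flag, so the failure is caught at config time rather than at boot. Also, with `ignore_case=True` a value such as 'VIRT-SSBD' is accepted (the release note in this change spells the flags in uppercase); confirm the driver normalises to the lowercase form before writing the domain XML.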
@ -535,13 +535,16 @@ virtual CPU model::
cpu_model = IvyBridge
cpu_model_extra_flags = pcid
Currently, the choice is restricted to only one option: ``pcid`` (the
option is case-insensitive, so ``PCID`` is also valid). This flag is
now required to address the guest performance degradation as a result of
applying the "Meltdown" CVE fixes on certain Intel CPU models.
Currently, the choice is restricted to a few options: ``pcid``,
``ssbd``, and ``virt-ssbd`` (the options are case-insensitive, so
``PCID`` is also valid, for example). These flags are now required to
address the guest performance degradation as a result of applying the
"Meltdown" CVE fixes (``pcid``) and exposure mitigation (``ssbd`` and
``virt-ssbd``) on affected CPU models.
Note that when using this config attribute to set the 'PCID' CPU flag,
not all virtual (i.e. libvirt / QEMU) CPU models need it:
Note that when using this config attribute to set the 'PCID' and
related CPU flags, not all virtual (i.e. libvirt / QEMU) CPU models
need it:
* The only virtual CPU models that include the 'PCID' capability are
Intel "Haswell", "Broadwell", and "Skylake" variants.
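Review bot: the rewritten paragraph folds two different purposes into one sentence: ``pcid`` addresses the guest performance degradation caused by the Meltdown fixes, whereas ``ssbd`` and ``virt-ssbd`` expose a mitigation to the guest and are not a performance fix, so "These flags are now required to address the guest performance degradation ... and exposure mitigation" reads as though all three do the same job. Suggest splitting it, e.g. "``pcid`` is required to address the guest performance degradation caused by the Meltdown fixes; ``ssbd`` and ``virt-ssbd`` are required to expose the Spectre mitigations to guests." Also, the note now says "the 'PCID' and related CPU flags ... need it" (plural subject, singular "it") while the bullet that follows still describes only which virtual CPU models include PCID; either generalise the bullet to cover the new flags or keep the note scoped to PCID.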
@ -551,6 +554,13 @@ not all virtual (i.e. libvirt / QEMU) CPU models need it:
even if the host CPUs by the same name include it. I.e. 'PCID' needs
to be explicitly specified when using the said virtual CPU models.
For more information about ``ssbd`` and ``virt-ssbd`` applicability,
please refer to the following security updates:
https://www.us-cert.gov/ncas/alerts/TA18-141A
https://www.redhat.com/archives/libvir-list/2018-May/msg01562.html
For now, the ``cpu_model_extra_flags`` config attribute is valid only in
combination with ``cpu_mode`` + ``cpu_model`` options.
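Review bot: the new paragraph sends operators to two external links for "applicability", but the help text itself still states no minimum versions, whereas the release note in this same change gives a concrete requirement (qemu >=2.9.0 for virt-ssbd, plus updated libvirt, kernel and firmware). Operators read the option help far more often than release notes, so mirror that requirement here next to the links. The libvir-list archive URL is a mailing-list post and may not remain stable; consider citing the relevant libvirt/QEMU release documentation alongside or instead of it.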
@ -0,0 +1,11 @@
---
security:
- |
The 'SSBD' and 'VIRT-SSBD' cpu flags have been added to the list
of available choices for the ``[libvirt]/cpu_model_extra_flags``
config option. These are important for proper mitigation of the
Spectre 3a and 4 CVEs. Note that the use of either of these flags
require updated packages below nova, including libvirt, qemu
(specifically >=2.9.0 for virt-ssbd), linux, and system
firmware. For more information see
https://www.us-cert.gov/ncas/alerts/TA18-141A
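Review bot: grammar and consistency in the note body: "the use of either of these flags require" should be "requires", and "updated packages below nova" is clearer as "updated packages in the stack beneath nova". The flags are written as 'SSBD' and 'VIRT-SSBD' here, but the choices added to the config option in this change are lowercase ``ssbd`` and ``virt-ssbd``; use the lowercase form so the note matches what operators will type, even though matching is case-insensitive. Only qemu gets a concrete minimum version while libvirt, linux and firmware are left as "updated"; if the minimums are known, stating them would make the note actionable.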