Add ssbd and virt-ssbd flags to cpu_model_extra_flags whitelist

This adds two other flags to the whitelist of available options to the cpu_model_extra_flags variable related to further variants of Meltdown/Spectre recently published. Related-Bug: #1750829 Change-Id: I72085016c8756ff88a4da722368f62359bcd7080 (cherry picked from commit a27ea0f910)
2018-05-23 15:21:38 -07:00 · 2018-05-23 15:21:38 -07:00 · c18cd38d4d
parent a0bcc6bda0
commit c18cd38d4d
2 changed files with 28 additions and 7 deletions
--- a/nova/conf/libvirt.py
+++ b/nova/conf/libvirt.py
@ -520,7 +520,7 @@ Related options:
    cfg.ListOpt(
        'cpu_model_extra_flags',
        item_type=types.String(
-            choices=['pcid'],
+            choices=['pcid', 'ssbd', 'virt-ssbd'],
            ignore_case=True,
        ),
        default=[],
@ -535,13 +535,16 @@ virtual CPU model::
    cpu_model = IvyBridge
    cpu_model_extra_flags = pcid

-Currently, the choice is restricted to only one option: ``pcid`` (the
-option is case-insensitive, so ``PCID`` is also valid).  This flag is
-now required to address the guest performance degradation as a result of
-applying the "Meltdown" CVE fixes on certain Intel CPU models.
+Currently, the choice is restricted to a few options: ``pcid``,
+``ssbd``, and ``virt-ssbd`` (the options are case-insensitive, so
+``PCID`` is also valid, for example).  These flags are now required to
+address the guest performance degradation as a result of applying the
+"Meltdown" CVE fixes (``pcid``) and exposure mitigation (``ssbd`` and
+``virt-ssbd``) on affected CPU models.

-Note that when using this config attribute to set the 'PCID' CPU flag,
-not all virtual (i.e. libvirt / QEMU) CPU models need it:
+Note that when using this config attribute to set the 'PCID' and
+related CPU flags, not all virtual (i.e. libvirt / QEMU) CPU models
+need it:

 * The only virtual CPU models that include the 'PCID' capability are
  Intel "Haswell", "Broadwell", and "Skylake" variants.
@ -551,6 +554,13 @@ not all virtual (i.e. libvirt / QEMU) CPU models need it:
  even if the host CPUs by the same name include it.  I.e.  'PCID' needs
  to be explicitly specified when using the said virtual CPU models.

+For more information about ``ssbd`` and ``virt-ssbd`` applicability,
+please refer to the following security updates:
+
+https://www.us-cert.gov/ncas/alerts/TA18-141A
+
+https://www.redhat.com/archives/libvir-list/2018-May/msg01562.html
+
 For now, the ``cpu_model_extra_flags`` config attribute is valid only in
 combination with ``cpu_mode`` + ``cpu_model`` options.

--- a/releasenotes/notes/libvirt-cpu-model-extra-flags-ssbd-fdbda6e4da495915.yaml
+++ b/releasenotes/notes/libvirt-cpu-model-extra-flags-ssbd-fdbda6e4da495915.yaml
@ -0,0 +1,11 @@
+---
+security:
+  - |
+    The 'SSBD' and 'VIRT-SSBD' cpu flags have been added to the list
+    of available choices for the ``[libvirt]/cpu_model_extra_flags``
+    config option. These are important for proper mitigation of the
+    Spectre 3a and 4 CVEs. Note that the use of either of these flags
+    require updated packages below nova, including libvirt, qemu
+    (specifically >=2.9.0 for virt-ssbd), linux, and system
+    firmware. For more information see
+    https://www.us-cert.gov/ncas/alerts/TA18-141A