author Dan Smith <dansmith@redhat.com> 2018-05-23 15:21:38 -0700
committer Dan Smith <dansmith@redhat.com> 2018-05-24 09:34:18 -0700
commit a27ea0f9100d0061c1cf3b20407095d3cd04df26 (patch)
tree 276731be81181a32bb8e9acde3d905317b363515
parent 7b4dcb52934a78b65f253a0e15fd1168289613e7 (diff)
Add ssbd and virt-ssbd flags to cpu_model_extra_flags whitelist [stable/queens]

This adds two other flags to the whitelist of available options to the cpu_model_extra_flags variable related to further variants of Meltdown/Spectre recently published.

Related-Bug: #1750829
Change-Id: I72085016c8756ff88a4da722368f62359bcd7080
Notes
Notes (review): Code-Review+2: Matt Riedemann <mriedem.os@gmail.com> Code-Review+2: Tony Breeds <tony@bakeyournoodle.com> Workflow+1: Tony Breeds <tony@bakeyournoodle.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Fri, 25 May 2018 01:47:05 +0000 Reviewed-on: https://review.openstack.org/570271 Project: openstack/nova Branch: refs/heads/stable/queens
-rw-r--r-- nova/conf/libvirt.py | 24
-rw-r--r-- releasenotes/notes/libvirt-cpu-model-extra-flags-ssbd-fdbda6e4da495915.yaml | 11
2 files changed, 28 insertions, 7 deletions
diff --git a/nova/conf/libvirt.py b/nova/conf/libvirt.py
index 6b0dc3f..882cea9 100644
--- a/nova/conf/libvirt.py
+++ b/nova/conf/libvirt.py
@@ -524,7 +524,7 @@ would result in an error and the instance launch will fail.
524 cfg.ListOpt( 524 cfg.ListOpt(
525 'cpu_model_extra_flags', 525 'cpu_model_extra_flags',
526 item_type=types.String( 526 item_type=types.String(
527 choices=['pcid'], 527 choices=['pcid', 'ssbd', 'virt-ssbd'],
528 ignore_case=True, 528 ignore_case=True,
529 ), 529 ),
530 default=[], 530 default=[],
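Review bot: the `choices=['pcid', 'ssbd', 'virt-ssbd']` list at line 527 is the only validation this option receives; it rejects misspelled names (case-insensitively, given `ignore_case=True`) but does not check that the host CPU, the installed QEMU, or the configured `cpu_model` can actually expose `ssbd`/`virt-ssbd`, so, as the hunk header's own context says, an unsupported flag still fails at instance launch rather than at config load. A one-line comment beside `choices=` saying that hypervisor support is validated later at launch would save the next person extending this whitelist from assuming the option is fully validated here.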
@@ -539,13 +539,16 @@ virtual CPU model::
539 cpu_model = IvyBridge 539 cpu_model = IvyBridge
540 cpu_model_extra_flags = pcid 540 cpu_model_extra_flags = pcid
541 541
542Currently, the choice is restricted to only one option: ``pcid`` (the 542Currently, the choice is restricted to a few options: ``pcid``,
543option is case-insensitive, so ``PCID`` is also valid). This flag is 543``ssbd``, and ``virt-ssbd`` (the options are case-insensitive, so
544now required to address the guest performance degradation as a result of 544``PCID`` is also valid, for example). These flags are now required to
545applying the "Meltdown" CVE fixes on certain Intel CPU models. 545address the guest performance degradation as a result of applying the
546"Meltdown" CVE fixes (``pcid``) and exposure mitigation (``ssbd`` and
547``virt-ssbd``) on affected CPU models.
546 548
547Note that when using this config attribute to set the 'PCID' CPU flag, 549Note that when using this config attribute to set the 'PCID' and
548not all virtual (i.e. libvirt / QEMU) CPU models need it: 550related CPU flags, not all virtual (i.e. libvirt / QEMU) CPU models
551need it:
549 552
550* The only virtual CPU models that include the 'PCID' capability are 553* The only virtual CPU models that include the 'PCID' capability are
551 Intel "Haswell", "Broadwell", and "Skylake" variants. 554 Intel "Haswell", "Broadwell", and "Skylake" variants.
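Review bot: the rewritten note at lines 549-551 widens its scope from `'PCID'` to "the 'PCID' and related CPU flags", but the bullet list that follows still describes only which virtual CPU models include PCID (Intel "Haswell", "Broadwell", "Skylake"), so the reader is told `ssbd`/`virt-ssbd` applicability is model-dependent without being told which models. Either keep that note PCID-specific or add a sentence stating that `ssbd`/`virt-ssbd` applicability is covered by the references below. Separately, "These flags are now required to address the guest performance degradation ... and exposure mitigation" blurs two different purposes: `pcid` recovers performance lost to the Meltdown fixes, while `ssbd`/`virt-ssbd` are the mitigation itself; splitting that into two sentences would make the help text accurate.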
@@ -555,6 +558,13 @@ not all virtual (i.e. libvirt / QEMU) CPU models need it:
555 even if the host CPUs by the same name include it. I.e. 'PCID' needs 558 even if the host CPUs by the same name include it. I.e. 'PCID' needs
556 to be explicitly specified when using the said virtual CPU models. 559 to be explicitly specified when using the said virtual CPU models.
557 560
561For more information about ``ssbd`` and ``virt-ssbd`` applicability,
562please refer to the following security updates:
563
564https://www.us-cert.gov/ncas/alerts/TA18-141A
565
566https://www.redhat.com/archives/libvir-list/2018-May/msg01562.html
567
558For now, the ``cpu_model_extra_flags`` config attribute is valid only in 568For now, the ``cpu_model_extra_flags`` config attribute is valid only in
559combination with ``cpu_mode`` + ``cpu_model`` options. 569combination with ``cpu_mode`` + ``cpu_model`` options.
560 570
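Review bot: the new paragraph at lines 561-566 points operators to external advisories but omits the one concrete prerequisite this very change records in its release note, namely that `virt-ssbd` needs qemu >= 2.9.0 plus updated libvirt, kernel and firmware; the config help text is what an operator reads when setting the option, so that requirement belongs here too (one sentence before the links is enough). The bare URLs in an RST docstring also render as plain text; the `pcid` section above uses inline literals, so a short lead phrase per link (what each one covers) would match the surrounding style.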
diff --git a/releasenotes/notes/libvirt-cpu-model-extra-flags-ssbd-fdbda6e4da495915.yaml b/releasenotes/notes/libvirt-cpu-model-extra-flags-ssbd-fdbda6e4da495915.yaml
new file mode 100644
index 0000000..5bcb5e2
--- /dev/null
+++ b/releasenotes/notes/libvirt-cpu-model-extra-flags-ssbd-fdbda6e4da495915.yaml
@@ -0,0 +1,11 @@
1---
2security:
3 - |
4 The 'SSBD' and 'VIRT-SSBD' cpu flags have been added to the list
5 of available choices for the ``[libvirt]/cpu_model_extra_flags``
6 config option. These are important for proper mitigation of the
7 Spectre 3a and 4 CVEs. Note that the use of either of these flags
8 require updated packages below nova, including libvirt, qemu
9 (specifically >=2.9.0 for virt-ssbd), linux, and system
10 firmware. For more information see
11 https://www.us-cert.gov/ncas/alerts/TA18-141A \ No newline at end of file
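Review bot: grammar and consistency nits in the release note: "the use of either of these flags require" should be "requires"; "updated packages below nova" reads oddly and "updated packages underneath nova (libvirt, qemu ... , the kernel and system firmware)" says the same thing more clearly; and the flag names are written `'SSBD'` and `'VIRT-SSBD'` in upper case while the option's `choices` list spells them `ssbd` and `virt-ssbd`, which works only because of `ignore_case=True`, so using the lower-case spelling here avoids implying two distinct names. "Spectre 3a and 4 CVEs" would also be more useful with the actual CVE identifiers, and the file should end with a trailing newline ("\ No newline at end of file").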