[Stable Only] Add amd-ssbd and amd-no-ssb CPU flags

Update the whitelist for the latest new CPU flags for mitigation
of recent security issues.

Change-Id: I8686a4755777c8c720c40d4111cc469676d2a5fd
Closes-Bug: #1777460
(cherry picked from commit f8aca778f7)
(cherry picked from commit 682ee60803)
This commit is contained in:
Dan Smith 2018-06-18 14:13:29 -07:00 committed by Elod Illes
parent a0b74ff12a
commit c85f5e22e1
2 changed files with 17 additions and 7 deletions

@ -520,7 +520,7 @@ Related options:
cfg.ListOpt(
'cpu_model_extra_flags',
item_type=types.String(
choices=['pcid', 'ssbd', 'virt-ssbd'],
choices=['pcid', 'ssbd', 'virt-ssbd', 'amd-ssbd', 'amd-no-ssb'],
ignore_case=True,
),
default=[],
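Review bot: the two new choices are added in lowercase (``'amd-ssbd'``, ``'amd-no-ssb'``) while the release note in this same change spells them 'AMD-SSBD' and 'AMD-NO-SSB'; ``ignore_case=True`` makes both forms valid, but one canonical spelling should be used across the ``choices`` list, the help text and the release note so operators searching for the flag name find every reference. Consider a brief comment above ``choices=`` recording that these are whitelisted flag names and that any addition here must be mirrored in the help text and a release note, which is exactly the pattern this change follows.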
@ -536,11 +536,11 @@ virtual CPU model::
cpu_model_extra_flags = pcid
Currently, the choice is restricted to a few options: ``pcid``,
``ssbd``, and ``virt-ssbd`` (the options are case-insensitive, so
``PCID`` is also valid, for example). These flags are now required to
address the guest performance degradation as a result of applying the
"Meltdown" CVE fixes (``pcid``) and exposure mitigation (``ssbd`` and
``virt-ssbd``) on affected CPU models.
``ssbd``, ``virt-ssbd``, ``amd-ssbd``, and ``amd-no-ssb`` (the options
are case-insensitive, so ``PCID`` is also valid, for example). These
flags are now required to address the guest performance degradation as
a result of applying the "Meltdown" CVE fixes (``pcid``) and exposure
mitigation (``ssbd`` and related options) on affected CPU models.
Note that when using this config attribute to set the 'PCID' and
related CPU flags, not all virtual (i.e. libvirt / QEMU) CPU models
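Review bot: the rewritten sentence collapses the mitigation description to "``ssbd`` and related options", so the help text no longer tells the reader which of the four flags (``ssbd``, ``virt-ssbd``, ``amd-ssbd``, ``amd-no-ssb``) applies where. The release note added in this change states the two new flags are for AMD CPUs; suggest carrying that one fact into the help text, e.g. "``amd-ssbd`` and ``amd-no-ssb`` are the equivalents for AMD hosts; see the linked updates for which applies to a given CPU model", rather than leaving the choice implicit.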
@ -554,13 +554,15 @@ need it:
even if the host CPUs by the same name include it. I.e. 'PCID' needs
to be explicitly specified when using the said virtual CPU models.
For more information about ``ssbd`` and ``virt-ssbd`` applicability,
For more information about ``ssbd`` and related options,
please refer to the following security updates:
https://www.us-cert.gov/ncas/alerts/TA18-141A
https://www.redhat.com/archives/libvir-list/2018-May/msg01562.html
https://www.redhat.com/archives/libvir-list/2018-June/msg01111.html
For now, the ``cpu_model_extra_flags`` config attribute is valid only in
combination with ``cpu_mode`` + ``cpu_model`` options.
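Review bot: the three reference URLs are listed bare, and the lead-in no longer names ``virt-ssbd``, so a reader cannot tell which link covers which flag. The removed line tied TA18-141A and the 2018-May message to ``ssbd``/``virt-ssbd``, and the release note below cites the 2018-June message for ``amd-ssbd``/``amd-no-ssb``; labelling each URL with the flags it covers would keep this list usable as more flags are whitelisted.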

@ -0,0 +1,8 @@
---
security:
- |
The 'AMD-SSBD' and 'AMD-NO-SSB' flags have been added to the list of available
choices for the ``[libvirt]/cpu_model_extra_flags`` config option. These are
important for proper mitigation of security issues in AMD CPUs. For more
information see
https://www.redhat.com/archives/libvir-list/2018-June/msg01111.html
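Review bot: the flag names are written 'AMD-SSBD' and 'AMD-NO-SSB' in single quotes, which does not match the lowercase double-backticked ``amd-ssbd`` / ``amd-no-ssb`` used in the ``choices`` list and help text; use the same form as the ``[libvirt]/cpu_model_extra_flags`` reference in the next sentence. "Important for proper mitigation of security issues in AMD CPUs" also leaves the issue unnamed; the help text ties these flags to the "exposure mitigation" handled by ``ssbd``, and saying so here (with the linked message as the source) makes the note self-contained for operators reading release notes alone.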