[Stable Only] Add amd-ssbd and amd-no-ssb CPU flags
Update the whitelist for the latest new CPU flags for mitigation
of recent security issues.
Change-Id: I8686a4755777c8c720c40d4111cc469676d2a5fd
Closes-Bug: #1777460
(cherry picked from commit f8aca778f7)
This commit is contained in:
Dan Smith
parent
2c9c4a09cb
commit
682ee60803
|
|
@ -518,7 +518,7 @@ Related options:
|
||||||
cfg.ListOpt(
|
cfg.ListOpt(
|
||||||
'cpu_model_extra_flags',
|
'cpu_model_extra_flags',
|
||||||
item_type=types.String(
|
item_type=types.String(
|
||||||
choices=['pcid', 'ssbd', 'virt-ssbd'],
|
choices=['pcid', 'ssbd', 'virt-ssbd', 'amd-ssbd', 'amd-no-ssb'],
|
||||||
ignore_case=True,
|
ignore_case=True,
|
||||||
),
|
),
|
||||||
default=[],
|
default=[],
|
||||||
|
|
@ -534,11 +534,11 @@ virtual CPU model::
|
||||||
cpu_model_extra_flags = pcid
|
cpu_model_extra_flags = pcid
|
||||||
|
|
||||||
Currently, the choice is restricted to a few options: ``pcid``,
|
Currently, the choice is restricted to a few options: ``pcid``,
|
||||||
``ssbd``, and ``virt-ssbd`` (the options are case-insensitive, so
|
``ssbd``, ``virt-ssbd``, ``amd-ssbd``, and ``amd-no-ssb`` (the options
|
||||||
``PCID`` is also valid, for example). These flags are now required to
|
are case-insensitive, so ``PCID`` is also valid, for example). These
|
||||||
address the guest performance degradation as a result of applying the
|
flags are now required to address the guest performance degradation as
|
||||||
"Meltdown" CVE fixes (``pcid``) and exposure mitigation (``ssbd`` and
|
a result of applying the "Meltdown" CVE fixes (``pcid``) and exposure
|
||||||
``virt-ssbd``) on affected CPU models.
|
mitigation (``ssbd`` and related options) on affected CPU models.
|
||||||
|
|
||||||
Note that when using this config attribute to set the 'PCID' and
|
Note that when using this config attribute to set the 'PCID' and
|
||||||
related CPU flags, not all virtual (i.e. libvirt / QEMU) CPU models
|
related CPU flags, not all virtual (i.e. libvirt / QEMU) CPU models
|
||||||
|
|
@ -552,13 +552,15 @@ need it:
|
||||||
even if the host CPUs by the same name include it. I.e. 'PCID' needs
|
even if the host CPUs by the same name include it. I.e. 'PCID' needs
|
||||||
to be explicitly specified when using the said virtual CPU models.
|
to be explicitly specified when using the said virtual CPU models.
|
||||||
|
|
||||||
For more information about ``ssbd`` and ``virt-ssbd`` applicability,
|
For more information about ``ssbd`` and related options,
|
||||||
please refer to the following security updates:
|
please refer to the following security updates:
|
||||||
|
|
||||||
https://www.us-cert.gov/ncas/alerts/TA18-141A
|
https://www.us-cert.gov/ncas/alerts/TA18-141A
|
||||||
|
|
||||||
https://www.redhat.com/archives/libvir-list/2018-May/msg01562.html
|
https://www.redhat.com/archives/libvir-list/2018-May/msg01562.html
|
||||||
|
|
||||||
|
https://www.redhat.com/archives/libvir-list/2018-June/msg01111.html
|
||||||
|
|
||||||
For now, the ``cpu_model_extra_flags`` config attribute is valid only in
|
For now, the ``cpu_model_extra_flags`` config attribute is valid only in
|
||||||
combination with ``cpu_mode`` + ``cpu_model`` options.
|
combination with ``cpu_mode`` + ``cpu_model`` options.
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,8 @@
|
||||||
|
---
|
||||||
|
security:
|
||||||
|
- |
|
||||||
|
The 'AMD-SSBD' and 'AMD-NO-SSB' flags have been added to the list of available
|
||||||
|
choices for the ``[libvirt]/cpu_model_extra_flags`` config option. These are
|
||||||
|
important for proper mitigation of security issues in AMD CPUs. For more
|
||||||
|
information see
|
||||||
|
https://www.redhat.com/archives/libvir-list/2018-June/msg01111.html
|
||||||
Loading…
Reference in New Issue