diff --git a/nova/conf/libvirt.py b/nova/conf/libvirt.py
index 6b0dc3ffec13..882cea978f77 100644
--- a/nova/conf/libvirt.py
+++ b/nova/conf/libvirt.py
@@ -524,7 +524,7 @@ would result in an error and the instance launch will fail.
 cfg.ListOpt(
 'cpu_model_extra_flags',
 item_type=types.String(
- choices=['pcid'],
+ choices=['pcid', 'ssbd', 'virt-ssbd'],
 ignore_case=True,
 ),
 default=[],
@@ -539,13 +539,16 @@ virtual CPU model::
 cpu_model = IvyBridge
 cpu_model_extra_flags = pcid
 
-Currently, the choice is restricted to only one option: ``pcid`` (the
-option is case-insensitive, so ``PCID`` is also valid). This flag is
-now required to address the guest performance degradation as a result of
-applying the "Meltdown" CVE fixes on certain Intel CPU models.
+Currently, the choice is restricted to a few options: ``pcid``,
+``ssbd``, and ``virt-ssbd`` (the options are case-insensitive, so
+``PCID`` is also valid, for example). These flags are now required to
+address the guest performance degradation as a result of applying the
+"Meltdown" CVE fixes (``pcid``) and exposure mitigation (``ssbd`` and
+``virt-ssbd``) on affected CPU models.
 
-Note that when using this config attribute to set the 'PCID' CPU flag,
-not all virtual (i.e. libvirt / QEMU) CPU models need it:
+Note that when using this config attribute to set the 'PCID' and
+related CPU flags, not all virtual (i.e. libvirt / QEMU) CPU models
+need it:
 
 * The only virtual CPU models that include the 'PCID' capability are
 Intel "Haswell", "Broadwell", and "Skylake" variants.
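Review bot: The widened `choices` list in the `types.String(...)` hunk checks only that a flag name is spelled correctly; nothing here verifies that the host CPU, kernel, libvirt or QEMU actually expose `ssbd` or `virt-ssbd`, while the release note in this same commit says `virt-ssbd` needs qemu >= 2.9.0 plus updated libvirt, kernel and firmware. A flag accepted at config load but unsupported below nova is presumably only discovered when a guest is launched, which for a security-motivated setting deserves to be stated. I would add to the help string: `A flag accepted by this option is not checked against the host at config time; a flag that the host CPU, kernel, libvirt or QEMU cannot provide is expected to surface as an instance launch error.` The `cfg.ListOpt` definition and its help string continue outside the hunk.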
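Review bot: The rewritten help text says all three flags are `required to address the guest performance degradation`, but for `ssbd` and `virt-ssbd` the release note in this commit gives a different reason, mitigation of the Spectre 3a and 4 CVEs, and the phrase `exposure mitigation` never names the issue; two unrelated motivations are folded into one sentence. I would split it: `These flags are now required for different reasons: ``pcid`` addresses the guest performance degradation caused by the "Meltdown" CVE fixes, while ``ssbd`` and ``virt-ssbd`` expose the Spectre 3a and 4 mitigation to the guest on affected CPU models.` The following paragraph now speaks of `the 'PCID' and related CPU flags`, yet the bullets below it discuss only PCID, so either keep that paragraph PCID-only or add a bullet covering when `ssbd`/`virt-ssbd` are needed. The help string starts and ends outside the hunk.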
@@ -555,6 +558,13 @@ not all virtual (i.e. libvirt / QEMU) CPU models need it:
 even if the host CPUs by the same name include it. I.e. 'PCID' needs
 to be explicitly specified when using the said virtual CPU models.
 
+For more information about ``ssbd`` and ``virt-ssbd`` applicability,
+please refer to the following security updates:
+
+https://www.us-cert.gov/ncas/alerts/TA18-141A
+
+https://www.redhat.com/archives/libvir-list/2018-May/msg01562.html
+
 For now, the ``cpu_model_extra_flags`` config attribute is valid only in
 combination with ``cpu_mode`` + ``cpu_model`` options.
 
diff --git a/releasenotes/notes/libvirt-cpu-model-extra-flags-ssbd-fdbda6e4da495915.yaml b/releasenotes/notes/libvirt-cpu-model-extra-flags-ssbd-fdbda6e4da495915.yaml
new file mode 100644
index 000000000000..5bcb5e27dbe2
--- /dev/null
+++ b/releasenotes/notes/libvirt-cpu-model-extra-flags-ssbd-fdbda6e4da495915.yaml
@@ -0,0 +1,11 @@
+---
+security:
+ - |
+ The 'SSBD' and 'VIRT-SSBD' cpu flags have been added to the list
+ of available choices for the ``[libvirt]/cpu_model_extra_flags``
+ config option. These are important for proper mitigation of the
+ Spectre 3a and 4 CVEs. Note that the use of either of these flags
+ require updated packages below nova, including libvirt, qemu
+ (specifically >=2.9.0 for virt-ssbd), linux, and system
+ firmware. For more information see
+ https://www.us-cert.gov/ncas/alerts/TA18-141A
\ No newline at end of file
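Review bot: The two added references are introduced as `security updates`, but the first is a US-CERT alert and the second a libvir-list mailing-list post, neither of which is something a deployer installs; I would write `please refer to the following security advisory and the related libvirt mailing-list discussion:`. The release note in this commit also records the concrete prerequisite (qemu >= 2.9.0 for `virt-ssbd`, plus updated libvirt, kernel and firmware) while this help text only points at external links; repeating that one prerequisite sentence here would keep the operator-facing config reference consistent with the release note. The help string continues on both sides of the hunk.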