|
 |
e4cbec |
From a6380fb8faccbd58188d3f5c93553a2e625bf29d Mon Sep 17 00:00:00 2001
|
|
|
e4cbec |
Message-Id: <a6380fb8faccbd58188d3f5c93553a2e625bf29d@dist-git>
|
|
|
e4cbec |
From: Pavel Hrdina <phrdina@redhat.com>
|
|
|
e4cbec |
Date: Tue, 9 Apr 2019 13:13:46 +0200
|
|
|
e4cbec |
Subject: [PATCH] DomainCpu: fix detection of CPU security features
|
|
|
e4cbec |
|
|
|
e4cbec |
VM configured with mode="host-model" will have the CPU definition
|
|
|
e4cbec |
expanded once the VM is started. Libvirt will try to use the closest
|
|
|
e4cbec |
CPU model with some features enabled/disabled.
|
|
|
e4cbec |
|
|
|
e4cbec |
The issue is that there are some models that include spec-ctrl or ibpb
|
|
|
e4cbec |
features and they will not appear in the explicit list of features and
|
|
|
e4cbec |
virt-manager will not correctly detect if all security features are
|
|
|
e4cbec |
enabled or not. As a workaround we can check the suffix of CPU model to
|
|
|
e4cbec |
figure out which security features are enabled by the model itself.
|
|
|
e4cbec |
|
|
|
e4cbec |
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
|
|
e4cbec |
(cherry picked from commit 291f2ef21486cb54aadd40f07052aedfebef3792)
|
|
|
e4cbec |
|
|
|
e4cbec |
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1582667
|
|
|
e4cbec |
|
|
|
e4cbec |
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
|
|
e4cbec |
Reviewed-by: Cole Robinson <crobinso@redhat.com>
|
|
|
e4cbec |
---
|
|
|
e4cbec |
virtinst/cpu.py | 16 +++++++---------
|
|
|
e4cbec |
1 file changed, 7 insertions(+), 9 deletions(-)
|
|
|
e4cbec |
|
|
|
e4cbec |
diff --git a/virtinst/cpu.py b/virtinst/cpu.py
|
|
|
e4cbec |
index c76f06e8..ebe34449 100644
|
|
|
e4cbec |
--- a/virtinst/cpu.py
|
|
|
e4cbec |
+++ b/virtinst/cpu.py
|
|
|
e4cbec |
@@ -157,15 +157,13 @@ class CPU(XMLBuilder):
|
|
|
e4cbec |
self.secure = False
|
|
|
e4cbec |
return
|
|
|
e4cbec |
|
|
|
e4cbec |
- for feature in features:
|
|
|
e4cbec |
- exists = False
|
|
|
e4cbec |
- for f in self.features:
|
|
|
e4cbec |
- if f.name == feature and f.policy == "require":
|
|
|
e4cbec |
- exists = True
|
|
|
e4cbec |
- break
|
|
|
e4cbec |
- if not exists:
|
|
|
e4cbec |
- self.secure = False
|
|
|
e4cbec |
- return
|
|
|
e4cbec |
+ guestFeatures = [f.name for f in self.features if f.policy == "require"]
|
|
|
e4cbec |
+ if self.model.endswith("IBRS"):
|
|
|
e4cbec |
+ guestFeatures.append("spec-ctrl")
|
|
|
e4cbec |
+ if self.model.endswith("IBPB"):
|
|
|
e4cbec |
+ guestFeatures.append("ibpb")
|
|
|
e4cbec |
+
|
|
|
e4cbec |
+ self.secure = set(features) <= set(guestFeatures)
|
|
|
e4cbec |
|
|
|
e4cbec |
def _remove_security_features(self, guest):
|
|
|
e4cbec |
domcaps = guest.lookup_domcaps()
|
|
|
e4cbec |
--
|
|
|
e4cbec |
2.20.1
|
|
|
e4cbec |
|