From d8ce37f73ec77e5365cfa132ac78b470c1410222 Mon Sep 17 00:00:00 2001
Message-Id: <d8ce37f73ec77e5365cfa132ac78b470c1410222@dist-git>
From: Pavel Hrdina <phrdina@redhat.com>
Date: Tue, 14 May 2019 19:59:49 +0200
Subject: [PATCH] domcapabilities: detect MDS new vulnerability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
There is a new security feature 'md-clear' that mitigates the recent CPU
Microarchitectural Store Buffer Data vulnerability.
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit c11d6ba4d7024eaac83b6e2d6ae88172f4c01e98)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1582667
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Acked-by: Daniel P. Berrangé <berrange@redhat.com>
---
man/virt-install.pod | 13 +++++++------
virtinst/domcapabilities.py | 3 ++-
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/man/virt-install.pod b/man/virt-install.pod
index d90c2b8e..3bcb32f2 100644
--- a/man/virt-install.pod
+++ b/man/virt-install.pod
@@ -219,12 +219,13 @@ and 'disable=feature' respectively.
If exact CPU model is specified virt-install will automatically copy CPU
features available on the host to mitigate recent CPU speculative execution
-side channel security vulnerabilities. This however will have some impact
-on performance and will break migration to hosts without security patches.
-In order to control this behavior there is a B<secure> parameter. Possible
-values are I<on> and I<off>, with I<on> as the default. It is highly
-recommended to leave this enabled and ensure all virtualization hosts have
-fully up to date microcode, kernel & virtualization software installed.
+side channel and Microarchitectural Store Buffer Data security vulnerabilities.
+This however will have some impact on performance and will break migration
+to hosts without security patches. In order to control this behavior there
+is a B<secure> parameter. Possible values are I<on> and I<off>, with I<on>
+as the default. It is highly recommended to leave this enabled and ensure all
+virtualization hosts have fully up to date microcode, kernel & virtualization
+software installed.
Some examples:
diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
index ba774532..5695453f 100644
--- a/virtinst/domcapabilities.py
+++ b/virtinst/domcapabilities.py
@@ -245,7 +245,8 @@ class DomainCapabilities(XMLBuilder):
'spec-ctrl',
'ssbd',
'ibpb',
- 'virt-ssbd']
+ 'virt-ssbd',
+ 'md-clear']
if self._features:
return self._features
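Review bot: The new `'md-clear'` entry joins a bare list literal that carries no comment saying what the list is for or why each flag belongs in it, so the next mitigation flag will be appended just as blindly; a short comment above the list, `# CPU feature flags copied from the host when cpu secure=on; each is a` / `# speculative-execution mitigation (md-clear covers MDS, per the commit message)`, would document the intent. The head of the list and the enclosing method start outside the hunk, so how the list is consumed is not visible here; if the flags are copied unconditionally rather than filtered against what the host reports, adding `md-clear` would yield a CPU definition that hosts without the mitigation cannot satisfy, which is worth confirming since the man page hunk already warns that migration to unpatched hosts breaks. The man page hunk names the flaw "Microarchitectural Store Buffer Data" while the subject line says MDS; using the same name in both would avoid confusion for readers mapping the flag to the advisory.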
--
2.21.0