|
 |
3d61c0 |
From a750b3d4e930a6c02f7fa8433b8fb730c5e075ef Mon Sep 17 00:00:00 2001
|
|
|
3d61c0 |
Message-Id: <a750b3d4e930a6c02f7fa8433b8fb730c5e075ef@dist-git>
|
|
|
3d61c0 |
From: Pavel Hrdina <phrdina@redhat.com>
|
|
|
3d61c0 |
Date: Fri, 29 Mar 2019 10:22:08 +0100
|
|
|
3d61c0 |
Subject: [PATCH] domcapabilities: remove recommended CPU features from
|
|
|
3d61c0 |
security features
|
|
|
3d61c0 |
MIME-Version: 1.0
|
|
|
3d61c0 |
Content-Type: text/plain; charset=UTF-8
|
|
|
3d61c0 |
Content-Transfer-Encoding: 8bit
|
|
|
3d61c0 |
|
|
|
3d61c0 |
These features are only recommended to be enabled since they improve
|
|
|
3d61c0 |
performance of the VMs if security features are enabled.
|
|
|
3d61c0 |
|
|
|
3d61c0 |
pcid is a very useful perf feature, but missing in some silicon
|
|
|
3d61c0 |
so not portable.
|
|
|
3d61c0 |
|
|
|
3d61c0 |
pdpe1gb lets the guest use 1 GB pages which is good for perf
|
|
|
3d61c0 |
but again not all silicon can do it.
|
|
|
3d61c0 |
|
|
|
3d61c0 |
amd-ssbd is a security feature which fixes the same SSBD flaws as the
|
|
|
3d61c0 |
virt-ssbd feature does. virt-ssbd is usable across all CPU models
|
|
|
3d61c0 |
affected by SSBD, while amd-ssbd is only available in very new silicon.
|
|
|
3d61c0 |
So virt-ssbd is the bette rchoice.
|
|
|
3d61c0 |
|
|
|
3d61c0 |
amd-no-ssb just indicates that the CPU is not affected by SSBD, so not
|
|
|
3d61c0 |
critical to expose. I expect a future named CPU model will include that
|
|
|
3d61c0 |
where appropriate.
|
|
|
3d61c0 |
|
|
|
3d61c0 |
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
|
|
3d61c0 |
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
|
3d61c0 |
(cherry picked from commit 29f815fbd23082dff79d2d716e32a644b5a15d4a)
|
|
|
3d61c0 |
|
|
|
3d61c0 |
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1582667
|
|
|
3d61c0 |
|
|
|
3d61c0 |
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
|
|
|
3d61c0 |
Reviewed-by: Cole Robinson <crobinso@redhat.com>
|
|
|
3d61c0 |
---
|
|
|
3d61c0 |
tests/cli-test-xml/compare/virt-install-qemu-plain.xml | 2 --
|
|
|
3d61c0 |
.../compare/virt-install-singleton-config-2.xml | 4 ----
|
|
|
3d61c0 |
virtinst/domcapabilities.py | 6 +-----
|
|
|
3d61c0 |
3 files changed, 1 insertion(+), 11 deletions(-)
|
|
|
3d61c0 |
|
|
|
3d61c0 |
diff --git a/tests/cli-test-xml/compare/virt-install-qemu-plain.xml b/tests/cli-test-xml/compare/virt-install-qemu-plain.xml
|
|
|
3d61c0 |
index 80674eb4..3273e0e4 100644
|
|
|
3d61c0 |
--- a/tests/cli-test-xml/compare/virt-install-qemu-plain.xml
|
|
|
3d61c0 |
+++ b/tests/cli-test-xml/compare/virt-install-qemu-plain.xml
|
|
|
3d61c0 |
@@ -15,8 +15,6 @@
|
|
|
3d61c0 |
</features>
|
|
|
3d61c0 |
<cpu mode="custom" match="exact">
|
|
|
3d61c0 |
<model>Penryn</model>
|
|
|
3d61c0 |
- <feature policy="require" name="pcid"/>
|
|
|
3d61c0 |
- <feature policy="require" name="pdpe1gb"/>
|
|
|
3d61c0 |
</cpu>
|
|
|
3d61c0 |
<clock offset="utc">
|
|
|
3d61c0 |
<timer name="rtc" tickpolicy="catchup"/>
|
|
|
3d61c0 |
diff --git a/tests/cli-test-xml/compare/virt-install-singleton-config-2.xml b/tests/cli-test-xml/compare/virt-install-singleton-config-2.xml
|
|
|
3d61c0 |
index d03ba5c8..16f15894 100644
|
|
|
3d61c0 |
--- a/tests/cli-test-xml/compare/virt-install-singleton-config-2.xml
|
|
|
3d61c0 |
+++ b/tests/cli-test-xml/compare/virt-install-singleton-config-2.xml
|
|
|
3d61c0 |
@@ -83,8 +83,6 @@
|
|
|
3d61c0 |
<model>foobar</model>
|
|
|
3d61c0 |
<vendor>meee</vendor>
|
|
|
3d61c0 |
<topology sockets="2" cores="2" threads="2"/>
|
|
|
3d61c0 |
- <feature policy="require" name="pcid"/>
|
|
|
3d61c0 |
- <feature policy="require" name="pdpe1gb"/>
|
|
|
3d61c0 |
<feature policy="force" name="x2apic"/>
|
|
|
3d61c0 |
<feature policy="force" name="x2apicagain"/>
|
|
|
3d61c0 |
<feature policy="require" name="reqtest"/>
|
|
|
3d61c0 |
@@ -253,8 +251,6 @@
|
|
|
3d61c0 |
<model>foobar</model>
|
|
|
3d61c0 |
<vendor>meee</vendor>
|
|
|
3d61c0 |
<topology sockets="2" cores="2" threads="2"/>
|
|
|
3d61c0 |
- <feature policy="require" name="pcid"/>
|
|
|
3d61c0 |
- <feature policy="require" name="pdpe1gb"/>
|
|
|
3d61c0 |
<feature policy="force" name="x2apic"/>
|
|
|
3d61c0 |
<feature policy="force" name="x2apicagain"/>
|
|
|
3d61c0 |
<feature policy="require" name="reqtest"/>
|
|
|
3d61c0 |
diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
|
|
|
3d61c0 |
index 12755940..da12bd58 100644
|
|
|
3d61c0 |
--- a/virtinst/domcapabilities.py
|
|
|
3d61c0 |
+++ b/virtinst/domcapabilities.py
|
|
|
3d61c0 |
@@ -240,14 +240,10 @@ class DomainCapabilities(XMLBuilder):
|
|
|
3d61c0 |
|
|
|
3d61c0 |
def get_cpu_security_features(self):
|
|
|
3d61c0 |
sec_features = [
|
|
|
3d61c0 |
- 'pcid',
|
|
|
3d61c0 |
'spec-ctrl',
|
|
|
3d61c0 |
'ssbd',
|
|
|
3d61c0 |
- 'pdpe1gb',
|
|
|
3d61c0 |
'ibpb',
|
|
|
3d61c0 |
- 'virt-ssbd',
|
|
|
3d61c0 |
- 'amd-ssbd',
|
|
|
3d61c0 |
- 'amd-no-ssb']
|
|
|
3d61c0 |
+ 'virt-ssbd']
|
|
|
3d61c0 |
|
|
|
3d61c0 |
features = []
|
|
|
3d61c0 |
|
|
|
3d61c0 |
--
|
|
|
3d61c0 |
2.20.1
|
|
|
3d61c0 |
|