Merge "[Stable Only] Add amd-ssbd and amd-no-ssb CPU flags" into stable/pike
commit
7f5cf84ced
@ -518,7 +518,7 @@ Related options:
|
||||
cfg.ListOpt(
|
||||
'cpu_model_extra_flags',
|
||||
item_type=types.String(
|
||||
choices=['pcid', 'ssbd', 'virt-ssbd'],
|
||||
choices=['pcid', 'ssbd', 'virt-ssbd', 'amd-ssbd', 'amd-no-ssb'],
|
||||
ignore_case=True,
|
||||
),
|
||||
default=[],
|
||||
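Review bot: On the changed `choices=` line, two new values are accepted but nothing in this hunk exercises them, and with `ignore_case=True` on the following line a value such as `AMD-SSBD` passes validation as written. Confirm that the code consuming `cpu_model_extra_flags` lowercases each entry before it reaches the guest CPU definition, and add a unit test that sets `amd-ssbd` and `amd-no-ssb` in mixed case and checks the flags that come out.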
@ -534,11 +534,11 @@ virtual CPU model::
|
||||
cpu_model_extra_flags = pcid
|
||||
|
||||
Currently, the choice is restricted to a few options: ``pcid``,
|
||||
``ssbd``, and ``virt-ssbd`` (the options are case-insensitive, so
|
||||
``PCID`` is also valid, for example). These flags are now required to
|
||||
address the guest performance degradation as a result of applying the
|
||||
"Meltdown" CVE fixes (``pcid``) and exposure mitigation (``ssbd`` and
|
||||
``virt-ssbd``) on affected CPU models.
|
||||
``ssbd``, ``virt-ssbd``, ``amd-ssbd``, and ``amd-no-ssb`` (the options
|
||||
are case-insensitive, so ``PCID`` is also valid, for example). These
|
||||
flags are now required to address the guest performance degradation as
|
||||
a result of applying the "Meltdown" CVE fixes (``pcid``) and exposure
|
||||
mitigation (``ssbd`` and related options) on affected CPU models.
|
||||
|
||||
Note that when using this config attribute to set the 'PCID' and
|
||||
related CPU flags, not all virtual (i.e. libvirt / QEMU) CPU models
|
||||
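Review bot: In the rewritten paragraph, "exposure mitigation (``ssbd`` and related options)" no longer tells the operator which of the four flags applies to which hosts, and it groups ``amd-no-ssb`` with the mitigations without saying what that flag does. Suggest one line per flag stating when to set it, and name the issue being mitigated the way "Meltdown" is named for ``pcid``.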
@ -552,13 +552,15 @@ need it:
|
||||
even if the host CPUs by the same name include it. I.e. 'PCID' needs
|
||||
to be explicitly specified when using the said virtual CPU models.
|
||||
|
||||
For more information about ``ssbd`` and ``virt-ssbd`` applicability,
|
||||
For more information about ``ssbd`` and related options,
|
||||
please refer to the following security updates:
|
||||
|
||||
https://www.us-cert.gov/ncas/alerts/TA18-141A
|
||||
|
||||
https://www.redhat.com/archives/libvir-list/2018-May/msg01562.html
|
||||
|
||||
https://www.redhat.com/archives/libvir-list/2018-June/msg01111.html
|
||||
|
||||
For now, the ``cpu_model_extra_flags`` config attribute is valid only in
|
||||
combination with ``cpu_mode`` + ``cpu_model`` options.
|
||||
|
||||
|
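Review bot: The reference list now has three links, but the lead-in only says "``ssbd`` and related options", so a reader cannot tell which link covers the AMD flags. The release note in this same change cites the June libvir-list message for them; say so here as well, for example by labelling each URL with the flags it documents.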
@ -0,0 +1,8 @@
|
||||
---
|
||||
security:
|
||||
- |
|
||||
The 'AMD-SSBD' and 'AMD-NO-SSB' flags have been added to the list of available
|
||||
choices for the ``[libvirt]/cpu_model_extra_flags`` config option. These are
|
||||
important for proper mitigation of security issues in AMD CPUs. For more
|
||||
information see
|
||||
https://www.redhat.com/archives/libvir-list/2018-June/msg01111.html
|
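Review bot: The release note spells the flags 'AMD-SSBD' and 'AMD-NO-SSB' in single quotes and upper case, while the option's choices and help text use ``amd-ssbd`` and ``amd-no-ssb``. Use the literal lowercase values in double backticks so operators can copy them into their configuration, and state what an operator on an AMD host needs to set, since "important for proper mitigation of security issues in AMD CPUs" names neither the issue nor the action.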