[Stable Only] Add amd-ssbd and amd-no-ssb CPU flags

Update the whitelist for the latest new CPU flags for mitigation
of recent security issues.

Change-Id: I8686a4755777c8c720c40d4111cc469676d2a5fd
Closes-Bug: #1777460
(cherry picked from commit f8aca778f7)
(cherry picked from commit 682ee60803)
tags/15.1.5
Dan Smith, 1 year ago
parent commit: c85f5e22e1
2 changed files with 17 additions and 7 deletions
1. nova/conf/libvirt.py (+9, -7)
2. releasenotes/notes/libvirt-cpu-model-extra-flags-amd-ssbd-1c0d0cec14073dec.yaml (+8, -0)

nova/conf/libvirt.py (+9, -7)

@@ -520,7 +520,7 @@ Related options:
cfg.ListOpt(
'cpu_model_extra_flags',
item_type=types.String(
choices=['pcid', 'ssbd', 'virt-ssbd'],
choices=['pcid', 'ssbd', 'virt-ssbd', 'amd-ssbd', 'amd-no-ssb'],
ignore_case=True,
),
default=[],
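Review bot: The new choices ``'amd-ssbd'`` and ``'amd-no-ssb'`` are added to the whitelist literal only, and this two-file commit carries no test change; since the whitelist is the only thing rejecting unknown flag names before they reach the libvirt domain XML, a unit test asserting that both new values (and their upper-case forms, given ``ignore_case=True``) are accepted while a typo such as ``amd-ssb`` is still rejected should be backported alongside this hunk.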
@@ -536,11 +536,11 @@ virtual CPU model::
cpu_model_extra_flags = pcid

Currently, the choice is restricted to a few options: ``pcid``,
``ssbd``, and ``virt-ssbd`` (the options are case-insensitive, so
``PCID`` is also valid, for example). These flags are now required to
address the guest performance degradation as a result of applying the
"Meltdown" CVE fixes (``pcid``) and exposure mitigation (``ssbd`` and
``virt-ssbd``) on affected CPU models.
``ssbd``, ``virt-ssbd``, ``amd-ssbd``, and ``amd-no-ssb`` (the options
are case-insensitive, so ``PCID`` is also valid, for example). These
flags are now required to address the guest performance degradation as
a result of applying the "Meltdown" CVE fixes (``pcid``) and exposure
mitigation (``ssbd`` and related options) on affected CPU models.

Note that when using this config attribute to set the 'PCID' and
related CPU flags, not all virtual (i.e. libvirt / QEMU) CPU models
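Review bot: The rewritten sentence ending in "exposure mitigation (``ssbd`` and related options)" no longer says which flags it covers, while the list two lines above names all four; for an operator deciding which flag applies to their hardware, spell them out here as well, e.g. "(``ssbd``, ``virt-ssbd``, ``amd-ssbd`` and ``amd-no-ssb``)", so the help text does not rely on the reader inferring what "related options" means.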
@@ -554,13 +554,15 @@ need it:
even if the host CPUs by the same name include it. I.e. 'PCID' needs
to be explicitly specified when using the said virtual CPU models.

For more information about ``ssbd`` and ``virt-ssbd`` applicability,
For more information about ``ssbd`` and related options,
please refer to the following security updates:

https://www.us-cert.gov/ncas/alerts/TA18-141A

https://www.redhat.com/archives/libvir-list/2018-May/msg01562.html

https://www.redhat.com/archives/libvir-list/2018-June/msg01111.html

For now, the ``cpu_model_extra_flags`` config attribute is valid only in
combination with ``cpu_mode`` + ``cpu_model`` options.
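Review bot: The lead-in "For more information about ``ssbd`` and related options," drops the explicit flag names, yet the three links below apply to different flags (the newly added June libvir-list thread is the one covering ``amd-ssbd`` and ``amd-no-ssb``, as the release note in this same change states); naming the AMD flags in the sentence, or annotating which link covers which flags, would let the reader go straight to the relevant reference.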


releasenotes/notes/libvirt-cpu-model-extra-flags-amd-ssbd-1c0d0cec14073dec.yaml (+8, -0)

@@ -0,0 +1,8 @@
---
security:
- |
The 'AMD-SSBD' and 'AMD-NO-SSB' flags have been added to the list of available
choices for the ``[libvirt]/cpu_model_extra_flags`` config option. These are
important for proper mitigation of security issues in AMD CPUs. For more
information see
https://www.redhat.com/archives/libvir-list/2018-June/msg01111.html
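Review bot: The note writes the flags as 'AMD-SSBD' and 'AMD-NO-SSB' in single quotes and upper case, whereas the option's choices are ``amd-ssbd`` and ``amd-no-ssb`` and the option itself is cited with double backticks; use the lower-case literal form in double backticks so the release note matches what an operator would paste into ``cpu_model_extra_flags``. It would also help to say that the flags only take effect with the ``cpu_mode`` + ``cpu_model`` combination mentioned in the option help, since the note's "important for proper mitigation" reads as if they apply to every deployment.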