Browse Source
[Stable Only] Add amd-ssbd and amd-no-ssb CPU flags
Update the whitelist for the latest new CPU flags for mitigation of recent security issues. Change-Id: I8686a4755777c8c720c40d4111cc469676d2a5fd Closes-Bug: #1777460 (cherry picked from committags/15.1.5f8aca778f7) (cherry picked from commit682ee60803)
Dan Smith
1 year ago
2 changed files with 17 additions and 7 deletions
+ 9
- 7
nova/conf/libvirt.py
View File
| @@ -520,7 +520,7 @@ Related options: | |||
| cfg.ListOpt( | |||
| 'cpu_model_extra_flags', | |||
| item_type=types.String( | |||
| choices=['pcid', 'ssbd', 'virt-ssbd'], | |||
| choices=['pcid', 'ssbd', 'virt-ssbd', 'amd-ssbd', 'amd-no-ssb'], | |||
| ignore_case=True, | |||
| ), | |||
| default=[], | |||
| @@ -536,11 +536,11 @@ virtual CPU model:: | |||
| cpu_model_extra_flags = pcid | |||
| Currently, the choice is restricted to a few options: ``pcid``, | |||
| ``ssbd``, and ``virt-ssbd`` (the options are case-insensitive, so | |||
| ``PCID`` is also valid, for example). These flags are now required to | |||
| address the guest performance degradation as a result of applying the | |||
| "Meltdown" CVE fixes (``pcid``) and exposure mitigation (``ssbd`` and | |||
| ``virt-ssbd``) on affected CPU models. | |||
| ``ssbd``, ``virt-ssbd``, ``amd-ssbd``, and ``amd-no-ssb`` (the options | |||
| are case-insensitive, so ``PCID`` is also valid, for example). These | |||
| flags are now required to address the guest performance degradation as | |||
| a result of applying the "Meltdown" CVE fixes (``pcid``) and exposure | |||
| mitigation (``ssbd`` and related options) on affected CPU models. | |||
| Note that when using this config attribute to set the 'PCID' and | |||
| related CPU flags, not all virtual (i.e. libvirt / QEMU) CPU models | |||
| @@ -554,13 +554,15 @@ need it: | |||
| even if the host CPUs by the same name include it. I.e. 'PCID' needs | |||
| to be explicitly specified when using the said virtual CPU models. | |||
| For more information about ``ssbd`` and ``virt-ssbd`` applicability, | |||
| For more information about ``ssbd`` and related options, | |||
| please refer to the following security updates: | |||
| https://www.us-cert.gov/ncas/alerts/TA18-141A | |||
| https://www.redhat.com/archives/libvir-list/2018-May/msg01562.html | |||
| https://www.redhat.com/archives/libvir-list/2018-June/msg01111.html | |||
| For now, the ``cpu_model_extra_flags`` config attribute is valid only in | |||
| combination with ``cpu_mode`` + ``cpu_model`` options. | |||
+ 8
- 0
releasenotes/notes/libvirt-cpu-model-extra-flags-amd-ssbd-1c0d0cec14073dec.yaml
View File
| @@ -0,0 +1,8 @@ | |||
| --- | |||
| security: | |||
| - | | |||
| The 'AMD-SSBD' and 'AMD-NO-SSB' flags have been added to the list of available | |||
| choices for the ``[libvirt]/cpu_model_extra_flags`` config option. These are | |||
| important for proper mitigation of security issues in AMD CPUs. For more | |||
| information see | |||
| https://www.redhat.com/archives/libvir-list/2018-June/msg01111.html | |||
Loading…