[virt-tools-list] [virt-manager PATCH 1/5] domcapabilities: remove recommended CPU features from security features

Daniel P. Berrangé berrange at redhat.com
Thu Apr 4 09:10:44 UTC 2019


On Wed, Apr 03, 2019 at 03:52:47PM +0200, Pavel Hrdina wrote:
> These features are only recommended to be enabled since they improve
> performance of the VMs if security features are enabled.
> 
> Signed-off-by: Pavel Hrdina <phrdina at redhat.com>
> ---
>  tests/cli-test-xml/compare/virt-install-qemu-plain.xml      | 2 --
>  .../compare/virt-install-singleton-config-2.xml             | 4 ----
>  virtinst/domcapabilities.py                                 | 6 +-----
>  3 files changed, 1 insertion(+), 11 deletions(-)

> diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
> index d1b0f4ed..72844512 100644
> --- a/virtinst/domcapabilities.py
> +++ b/virtinst/domcapabilities.py
> @@ -274,14 +274,10 @@ class DomainCapabilities(XMLBuilder):
>  
>      def get_cpu_security_features(self):
>          sec_features = [
> -                'pcid',
>                  'spec-ctrl',
>                  'ssbd',
> -                'pdpe1gb',
>                  'ibpb',
> -                'virt-ssbd',
> -                'amd-ssbd',
> -                'amd-no-ssb']
> +                'virt-ssbd']
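Review bot: the commit message justifies the removals only on performance grounds ("only recommended ... since they improve performance"), which fits pcid and pdpe1gb but not amd-ssbd and amd-no-ssb, both of which are SSBD-related rather than performance features; the message should also state why those two leave the list (virt-ssbd covers the same SSBD mitigation on all affected models, amd-no-ssb merely reports that the CPU is unaffected), so the rationale survives in git history rather than only in this thread.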

This all makes sense - rationale for each removed one is:

pcid is a very useful perf feature, but missing in some silicon
so not portable.

pdpe1gb lets the guest use 1 GB pages which is good for perf
but again not all silicon can do it

amd-ssbd is a security feature which fixes the same SSBD flaws as the
virt-ssbd feature does. virt-ssbd is usable across all CPU models
affected by SSBD, while amd-ssbd is only available in very new silicon.
So virt-ssbd is the better choice.

amd-no-ssb just indicates that the CPU is not affected by SSBD, so not
critical to expose. I expect a future named CPU model will include that
where appropriate.

Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
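To make the effect of the trimmed list concrete, here is an added example (not virt-manager's own code, and not from either poster) that does what the patched `get_cpu_security_features` is there for: read the host-model feature list from libvirt's domcapabilities XML, intersect it with the mitigation-only list the patch leaves in place, and emit the `<cpu>` fragment a guest would carry to require those mitigations. The domcapabilities document is constructed here to look like `virsh domcapabilities` output for an AMD host; the pre-patch list is included only to show which non-mitigation features it would have pulled in.

```python
"""Added example, not virt-manager's code: select CPU security mitigations
for a guest from libvirt domcapabilities XML.

Assumptions: SAMPLE_DOMCAPS is a constructed document shaped like
`virsh domcapabilities` output; the function and constant names are
this example's own.
"""
import xml.etree.ElementTree as ET

# Mitigation-only list as left by the quoted patch.
CPU_SECURITY_FEATURES = ["spec-ctrl", "ssbd", "ibpb", "virt-ssbd"]

# List before the patch, kept here only to show what it pulled in.
PRE_PATCH_FEATURES = ["pcid", "spec-ctrl", "ssbd", "pdpe1gb", "ibpb",
                      "virt-ssbd", "amd-ssbd", "amd-no-ssb"]

# Constructed sample (assumption: mirrors the libvirt domcapabilities layout).
SAMPLE_DOMCAPS = """<domainCapabilities>
  <cpu>
    <mode name='host-passthrough' supported='yes'/>
    <mode name='host-model' supported='yes'>
      <model fallback='forbid'>EPYC</model>
      <vendor>AMD</vendor>
      <feature policy='require' name='x2apic'/>
      <feature policy='require' name='pcid'/>
      <feature policy='require' name='pdpe1gb'/>
      <feature policy='require' name='ibpb'/>
      <feature policy='require' name='virt-ssbd'/>
      <feature policy='require' name='amd-ssbd'/>
      <feature policy='require' name='amd-no-ssb'/>
    </mode>
    <mode name='custom' supported='yes'>
      <model usable='yes'>EPYC</model>
    </mode>
  </cpu>
</domainCapabilities>
"""


def host_model_features(domcaps_xml):
    """Return the feature names libvirt reports for the host-model mode.

    Only host-model is consulted: host-passthrough carries no feature
    list and the custom mode lists models, not features.  An unsupported
    or missing host-model mode yields an empty list rather than an error.
    """
    root = ET.fromstring(domcaps_xml)
    mode = root.find("./cpu/mode[@name='host-model']")
    if mode is None or mode.get("supported") != "yes":
        return []
    return [f.get("name") for f in mode.findall("feature")]


def get_cpu_security_features(domcaps_xml, candidates=CPU_SECURITY_FEATURES):
    """Intersect the host's features with the candidate list.

    Order follows `candidates`, so the result is stable across hosts and
    easy to diff; features the host lacks are simply skipped.
    """
    present = set(host_model_features(domcaps_xml))
    return [name for name in candidates if name in present]


def cpu_xml_fragment(features):
    """Build the <cpu> element that makes the guest *require* each
    mitigation, so migration to a host lacking one is refused rather
    than silently dropping the protection."""
    cpu = ET.Element("cpu", {"mode": "host-model"})
    for name in features:
        ET.SubElement(cpu, "feature", {"policy": "require", "name": name})
    return ET.tostring(cpu, encoding="unicode")


if __name__ == "__main__":
    after = get_cpu_security_features(SAMPLE_DOMCAPS)
    before = get_cpu_security_features(SAMPLE_DOMCAPS, PRE_PATCH_FEATURES)
    print("patched list selects:", after)
    print("pre-patch list would have selected:", before)
    print(cpu_xml_fragment(after))
```

On the constructed host the patched list selects only `ibpb` and `virt-ssbd`; the pre-patch list would additionally have forced `pcid`, `pdpe1gb`, `amd-ssbd` and `amd-no-ssb` into the guest as `require` features, which is exactly the portability problem the thread describes.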



