[pve-devel] missing cpu flags? (CVE-2018-3639)
Stefan Priebe - Profihost AG
s.priebe at profihost.ag
Mon Aug 20 20:48:13 CEST 2018
On 20.08.2018 at 17:19, Alexandre DERUMIER wrote:
> Hi Stefan,
>
> thanks for the infos!
>
>
>>> At least ssbd is important for guest to mitigate CVE-2018-3639.
>
> This needs qemu 3.0 :/
>
> https://wiki.qemu.org/ChangeLog/3.0
>
> "The 'ssbd', 'virt-ssbd', 'amd-ssbd' and 'amd-no-ssb' CPU feature flags are added in relation to the "Speculative Store Bypass" hardware vulnerability (CVE-2018-3639)"

You already answered yourself ;-) It's working fine with 2.11.2. I've
already been using it for a few days.

>>> It also seems to make sense to enable pdpe1gb
>
> Is it related to a vulnerability?

No.

> It's already possible to use hugepages currently with "hugepages: <1024 | 2 | any>". But it's only on the qemu/host side.
> I think pdpe1gb exposes hugepages inside the guest, right?

Yes.

Stefan

>
> ----- Original Message -----
> From: "Stefan Priebe, Profihost AG" <s.priebe at profihost.ag>
> To: "pve-devel" <pve-devel at pve.proxmox.com>
> Sent: Friday 17 August 2018 13:30:10
> Subject: [pve-devel] missing cpu flags? (CVE-2018-3639)
>
> Hello,
>
> after researching l1tf mitigation for qemu and reading https://www.berrange.com/posts/2018/06/29/cpu-model-configuration-for-qemu-kvm-on-x86-hosts/
>
> It seems pve misses at least the following cpu flag:
> ssbd
>
> It also seems to make sense to enable pdpe1gb
>
> At least ssbd is important for guest to mitigate CVE-2018-3639.
>
> Greets,
> Stefan
>
> Excuse my typo sent from my mobile phone.
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
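
An added example, not part of the thread and not Proxmox or QEMU code: a check for use inside a Linux guest that combines the CPU flags the guest sees with the kernel's own status line for CVE-2018-3639, to tell a missing `ssbd` flag apart from a mitigation that is switched off. The verdict words, the sample cpuinfo text and the `virt_ssbd` spelling (Linux's name for QEMU's `virt-ssbd`) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify a Linux guest's exposure to
# Speculative Store Bypass (CVE-2018-3639) from its CPU flags and sysfs status.

# has_flag FLAG CPUINFO_TEXT: succeed if FLAG is a whole word on a "flags" line.
has_flag() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^flags[ \t]*:/ { for (i = 2; i <= NF; i++) if ($i == want) found = 1 }
        END { exit !found }'
}

# ssb_guest_status CPUINFO_TEXT SYSFS_LINE: print one verdict word.
# Assumption: the QEMU flags "ssbd" / "virt-ssbd" appear in /proc/cpuinfo
# as "ssbd" / "virt_ssbd".
ssb_guest_status() {
    flag=no
    if has_flag ssbd "$1" || has_flag virt_ssbd "$1"; then flag=yes; fi
    case "$2" in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)
            if [ "$flag" = yes ]; then
                echo flag-present-mitigation-off  # assumed: guest kernel policy
            else
                echo flag-missing                 # CPU model does not expose SSBD
            fi ;;
        *)  echo unknown ;;                       # no sysfs status available
    esac
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_NO_SSBD='processor : 0
flags : fpu vme de pse tsc msr pae sse sse2 ssse3'
SAMPLE_SSBD='processor : 0
flags : fpu vme de pse tsc msr pae sse sse2 ssse3 ssbd'

ssb_guest_status "$SAMPLE_NO_SSBD" "Vulnerable"
ssb_guest_status "$SAMPLE_SSBD" "Mitigation: Speculative Store Bypass disabled via prctl and seccomp"

# On a real guest (standard Linux paths):
#   ssb_guest_status "$(cat /proc/cpuinfo)" \
#       "$(cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass 2>/dev/null)"
```

A `flag-missing` verdict points at the VM's CPU model or flag configuration on the host, which is the gap this thread is about.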