[pve-devel] [PATCH pve-docs] add ibpb, ssbd, virt-ssbd, amd-ssbd, amd-no-ssb, pdpe1gb cpu flags

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Aug 28 10:47:12 CEST 2018


On 8/27/18 7:50 PM, Stefan Priebe - Profihost AG wrote:
> I'm using them as a default since 2 weeks. No problems so far.
> 

For the backend this is probably OK.

The GUI part isn't as easy to make sane.

So there are all those flags, and you have *no* guarantee to have any of them
(even if virt-ssbd sounds like it).
Intel gets ssbd or not, depending on microcode version (or future
CPU models).
AMD can have virt-ssbd, and additionally amd-ssbd (the latter implies
the former, but not vice versa).

The pdpe1gb flag is something completely different and not really security
related, so I'd add it in another commit.

The problem is with migration: even in a HW homogeneous environment (all CPUs
are the same model/revision) a microcode version difference can make it fail.

Migration from Intel to AMD or the other way is not possible, but this is
the same with the already existing spec-ctrl, AFAIS.

So better to make a single SSBD flag in the GUI and map it to whatever we
have available at start in the host CPU or make a CPU Flag selector exposing
all those options?

> 
> On 27.08.2018 at 18:01, Alexandre DERUMIER wrote:
>> any comments to add these cpu flags ?
>>
>>
>> ----- Original Message -----
>> From: "aderumier" <aderumier at odiso.com>
>> To: "pve-devel" <pve-devel at pve.proxmox.com>
>> Sent: Monday 20 August 2018 18:26:50
>> Subject: Re: [pve-devel] [PATCH pve-docs] add ibpb, ssbd, virt-ssbd, amd-ssbd, amd-no-ssb, pdpe1gb cpu flags
>>
>> Sorry, it's for qemu-server package. 
>>
>> I'll rework the pve-docs tomorrow, with amd && intel flags 
>>
>>
>> ----- Original Message -----
>> From: "Alexandre Derumier" <aderumier at odiso.com>
>> To: "pve-devel" <pve-devel at pve.proxmox.com>
>> Cc: "Alexandre Derumier" <aderumier at odiso.com>
>> Sent: Monday 20 August 2018 17:53:18
>> Subject: [PATCH pve-docs] add ibpb,ssbd,virt-ssbd,amd-ssbd,amd-no-ssb,pdpe1gb cpu flags
>>
>> see: https://www.berrange.com/tags/ssbd/ 
>> --- 
>> PVE/QemuServer.pm | 4 ++-- 
>> 1 file changed, 2 insertions(+), 2 deletions(-) 
>>
>> diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm 
>> index 1c0fba2..015f8f7 100644 
>> --- a/PVE/QemuServer.pm 
>> +++ b/PVE/QemuServer.pm 
>> @@ -155,7 +155,7 @@ my $cpu_vendor_list = { 
>> max => 'default', 
>> }; 
>>
>> -my $cpu_flag = qr/[+-](pcid|spec-ctrl)/; 
>> +my $cpu_flag = qr/[+-](pcid|spec-ctrl|ibpb|ssbd|virt-ssbd|amd-ssbd|amd-no-ssb|pdpe1gb)/; 
>>
>> my $cpu_fmt = { 
>> cputype => { 
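Review bot: the alternation in $cpu_flag now carries eight hand-typed names that are repeated verbatim in the 'flags' description in the next hunk, so the two lists can drift apart on the next addition. Consider keeping the names in one array and building both the regex and the "Currently supported flags" text from it. pdpe1gb is also added here alongside the speculation-control flags although the commit message only points at the SSBD article; it would be easier to review and revert as its own commit.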
>> @@ -174,7 +174,7 @@ my $cpu_fmt = { 
>> flags => { 
>> description => "List of additional CPU flags separated by ';'." 
>> . " Use '+FLAG' to enable, '-FLAG' to disable a flag." 
>> - . " Currently supported flags: 'pcid', 'spec-ctrl'.", 
>> + . " Currently supported flags: 'pcid', 'spec-ctrl', 'ibpb', 'ssbd', 'virt-ssbd', 'amd-ssbd', 'amd-no-ssb', 'pdpe1gb'.", 
>> format_description => '+FLAG[;-FLAG...]', 
>> type => 'string', 
>> pattern => qr/$cpu_flag(;$cpu_flag)*/, 
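Review bot: the extended "Currently supported flags" sentence lists the eight names with no hint that some are vendor-specific (virt-ssbd, amd-ssbd, amd-no-ssb) or that a listed flag may not be offered by the host CPU, so a user reading only this description cannot tell which ones apply to their machine. Suggest adding a short remark to the description, or a pointer to the documentation, stating that availability depends on the host CPU vendor and microcode.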
>>
> 
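
The "single SSBD flag mapped to whatever the host has at start" option from the reply above, together with the migration problem it runs into, as an added sketch that is not part of the original mail or of qemu-server. The Host class, the function names and the sample hosts are hypothetical and constructed; only the flag names and the '+FLAG[;+FLAG...]' format come from the thread.

```python
from dataclasses import dataclass

# Vendor -> SSBD-related flag names mentioned in the thread, in the order tried.
SSBD_CANDIDATES = {
    "intel": ("ssbd",),
    "amd": ("virt-ssbd", "amd-ssbd"),
}


@dataclass(frozen=True)
class Host:  # hypothetical description of one cluster node
    name: str
    vendor: str           # "intel" or "amd"
    cpu_flags: frozenset  # flags the host CPU plus its microcode expose


def resolve_ssbd(host):
    """Map one generic 'SSBD' choice to the concrete flags this host offers.

    Returns a '+FLAG[;+FLAG...]' string, or '' when the host offers none
    (there is no guarantee that any of the flags exists).
    """
    offered = [f for f in SSBD_CANDIDATES[host.vendor] if f in host.cpu_flags]
    return ";".join("+" + f for f in offered)


def migration_blockers(vm_flags, target):
    """Return the enabled flags of a running VM that the target cannot provide."""
    wanted = [f[1:] for f in vm_flags.split(";") if f.startswith("+")]
    return [f for f in wanted if f not in target.cpu_flags]


# Constructed sample hosts: same CPU model per vendor, different microcode level.
INTEL_NEW = Host("node1", "intel", frozenset({"pcid", "spec-ctrl", "ssbd"}))
INTEL_OLD = Host("node2", "intel", frozenset({"pcid", "spec-ctrl"}))
AMD_BOTH = Host("node3", "amd", frozenset({"ibpb", "virt-ssbd", "amd-ssbd"}))
AMD_VIRT = Host("node4", "amd", frozenset({"ibpb", "virt-ssbd"}))

if __name__ == "__main__":
    pairs = [(INTEL_NEW, INTEL_OLD), (AMD_VIRT, AMD_BOTH), (AMD_BOTH, AMD_VIRT)]
    for src, dst in pairs:
        flags = resolve_ssbd(src)
        blockers = migration_blockers(flags, dst)
        print(f"{src.name} -> {dst.name}: {flags or '(none)'} blockers={blockers}")
```

Resolving at VM start keeps the GUI simple, but the resolved set then has to be checked against every possible migration target, which is where the microcode difference shows up.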






