[pve-devel] [PATCH pve-docs] add ibpb, ssbd, virt-ssbd, amd-ssbd, amd-no-ssb, pdpe1gb cpu flags
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue Aug 28 11:25:12 CEST 2018
- Previous message (by thread): [pve-devel] [PATCH pve-docs] add ibpb, ssbd, virt-ssbd, amd-ssbd, amd-no-ssb, pdpe1gb cpu flags
- Next message (by thread): [pve-devel] applied: [PATCH pve-docs] add ibpb, ssbd, virt-ssbd, amd-ssbd, amd-no-ssb, pdpe1gb cpu flags
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
On 8/28/18 10:53 AM, Stefan Priebe - Profihost AG wrote:
>
> Am 28.08.2018 um 10:47 schrieb Thomas Lamprecht:
>> On 8/27/18 7:50 PM, Stefan Priebe - Profihost AG wrote:
>>> I'm using them as a default since 2 weeks. No problems so far.
>>>
>>
>> for the backend this is probably OK.
>>
>> The GUI part isn't as easy to make sane.
>>
>> So there's all those flags, you have *no* guarantee to have any of them
>> (even if virt-ssbd sounds like it)
>> Intel gets ssbd or not, depending on microcode version (or future
>> CPU models)
>> AMD can have virt-ssbd, and additionally amd-ssbd (the later implies
>> the former, but not vice versa).
>>
>> The pdpe1gb flag is something completely different and not really security
>> related, so I'd add it in another commit..
>>
>> Problem is with migration, even in a HW homogeneous environment (all CPUs
>> are the same model/revision) a microcode version difference can make it fail.
>>
>> Migration from Intel to AMD or the other way is not possible, but this is
>> the same with the already existing spec-ctrl, AFAIS.
>>
>> So better to make a single SSBD flag in the GUI and map it to whatever we
>> have available at start in the host CPU or make a CPU Flag selector exposing
>> all those options?
>
> I've handled it differently and made a datacenter option on my own out
> of them. So i can set default cpu flags for each proxmox datacenter.
> They're added to the customer ones. Not sure if this is something to
> work for PVE in general.
>
Would work work for datacenters with same hardware, else we now have
also a node config which could be used too.
But it'd probably always good to let this get overwritten on a per-vm
basis.
anyway, I'll apply Alexandre's patch for the backend now, so people
can use it without to much hassle, the UI can be planned independent
from this.
>
>>
>>>
>>> Am 27.08.2018 um 18:01 schrieb Alexandre DERUMIER:
>>>> any comments to add theses cpu flags ?
>>>>
>>>>
>>>> ----- Mail original -----
>>>> De: "aderumier" <aderumier at odiso.com>
>>>> À: "pve-devel" <pve-devel at pve.proxmox.com>
>>>> Envoyé: Lundi 20 Août 2018 18:26:50
>>>> Objet: Re: [pve-devel] [PATCH pve-docs] add ibpb, ssbd, virt-ssbd, amd-ssbd, amd-no-ssb, pdpe1gb cpu flags
>>>>
>>>> Sorry, it's for qemu-server package.
>>>>
>>>> I'll rework the pve-docs tomorrow, with amd && intel flags
>>>>
>>>>
>>>> ----- Mail original -----
>>>> De: "Alexandre Derumier" <aderumier at odiso.com>
>>>> À: "pve-devel" <pve-devel at pve.proxmox.com>
>>>> Cc: "Alexandre Derumier" <aderumier at odiso.com>
>>>> Envoyé: Lundi 20 Août 2018 17:53:18
>>>> Objet: [PATCH pve-docs] add ibpb,ssbd,virt-ssbd,amd-ssbd,amd-no-ssb,pdpe1gb cpu flags
>>>>
>>>> see: https://www.berrange.com/tags/ssbd/
>>>> ---
>>>> PVE/QemuServer.pm | 4 ++--
>>>> 1 file changed, 2 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
>>>> index 1c0fba2..015f8f7 100644
>>>> --- a/PVE/QemuServer.pm
>>>> +++ b/PVE/QemuServer.pm
>>>> @@ -155,7 +155,7 @@ my $cpu_vendor_list = {
>>>> max => 'default',
>>>> };
>>>>
>>>> -my $cpu_flag = qr/[+-](pcid|spec-ctrl)/;
>>>> +my $cpu_flag = qr/[+-](pcid|spec-ctrl|ibpb|ssbd|virt-ssbd|amd-ssbd|amd-no-ssb|pdpe1gb)/;
>>>>
>>>> my $cpu_fmt = {
>>>> cputype => {
>>>> @@ -174,7 +174,7 @@ my $cpu_fmt = {
>>>> flags => {
>>>> description => "List of additional CPU flags separated by ';'."
>>>> . " Use '+FLAG' to enable, '-FLAG' to disable a flag."
>>>> - . " Currently supported flags: 'pcid', 'spec-ctrl'.",
>>>> + . " Currently supported flags: 'pcid', 'spec-ctrl', 'ibpb', 'ssbd', 'virt-ssbd', 'amd-ssbd', 'amd-no-ssb', 'pdpe1gb'.",
>>>> format_description => '+FLAG[;-FLAG...]',
>>>> type => 'string',
>>>> pattern => qr/$cpu_flag(;$cpu_flag)*/,
>>>>
>>> _______________________________________________
>>> pve-devel mailing list
>>> pve-devel at pve.proxmox.com
>>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>>>
>>
>>
>>
>>
> _______________________________________________
> pve-devel mailing list
> pve-devel at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
>
- Previous message (by thread): [pve-devel] [PATCH pve-docs] add ibpb, ssbd, virt-ssbd, amd-ssbd, amd-no-ssb, pdpe1gb cpu flags
- Next message (by thread): [pve-devel] applied: [PATCH pve-docs] add ibpb, ssbd, virt-ssbd, amd-ssbd, amd-no-ssb, pdpe1gb cpu flags
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the pve-devel
mailing list