On Fri, Jun 29, 2018 at 11:19:17AM +0100, Daniel P. Berrangé wrote:
> On Fri, Jun 29, 2018 at 09:53:53AM +0100, Dr. David Alan Gilbert wrote:
[...]
> > We're going to have to say something like:
> >   'For the new XYZ vulnerability make sure you're using
> >    Haswell-3.2 or later, SkyLake-2.6 or later, Westmere-4.8 or later
> >    .....'
> >
> > which all gets a bit confusing.
>
> The kernel has a /sys/devices/system/cpu/vulnerabilities dir
> that lists status of various flaws.
>
> I have been thinking about whether libvirt should create a
> 'virt-guest-validate' command that looks at guest XML and
> reports whether any of the config settings are vulnerable
> or otherwise diverging from best practice in some way.
>
> QEMU itself would perhaps have a 'query-vulnerabilities'
> monitor command to report whether the current config is
> satisfactory or not.

Makes sense to me.  I wanted to make QEMU emit warnings on
obviously insecure configurations.  Adding a
query-vulnerabilities command would be the QMP counterpart of
that.

-- 
Eduardo
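
The sysfs directory mentioned in the quoted text can be read programmatically. The sketch below is an added example, not part of the original message and not libvirt or QEMU code; the function names are hypothetical and the sample statuses are constructed for the demo.

```python
import os
import tempfile

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

def classify(status):
    """Map one sysfs status string to a coarse verdict."""
    s = status.strip()
    if s == "Not affected":
        return "ok"
    if s.startswith("Mitigation"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # unrecognised text is flagged, not assumed safe

def read_vulnerabilities(path=SYSFS_DIR):
    """Return {flaw: (verdict, raw_status)}; empty if the directory is absent."""
    report = {}
    if not os.path.isdir(path):
        return report
    for name in sorted(os.listdir(path)):
        try:
            with open(os.path.join(path, name)) as fh:
                raw = fh.read().strip()
        except OSError:
            raw = ""  # unreadable entry ends up as "unknown"
        report[name] = (classify(raw), raw)
    return report

def needs_attention(report):
    """Names of flaws reported as vulnerable or in an unrecognised state."""
    return sorted(n for n, (v, _) in report.items() if v in ("vulnerable", "unknown"))

def demo_report():
    """Build a constructed sample directory so the example runs on any host."""
    sample = {"meltdown": "Mitigation: PTI", "l1tf": "Not affected",
              "spec_store_bypass": "Vulnerable"}  # constructed values
    with tempfile.TemporaryDirectory() as d:
        for name, text in sample.items():
            with open(os.path.join(d, name), "w") as fh:
                fh.write(text + "\n")
        return read_vulnerabilities(d)

if __name__ == "__main__":
    report = read_vulnerabilities() or demo_report()
    for flaw, (verdict, raw) in report.items():
        print(f"{flaw:20} {verdict:10} {raw}")
    print("needs attention:", ", ".join(needs_attention(report)) or "none")
```

Run inside a guest, the output reflects what the guest kernel detects from the CPU model and flags it was given, which is the configuration question the thread is about.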