On Mon, Jan 07, 2019 at 12:05:35PM +0000, Andre Przywara wrote: > Workarounds for Spectre variant 2 or 4 vulnerabilities require some help > from the firmware, so KVM implements an interface to provide that for > guests. When such a guest is migrated, we want to make sure we don't > loose the protection the guest relies on. > > This introduces two new firmware registers in KVM's GET/SET_ONE_REG > interface, so userland can save the level of protection implemented by > the hypervisor and used by the guest. Upon restoring these registers, > we make sure we don't downgrade and reject any values that would mean > weaker protection. Just trolling here, but could we treat these as immutable, like the ID registers? We don't support migration between nodes that are "too different" in any case, so I wonder if adding complex logic to compare vulnerabilities and workarounds is liable to create more problems than it solves... Do we know of anyone who explicitly needs this flexibility yet? [...] Cheers ---Dave
