On 13/11/19 14:00, Jinpu Wang wrote: > Hi Paolo, hi list, > > Thanks for info, do we need qemu patch for full mitigation? > Debian mentioned: > https://linuxsecurity.com/advisories/debian/debian-dsa-4566-1-qemu-security-update-17-10-10 > " > A qemu update adding support for the PSCHANGE_MC_NO feature, which > allows to disable iTLB Multihit mitigations in nested hypervisors > will be provided via DSA 4566-1. > > " > But It's not yet available publicly. I will send it today, but it's not needed for full mitigation. It just provides a knob to turn it on and off in nested hypervisors. > About the performance hit, do you know any number? probably the answer > is workload dependent. We generally measured 0-4%. There can be latency spikes for RT, which I will send a patch for soon. Paolo
