On Wed, Apr 03, 2019 at 03:52:47PM +0200, Pavel Hrdina wrote: > These features are only recommended to be enabled since they improve > performance of the VMs if security features are enabled. > > Signed-off-by: Pavel Hrdina <phrdina@xxxxxxxxxx> > --- > tests/cli-test-xml/compare/virt-install-qemu-plain.xml | 2 -- > .../compare/virt-install-singleton-config-2.xml | 4 ---- > virtinst/domcapabilities.py | 6 +----- > 3 files changed, 1 insertion(+), 11 deletions(-) > diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py > index d1b0f4ed..72844512 100644 > --- a/virtinst/domcapabilities.py > +++ b/virtinst/domcapabilities.py > @@ -274,14 +274,10 @@ class DomainCapabilities(XMLBuilder): > > def get_cpu_security_features(self): > sec_features = [ > - 'pcid', > 'spec-ctrl', > 'ssbd', > - 'pdpe1gb', > 'ibpb', > - 'virt-ssbd', > - 'amd-ssbd', > - 'amd-no-ssb'] > + 'virt-ssbd'] This all makes sense - rationale for each removed one is: pcid is a very useful perf feature, but missing in some silicon so not portable. pdpe1gb lets the guest use 1 GB pages which is good for perf but again not all silicon can do it amd-ssbd is a security feature which fixes the same SSBD flaws as the virt-ssbd feature does. virt-ssbd is usable across all CPU models affected by SSBD, while amd-ssbd is only available in very new silicon. So virt-ssbd is the bette rchoice. amd-no-ssb just indicates that the CPU is not affected by SSBD, so not critical to expose. I expect a future named CPU model will include that where appropriate. Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| _______________________________________________ virt-tools-list mailing list virt-tools-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/virt-tools-list
