Re: [virt-manager PATCH 1/5] domcapabilities: remove recommended CPU features from security features

On Thu, Apr 04, 2019 at 10:10:44AM +0100, Daniel P. Berrangé wrote:
> On Wed, Apr 03, 2019 at 03:52:47PM +0200, Pavel Hrdina wrote:
> > These features are only recommended to be enabled since they improve
> > performance of the VMs if security features are enabled.
> > 
> > Signed-off-by: Pavel Hrdina <phrdina@xxxxxxxxxx>
> > ---
> >  tests/cli-test-xml/compare/virt-install-qemu-plain.xml      | 2 --
> >  .../compare/virt-install-singleton-config-2.xml             | 4 ----
> >  virtinst/domcapabilities.py                                 | 6 +-----
> >  3 files changed, 1 insertion(+), 11 deletions(-)
> 
> > diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
> > index d1b0f4ed..72844512 100644
> > --- a/virtinst/domcapabilities.py
> > +++ b/virtinst/domcapabilities.py
> > @@ -274,14 +274,10 @@ class DomainCapabilities(XMLBuilder):
> >  
> >      def get_cpu_security_features(self):
> >          sec_features = [
> > -                'pcid',
> >                  'spec-ctrl',
> >                  'ssbd',
> > -                'pdpe1gb',
> >                  'ibpb',
> > -                'virt-ssbd',
> > -                'amd-ssbd',
> > -                'amd-no-ssb']
> > +                'virt-ssbd']
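
Review bot: the removed entries 'amd-ssbd' and 'amd-no-ssb' in sec_features do not fit the commit message, which describes every dropped feature as a performance recommendation; both names refer to SSBD, not to performance. A short comment above `sec_features = [` saying what qualifies a flag for this list, and why pcid, pdpe1gb, amd-ssbd and amd-no-ssb are left out, would keep them from being re-added later.
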
> 
> This all makes sense - rationale for each removed one is:
> 
> pcid is a very useful perf feature, but missing in some silicon
> so not portable.
> 
> pdpe1gb lets the guest use 1 GB pages which is good for perf
> but again not all silicon can do it.
> 
> amd-ssbd is a security feature which fixes the same SSBD flaws as the
> virt-ssbd feature does. virt-ssbd is usable across all CPU models
> affected by SSBD, while amd-ssbd is only available in very new silicon.
> So virt-ssbd is the better choice.
> 
> amd-no-ssb just indicates that the CPU is not affected by SSBD, so not
> critical to expose. I expect a future named CPU model will include that
> where appropriate.
> 
> Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>

Thanks, I'll add the rationale into the commit message.

Pavel

_______________________________________________
virt-tools-list mailing list
virt-tools-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/virt-tools-list