On Thu, Apr 04, 2019 at 10:10:44AM +0100, Daniel P. Berrangé wrote:
> On Wed, Apr 03, 2019 at 03:52:47PM +0200, Pavel Hrdina wrote:
> > These features are only recommended to be enabled since they improve
> > performance of the VMs if security features are enabled.
> >
> > Signed-off-by: Pavel Hrdina <phrdina@xxxxxxxxxx>
> > ---
> >  tests/cli-test-xml/compare/virt-install-qemu-plain.xml | 2 --
> >  .../compare/virt-install-singleton-config-2.xml        | 4 ----
> >  virtinst/domcapabilities.py                            | 6 +-----
> >  3 files changed, 1 insertion(+), 11 deletions(-)
>
> > diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
> > index d1b0f4ed..72844512 100644
> > --- a/virtinst/domcapabilities.py
> > +++ b/virtinst/domcapabilities.py
> > @@ -274,14 +274,10 @@ class DomainCapabilities(XMLBuilder):
> >
> >      def get_cpu_security_features(self):
> >          sec_features = [
> > -            'pcid',
> >              'spec-ctrl',
> >              'ssbd',
> > -            'pdpe1gb',
> >              'ibpb',
> > -            'virt-ssbd',
> > -            'amd-ssbd',
> > -            'amd-no-ssb']
> > +            'virt-ssbd']
>
> This all makes sense - rationale for each removed one is:
>
> pcid is a very useful perf feature, but missing in some silicon
> so not portable.
>
> pdpe1gb lets the guest use 1 GB pages which is good for perf
> but again not all silicon can do it
>
> amd-ssbd is a security feature which fixes the same SSBD flaws as the
> virt-ssbd feature does. virt-ssbd is usable across all CPU models
> affected by SSBD, while amd-ssbd is only available in very new silicon.
> So virt-ssbd is the better choice.
>
> amd-no-ssb just indicates that the CPU is not affected by SSBD, so not
> critical to expose. I expect a future named CPU model will include that
> where appropriate.
>
> Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>

Thanks, I'll add the rationale into the commit message.

Pavel
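Review bot: the commit message's only justification ("only recommended to be enabled since they improve performance of the VMs") does not cover amd-ssbd and amd-no-ssb, which are SSBD-related rather than performance features, and the hunk in domcapabilities.py leaves nothing in the code saying why those four names are excluded from sec_features, so a later contributor comparing against the host-model feature list could simply add them back. Suggest carrying the per-feature reasoning from the review into the commit message and adding a short comment above `sec_features = [` along the lines of: pcid and pdpe1gb are performance features not present on all silicon; amd-ssbd fixes the same SSBD flaws as virt-ssbd but only exists on very new silicon, so virt-ssbd is preferred; amd-no-ssb only indicates an unaffected CPU. With that, the list finally matches the function name get_cpu_security_features, which before this change mixed performance and security names.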
Attachment:
signature.asc
Description: PGP signature
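As an added example of the selection logic the thread is discussing (my own code, not virt-install's or libvirt's), the script below parses a constructed domcapabilities-style XML document, keeps only the post-patch security feature names that the host-model mode marks as policy='require', and reports host features that the patch deliberately stopped forcing (the amd-ssbd / amd-no-ssb / pdpe1gb names) together with the review's reason for each. The sample XML, the DROPPED_FEATURES reasons and the cpu_xml() helper are assumptions for illustration; cpu_xml() does not reproduce virt-install's real output.

```python
import xml.etree.ElementTree as ET

# The names kept in sec_features after the patch in this thread.
SECURITY_FEATURES = ("spec-ctrl", "ssbd", "ibpb", "virt-ssbd")

# The names the patch removed, with the reason given in the review.
# Used only for reporting what a host exposes but will not be forced.
DROPPED_FEATURES = {
    "pcid": "performance feature, missing in some silicon",
    "pdpe1gb": "1 GB pages, performance feature, not all silicon can do it",
    "amd-ssbd": "same SSBD fix as virt-ssbd but only on very new silicon",
    "amd-no-ssb": "only indicates the CPU is not affected by SSBD",
}

# Constructed sample (assumption) shaped like libvirt's domcapabilities
# output for an AMD host that exposes both virt-ssbd and the amd-* names.
SAMPLE_DOMCAPS = """\
<domainCapabilities>
  <cpu>
    <mode name='host-passthrough' supported='yes'/>
    <mode name='host-model' supported='yes'>
      <model fallback='forbid'>EPYC</model>
      <vendor>AMD</vendor>
      <feature policy='require' name='ibpb'/>
      <feature policy='require' name='virt-ssbd'/>
      <feature policy='require' name='amd-ssbd'/>
      <feature policy='require' name='amd-no-ssb'/>
      <feature policy='require' name='pdpe1gb'/>
      <feature policy='disable' name='ssbd'/>
    </mode>
  </cpu>
</domainCapabilities>
"""


def host_model_features(domcaps_xml):
    """Map feature name -> policy for a supported host-model mode; {} otherwise."""
    root = ET.fromstring(domcaps_xml)
    mode = root.find("./cpu/mode[@name='host-model']")
    if mode is None or mode.get("supported") != "yes":
        return {}
    return {f.get("name"): f.get("policy") for f in mode.findall("feature")}


def select_security_features(domcaps_xml):
    """Return (chosen, skipped).

    chosen: post-patch security names the host-model mode requires.
    skipped: dropped names the host also requires, with the review's reason.
    """
    feats = host_model_features(domcaps_xml)
    chosen = [n for n in SECURITY_FEATURES if feats.get(n) == "require"]
    skipped = {n: why for n, why in DROPPED_FEATURES.items()
               if feats.get(n) == "require"}
    return chosen, skipped


def cpu_xml(chosen):
    """Illustrative <cpu> fragment requiring the chosen names (hypothetical output)."""
    cpu = ET.Element("cpu", mode="host-model")
    for name in chosen:
        ET.SubElement(cpu, "feature", policy="require", name=name)
    return ET.tostring(cpu, encoding="unicode")


if __name__ == "__main__":
    chosen, skipped = select_security_features(SAMPLE_DOMCAPS)
    print("require:", chosen)
    for name, why in skipped.items():
        print(f"host has {name} but it is not forced: {why}")
    print(cpu_xml(chosen))
```

On the sample host the script requires ibpb and virt-ssbd only: ssbd is present but policy='disable', so it is left alone, and amd-ssbd / amd-no-ssb / pdpe1gb are reported rather than forced, which is the outcome the review argues for (virt-ssbd covers the SSBD case on every affected model).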
_______________________________________________ virt-tools-list mailing list virt-tools-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/virt-tools-list