On Thu, Apr 04, 2019 at 10:14:21AM +0100, Daniel P. Berrangé wrote: > On Wed, Apr 03, 2019 at 03:52:49PM +0200, Pavel Hrdina wrote: > > This will allow users to override the default behavior of virt-install > > which copies CPU security features available on the host to the guest > > XML if specific CPU model is configured. > > > > Signed-off-by: Pavel Hrdina <phrdina@xxxxxxxxxx> > > --- > > man/virt-install.pod | 8 +- > > .../compare/virt-install-cpu-disable-sec.xml | 93 +++++++++++++++++++ > > tests/clitest.py | 1 + > > virtinst/cli.py | 1 + > > virtinst/domain/cpu.py | 7 +- > > 5 files changed, 108 insertions(+), 2 deletions(-) > > create mode 100644 tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml > > > > diff --git a/man/virt-install.pod b/man/virt-install.pod > > index 8407e795..18d44808 100644 > > --- a/man/virt-install.pod > > +++ b/man/virt-install.pod 
> > @@ -216,7 +216,13 @@ required value is MODEL, which is a valid CPU model as known to libvirt. > > > > Libvirt's feature policy values force, require, optional, disable, or forbid, > > or with the shorthand '+feature' and '-feature', which equal 'force=feature' > > -and 'disable=feature' respectively > > +and 'disable=feature' respectively. > > + > > +If exact CPU model is specified virt-install will automatically copy CPU > > +security features available on the host to mitigate recent CPU CVEs. > > I'd tweak it slightly to > > s/security features/features/ > > s/CPU CVEs/CPU speculative execution side channel security vulnerabilities./ > > > +This however will have some impact on performance and will break migration > > +to hosts without security patches. In order to turn off this default behavior > > +there is a B<secure> parameter. Possible values are I<on> and I<off>. > > At the end, add > > , with I<on> as the default. It is highly recommended to leave this > enabled and ensure all virtualization hosts have fully up to date > microcode, kernel & virtualization software installed. Thanks, I'll tweak it before pushing. Pavel
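Review bot: In the paragraph added to man/virt-install.pod, the B<secure> text names the cost of leaving the default on (performance impact, broken migration to hosts without security patches) but never states the cost of I<off>: the host's CPU security features are no longer copied into the guest XML, so the guest does not get the mitigations the paragraph refers to. Say that next to "In order to turn off this default behavior", and add a short example showing B<secure> inside a --cpu argument so readers can see where the parameter goes. Minor wording in the same paragraph: "If exact CPU model is specified virt-install will" reads better as "If an exact CPU model is specified, virt-install will".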
_______________________________________________ virt-tools-list mailing list virt-tools-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/virt-tools-list