[virt-tools-list] [virt-manager PATCH 1/5] domcapabilities: remove recommended CPU features from security features
Pavel Hrdina
phrdina at redhat.com
Thu Apr 4 09:26:31 UTC 2019
On Thu, Apr 04, 2019 at 10:10:44AM +0100, Daniel P. Berrangé wrote:
> On Wed, Apr 03, 2019 at 03:52:47PM +0200, Pavel Hrdina wrote:
> > These features are only recommended to be enabled since they improve
> > performance of the VMs if security features are enabled.
> >
> > Signed-off-by: Pavel Hrdina <phrdina at redhat.com>
> > ---
> > tests/cli-test-xml/compare/virt-install-qemu-plain.xml | 2 --
> > .../compare/virt-install-singleton-config-2.xml | 4 ----
> > virtinst/domcapabilities.py | 6 +-----
> > 3 files changed, 1 insertion(+), 11 deletions(-)
>
> > diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
> > index d1b0f4ed..72844512 100644
> > --- a/virtinst/domcapabilities.py
> > +++ b/virtinst/domcapabilities.py
> > @@ -274,14 +274,10 @@ class DomainCapabilities(XMLBuilder):
> >
> > def get_cpu_security_features(self):
> > sec_features = [
> > - 'pcid',
> > 'spec-ctrl',
> > 'ssbd',
> > - 'pdpe1gb',
> > 'ibpb',
> > - 'virt-ssbd',
> > - 'amd-ssbd',
> > - 'amd-no-ssb']
> > + 'virt-ssbd']
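Review bot: the removals of 'amd-ssbd' and 'amd-no-ssb' from sec_features are not covered by the commit message, which only talks about features recommended for performance; that description fits 'pcid' and 'pdpe1gb', while the two amd-* names are SSBD-related flags and are dropped for some other reason. Please give the reason for each of the four removed entries in the commit message, and add a short comment above sec_features in get_cpu_security_features() stating what qualifies a flag for this list, so that later additions are checked against the same criteria. The diffstat also shows two compare XML files changing; it would help to confirm in the message that those deletions are exactly the four features removed here.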
>
> This all makes sense - rationale for each removed one is:
>
> pcid is a very useful perf feature, but missing in some silicon
> so not portable.
>
> pdpe1gb lets the guest use 1 GB pages which is good for perf
> but again not all silicon can do it
>
> amd-ssbd is a security feature which fixes the same SSBD flaws as the
> virt-ssbd feature does. virt-ssbd is usable across all CPU models
> affected by SSBD, while amd-ssbd is only available in very new silicon.
> So virt-ssbd is the better choice.
>
> amd-no-ssb just indicates that the CPU is not affected by SSBD, so not
> critical to expose. I expect a future named CPU model will include that
> where appropriate.
>
> Reviewed-by: Daniel P. Berrangé <berrange at redhat.com>
Thanks, I'll add the rationale into the commit message.
Pavel