[virt-tools-list] [virt-manager PATCH] DomainCpu: fix detection of CPU security features
Pavel Hrdina
phrdina at redhat.com
Tue Apr 9 11:31:07 UTC 2019
A VM configured with mode="host-model" will have the CPU definition
expanded once the VM is started. Libvirt will try to use the closest
CPU model with some features enabled/disabled.

The issue is that there are some models that include the spec-ctrl or ibpb
features, and these will not appear in the explicit list of features, so
virt-manager will not correctly detect whether all security features are
enabled or not. As a workaround we can check the suffix of the CPU model to
figure out which security features are enabled by the model itself.

Signed-off-by: Pavel Hrdina <phrdina at redhat.com>
---
Pushed
virtinst/domain/cpu.py | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/virtinst/domain/cpu.py b/virtinst/domain/cpu.py
index 45fdbd3a..fa2df6de 100644
--- a/virtinst/domain/cpu.py
+++ b/virtinst/domain/cpu.py
@@ -134,15 +134,13 @@ class DomainCpu(XMLBuilder):
self.secure = False
return
- for feature in features:
- exists = False
- for f in self.features:
- if f.name == feature and f.policy == "require":
- exists = True
- break
- if not exists:
- self.secure = False
- return
+ guestFeatures = [f.name for f in self.features if f.policy == "require"]
+ if self.model.endswith("IBRS"):
+ guestFeatures.append("spec-ctrl")
+ if self.model.endswith("IBPB"):
+ guestFeatures.append("ibpb")
+
+ self.secure = set(features) <= set(guestFeatures)
def _remove_security_features(self, guest):
domcaps = guest.lookup_domcaps()
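Review bot: the two suffix checks, `self.model.endswith("IBRS")` and `self.model.endswith("IBPB")`, append spec-ctrl or ibpb unconditionally, so a guest whose feature list names the same feature with a policy other than "require" (for example "disable") would still end up with `self.secure` set to True, because `guestFeatures` only collects the "require" entries and never subtracts anything. Consider skipping the append when `self.features` already carries that feature with a non-require policy. Both calls also assume `self.model` is a string; the visible context does not show whether the early return above covers a CPU definition without a model, so a guard such as `if self.model and self.model.endswith(...)` would be safer. Since the result now depends on the -IBRS/-IBPB naming convention of CPU models, a short comment above these lines saying so would help the next reader.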
--
2.20.1