[pve-devel] [PATCH pve-docs] add ibpb, ssbd, virt-ssbd, amd-ssbd, amd-no-ssb, pdpe1gb cpu flags

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Tue Aug 28 10:53:34 CEST 2018


On 28.08.2018 at 10:47, Thomas Lamprecht wrote:
> On 8/27/18 7:50 PM, Stefan Priebe - Profihost AG wrote:
>> I'm using them as a default since 2 weeks. No problems so far.
>>
> 
> for the backend this is probably OK.
> 
> The GUI part isn't as easy to make sane.
> 
> So there's all those flags, you have *no* guarantee to have any of them
> (even if virt-ssbd sounds like it)
> Intel gets ssbd or not, depending on microcode version (or future
> CPU models)
> AMD can have virt-ssbd, and additionally amd-ssbd (the latter implies
> the former, but not vice versa).
> 
> The pdpe1gb flag is something completely different and not really security
> related, so I'd add it in another commit.. 
> 
> Problem is with migration, even in a HW homogeneous environment (all CPUs
> are the same model/revision) a microcode version difference can make it fail.
> 
> Migration from Intel to AMD or the other way is not possible, but this is
> the same with the already existing spec-ctrl, AFAIS.
> 
> So better to make a single SSBD flag in the GUI and map it to whatever we
> have available at start in the host CPU or make a CPU Flag selector exposing
> all those options?

I've handled it differently and made a datacenter option on my own out
of them. So I can set default cpu flags for each Proxmox datacenter.
They're added to the customer ones. Not sure if this is something to
work for PVE in general.

Greets.
Stefan

> 
>>
>> On 27.08.2018 at 18:01, Alexandre DERUMIER wrote:
>>> any comments to add these cpu flags?
>>>
>>>
>>> ----- Original Message -----
>>> From: "aderumier" <aderumier at odiso.com>
>>> To: "pve-devel" <pve-devel at pve.proxmox.com>
>>> Sent: Monday 20 August 2018 18:26:50
>>> Subject: Re: [pve-devel] [PATCH pve-docs] add ibpb, ssbd, virt-ssbd, amd-ssbd, amd-no-ssb, pdpe1gb cpu flags
>>>
>>> Sorry, it's for qemu-server package. 
>>>
>>> I'll rework the pve-docs tomorrow, with amd && intel flags 
>>>
>>>
>>> ----- Original Message -----
>>> From: "Alexandre Derumier" <aderumier at odiso.com>
>>> To: "pve-devel" <pve-devel at pve.proxmox.com>
>>> Cc: "Alexandre Derumier" <aderumier at odiso.com>
>>> Sent: Monday 20 August 2018 17:53:18
>>> Subject: [PATCH pve-docs] add ibpb,ssbd,virt-ssbd,amd-ssbd,amd-no-ssb,pdpe1gb cpu flags
>>>
>>> see: https://www.berrange.com/tags/ssbd/ 
>>> --- 
>>> PVE/QemuServer.pm | 4 ++-- 
>>> 1 file changed, 2 insertions(+), 2 deletions(-) 
>>>
>>> diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm 
>>> index 1c0fba2..015f8f7 100644 
>>> --- a/PVE/QemuServer.pm 
>>> +++ b/PVE/QemuServer.pm 
>>> @@ -155,7 +155,7 @@ my $cpu_vendor_list = { 
>>> max => 'default', 
>>> }; 
>>>
>>> -my $cpu_flag = qr/[+-](pcid|spec-ctrl)/; 
>>> +my $cpu_flag = qr/[+-](pcid|spec-ctrl|ibpb|ssbd|virt-ssbd|amd-ssbd|amd-no-ssb|pdpe1gb)/; 
>>>
>>> my $cpu_fmt = { 
>>> cputype => { 
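
Review bot: the alternation in `$cpu_flag` now carries eight flag names that are repeated by hand in the `flags` description further down, so the two lists can drift apart on the next addition; consider building both the regex and the description text from one array of flag names. `pdpe1gb` is also a different kind of flag from the speculation-control ones added beside it (`ibpb`, `ssbd`, `virt-ssbd`, `amd-ssbd`, `amd-no-ssb`), and putting it in its own commit would make either change easier to revert or backport independently.
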
>>> @@ -174,7 +174,7 @@ my $cpu_fmt = { 
>>> flags => { 
>>> description => "List of additional CPU flags separated by ';'." 
>>> . " Use '+FLAG' to enable, '-FLAG' to disable a flag." 
>>> - . " Currently supported flags: 'pcid', 'spec-ctrl'.", 
>>> + . " Currently supported flags: 'pcid', 'spec-ctrl', 'ibpb', 'ssbd', 'virt-ssbd', 'amd-ssbd', 'amd-no-ssb', 'pdpe1gb'.", 
>>> format_description => '+FLAG[;-FLAG...]', 
>>> type => 'string', 
>>> pattern => qr/$cpu_flag(;$cpu_flag)*/, 
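
Review bot: missing documentation in the extended "Currently supported flags" string: it lists `ssbd`, `virt-ssbd`, `amd-ssbd` and `amd-no-ssb` side by side without saying which CPU vendor each one applies to or that availability depends on the host (microcode included), so a user reading only this description cannot tell which flag to set or that a VM configured with one may fail to start or migrate on a host lacking it. A short per-flag note, or a pointer to the docs section that explains them, would help. Separately, the `pattern` on the context line has no `^`/`$` in the lines shown here; now that the list contains names that are prefixes or suffixes of each other (`ssbd` inside `virt-ssbd` and `amd-ssbd`), it is worth confirming that the schema check anchors the match so that a string with trailing garbage after a valid flag is rejected.
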
>>>