[pve-devel] [PATCH pve-docs] add ibpb, ssbd, virt-ssbd, amd-ssbd, amd-no-ssb, pdpe1gb cpu flags

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Aug 28 11:25:12 CEST 2018


On 8/28/18 10:53 AM, Stefan Priebe - Profihost AG wrote:
> 
> On 28.08.2018 at 10:47, Thomas Lamprecht wrote:
>> On 8/27/18 7:50 PM, Stefan Priebe - Profihost AG wrote:
>>> I've been using them as a default for 2 weeks. No problems so far.
>>>
>>
>> for the backend this is probably OK.
>>
>> The GUI part isn't as easy to make sane.
>>
>> So there's all those flags, you have *no* guarantee to have any of them
>> (even if virt-ssbd sounds like it)
>> Intel gets ssbd or not, depending on microcode version (or future
>> CPU models)
>> AMD can have virt-ssbd, and additionally amd-ssbd (the latter implies
>> the former, but not vice versa).
>>
>> The pdpe1gb flag is something completely different and not really security
>> related, so I'd add it in another commit.
>>
>> Problem is with migration, even in a HW homogeneous environment (all CPUs
>> are the same model/revision) a microcode version difference can make it fail.
>>
>> Migration from Intel to AMD or the other way is not possible, but this is
>> the same with the already existing spec-ctrl, AFAIS.
>>
>> So better to make a single SSBD flag in the GUI and map it to whatever we
>> have available at start in the host CPU or make a CPU Flag selector exposing
>> all those options?
> 
> I've handled it differently and made a datacenter option on my own out
> of them. So I can set default cpu flags for each Proxmox datacenter.
> They're added to the customer ones. Not sure if this is something to
> work for PVE in general.
> 

Would work for datacenters with the same hardware; else we now also
have a node config which could be used too.

But it'd probably always be good to let this get overwritten on a per-VM
basis.

Anyway, I'll apply Alexandre's patch for the backend now, so people
can use it without too much hassle; the UI can be planned independently
of this.

> 
>>
>>>
>>> On 27.08.2018 at 18:01, Alexandre DERUMIER wrote:
>>>> any comments on adding these cpu flags?
>>>>
>>>>
>>>> ----- Original Message -----
>>>> From: "aderumier" <aderumier at odiso.com>
>>>> To: "pve-devel" <pve-devel at pve.proxmox.com>
>>>> Sent: Monday, 20 August 2018 18:26:50
>>>> Subject: Re: [pve-devel] [PATCH pve-docs] add ibpb, ssbd, virt-ssbd, amd-ssbd, amd-no-ssb, pdpe1gb cpu flags
>>>>
>>>> Sorry, it's for qemu-server package. 
>>>>
>>>> I'll rework the pve-docs tomorrow, with amd && intel flags 
>>>>
>>>>
>>>> ----- Original Message -----
>>>> From: "Alexandre Derumier" <aderumier at odiso.com>
>>>> To: "pve-devel" <pve-devel at pve.proxmox.com>
>>>> Cc: "Alexandre Derumier" <aderumier at odiso.com>
>>>> Sent: Monday, 20 August 2018 17:53:18
>>>> Subject: [PATCH pve-docs] add ibpb,ssbd,virt-ssbd,amd-ssbd,amd-no-ssb,pdpe1gb cpu flags
>>>>
>>>> see: https://www.berrange.com/tags/ssbd/ 
>>>> --- 
>>>> PVE/QemuServer.pm | 4 ++-- 
>>>> 1 file changed, 2 insertions(+), 2 deletions(-) 
>>>>
>>>> diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm 
>>>> index 1c0fba2..015f8f7 100644 
>>>> --- a/PVE/QemuServer.pm 
>>>> +++ b/PVE/QemuServer.pm 
>>>> @@ -155,7 +155,7 @@ my $cpu_vendor_list = { 
>>>> max => 'default', 
>>>> }; 
>>>>
>>>> -my $cpu_flag = qr/[+-](pcid|spec-ctrl)/; 
>>>> +my $cpu_flag = qr/[+-](pcid|spec-ctrl|ibpb|ssbd|virt-ssbd|amd-ssbd|amd-no-ssb|pdpe1gb)/; 
>>>>
>>>> my $cpu_fmt = { 
>>>> cputype => { 
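Review bot: the new alternation in `$cpu_flag` puts pdpe1gb next to the speculation-control flags, although it is a 1 GiB page feature and, as noted earlier in this thread, not really security related; moving it to its own commit lets the mitigation flags be reviewed and reverted separately. The regex also accepts every vendor-specific name (ssbd, virt-ssbd, amd-ssbd, amd-no-ssb) on any host, so a comment beside it stating that passing validation does not mean the host CPU or microcode offers the flag would save a later reader from assuming otherwise.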
>>>> @@ -174,7 +174,7 @@ my $cpu_fmt = { 
>>>> flags => { 
>>>> description => "List of additional CPU flags separated by ';'." 
>>>> . " Use '+FLAG' to enable, '-FLAG' to disable a flag." 
>>>> - . " Currently supported flags: 'pcid', 'spec-ctrl'.", 
>>>> + . " Currently supported flags: 'pcid', 'spec-ctrl', 'ibpb', 'ssbd', 'virt-ssbd', 'amd-ssbd', 'amd-no-ssb', 'pdpe1gb'.", 
>>>> format_description => '+FLAG[;-FLAG...]', 
>>>> type => 'string', 
>>>> pattern => qr/$cpu_flag(;$cpu_flag)*/, 
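Review bot: the flag list in the `description` string on the `+` line is a second hand-maintained copy of the alternation in `$cpu_flag`, so the two can drift apart on the next addition; build both from one array of flag names. The help text would also be more useful if it said which flags depend on CPU vendor and microcode, and since `pattern => qr/$cpu_flag(;$cpu_flag)*/` shows no `^`/`$` in the visible lines, it is worth confirming that the schema validator anchors it.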
>>>>
>>> _______________________________________________
>>> pve-devel mailing list
>>> pve-devel at pve.proxmox.com
>>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
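An added example, not code from this thread or from qemu-server: a Python sketch of the `+FLAG[;-FLAG...]` grammar from the patch, matched against the whole string, with a pre-migration check for the microcode-difference problem raised above. The helper names, the node names and the per-node flag sets are constructed for illustration, and the rejection of a flag that is both enabled and disabled is an extra check the patch does not contain.

```python
import re

# Flag names accepted by the patch's $cpu_flag alternation.
KNOWN_FLAGS = ("pcid", "spec-ctrl", "ibpb", "ssbd", "virt-ssbd",
               "amd-ssbd", "amd-no-ssb", "pdpe1gb")
_FLAG = r"[+-](?:%s)" % "|".join(re.escape(f) for f in KNOWN_FLAGS)
# Same grammar as the patch's pattern; fullmatch() below anchors it.
FLAGS_RE = re.compile(r"%s(?:;%s)*" % (_FLAG, _FLAG))


def parse_flags(value):
    """Return (enabled, disabled) sets; raise ValueError on anything else."""
    if not FLAGS_RE.fullmatch(value):
        raise ValueError("invalid cpu flags: %r" % value)
    enabled, disabled = set(), set()
    for item in value.split(";"):
        (enabled if item[0] == "+" else disabled).add(item[1:])
    both = enabled & disabled
    if both:  # added check, not part of the patch
        raise ValueError("flag both enabled and disabled: %s" % sorted(both))
    return enabled, disabled


def migration_blockers(value, node_flags):
    """Map node name -> sorted '+' flags that node cannot provide.

    node_flags maps a node name to the set of flags its CPU and microcode
    offer to guests; how that set is collected is outside this sketch.
    """
    enabled, _ = parse_flags(value)
    report = {}
    for node, available in node_flags.items():
        missing = sorted(enabled - set(available))
        if missing:
            report[node] = missing
    return report


# Constructed inventory: pve1 and pve2 share a CPU model, but pve2 runs
# older microcode without ssbd; pve3 is a host from the other vendor.
SAMPLE_NODES = {
    "pve1": {"pcid", "spec-ctrl", "ssbd", "pdpe1gb"},
    "pve2": {"pcid", "spec-ctrl", "pdpe1gb"},
    "pve3": {"ibpb", "virt-ssbd", "amd-ssbd", "pdpe1gb"},
}

if __name__ == "__main__":
    print(migration_blockers("+pcid;+spec-ctrl;+ssbd", SAMPLE_NODES))
```
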