[pve-devel] [PATCH pve-qemu/qemu-server 0/2] intel MDS CVE fixes

Oguz Bektas o.bektas at proxmox.com
Wed Jun 5 14:00:33 CEST 2019


hi

On Wed, Jun 05, 2019 at 12:47:22PM +0200, Thomas Lamprecht wrote:
> On 6/5/19 12:47 PM, Oguz Bektas wrote:
> > On Mon, Jun 03, 2019 at 05:12:48PM +0200, Thomas Lamprecht wrote:
> >> On 6/3/19 3:17 PM, Oguz Bektas wrote:
> >>
> >> looks OK, in general, did you also test live migration? I.e., from node with
> >> current qemu/qemu-server installed to a node with your patches applied?
> > i didn't test live migration, i'll try it out and update today.
> >> vice versa would be interesting too but not too important (we must guarantee
> >> old -> new migration compatibility, and while we try to not actively break new
> >> -> old, sometimes this just cannot be avoided (same policy as QEMU upstream
> >> has)).
> > agreed. i'm on it.
> > 
> 
> Perfect, I'll wait with applying until you report back, thanks!

i've tried live migration both ways (updated -> old & old -> updated)

the migrations work, but the mitigation disappears along with the config
line for the md-clear flag.

from new to old: config file gets parsed with the old version of
qemu-server hence we don't get the cpu line with md-clear flag in the
new config. the mitigation seems to work until you shut down or reboot
the vm, but once you do that it's gone.

from old to new: same thing basically, but we can't have the md-clear
flag enabled with the old qemu-server (*) and it doesn't get automagically
added when we migrate to the new version, must edit config manually.

(*): unless we do a pending change on the config file and then live
migrate.



