[PVE-User] Meltdown/Spectre mitigation options / Intel microcode
Alexandre DERUMIER
aderumier at odiso.com
Tue May 8 18:24:19 CEST 2018
Note that you only need SPEC-CTRL and the latest microcode if your VMs are Windows, or Linux with a kernel without retpoline mitigation.
PCID is only to improve performance (and you need a recent kernel (>4.13 I think) in your VM, because it was not used before).
Setting a vCPU other than kvm64 improves performance too because of INVPCID support (>= Haswell).
Personally, I have upgraded all my Debian VMs to the 4.15 kernel with retpoline + PCID + vCPU model set to the lowest Intel model of my cluster (Xeon v3),
and my Windows VMs with the SPEC-CTRL option + microcode on the Proxmox host.
You can use this script
https://github.com/speed47/spectre-meltdown-checker
to check if your VM is protected or not (with -v verbose to see PCID/INVPCID support).
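As an added illustration (not part of this thread or of the checker script above), the following POSIX shell helper reads the `flags` line of `/proc/cpuinfo` and reports which of the flags discussed here (pcid, invpcid, spec_ctrl, and the kernel-side pti/retpoline entries) are present. Run it on the Proxmox host to see what the hardware/microcode offers, and inside a guest to see what the chosen CPU model and the PCID/SPEC-CTRL options actually exposed; the sample flag strings are constructed, not captured from the poster's machines.

```shell
#!/bin/sh
# Added example: classify a /proc/cpuinfo "flags" line by the flags that
# matter for the Proxmox PCID / SPEC-CTRL CPU options.
# Assumption: Linux /proc/cpuinfo format ("flags : fpu vme ... pcid ...").

# has_flag FLAGS NAME -> exit 0 if NAME appears as a whole word in FLAGS.
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# classify_flags FLAGS -> one line: "PCID:yes INVPCID:no SPEC-CTRL:no PTI:yes RETPOLINE:yes"
classify_flags() {
    flags="$1"
    out=""
    for pair in PCID:pcid INVPCID:invpcid SPEC-CTRL:spec_ctrl PTI:pti RETPOLINE:retpoline; do
        label="${pair%%:*}"
        name="${pair#*:}"
        if has_flag "$flags" "$name"; then v=yes; else v=no; fi
        out="${out}${out:+ }${label}:${v}"
    done
    printf '%s\n' "$out"
}

# advise FLAGS -> short recommendation derived from the thread's reasoning:
#   SPEC-CTRL option needs spec_ctrl on the host (microcode), PCID needs pcid,
#   INVPCID is only reachable with a CPU model other than kvm64.
advise() {
    flags="$1"
    has_flag "$flags" spec_ctrl && s="SPEC-CTRL option usable" || s="SPEC-CTRL option not supported by host (update microcode)"
    has_flag "$flags" pcid      && p="PCID option usable"      || p="PCID option not supported by host"
    has_flag "$flags" invpcid   && i="INVPCID available (use a CPU model other than kvm64)" || i="no INVPCID"
    printf '%s; %s; %s\n' "$s" "$p" "$i"
}

# classify_local -> classify the first flags line of the running system.
classify_local() {
    classify_flags "$(awk -F': ' '/^flags/ {print $2; exit}' /proc/cpuinfo)"
}

# Constructed samples: an older Xeon with stock stretch microcode, and a
# host that has received the spec_ctrl-capable microcode.
SAMPLE_OLD="fpu vme pcid pti retpoline"
SAMPLE_NEW="fpu vme pcid invpcid spec_ctrl pti retpoline"
```

Note that `pti` and `retpoline` in that line are kernel features, as the original post suspects, so their presence says nothing about the CPU or microcode.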
----- Original Message -----
From: "uwe sauter de" <uwe.sauter.de at gmail.com>
To: "proxmoxve" <pve-user at pve.proxmox.com>
Sent: Tuesday 8 May 2018 15:31:52
Subject: [PVE-User] Meltdown/Spectre mitigation options / Intel microcode
Hi all,
I recently discovered that one of the updates since turn of the year introduced options to let the VM know about Meltdown/Spectre
mitigation on the host (VM configuration -> processors -> advanced -> PCID & SPEC-CTRL).
I'm not sure if I understand the documentation correctly so please correct me if I'm wrong with the following:
I have two different CPU types in my cluster, Intel Xeon E5606 and Intel Xeon E5-2670. Both do not have the latest microcode
because I don't have stretch-backports enabled (which provides microcode from 20180312 in contrast to stretch's version from
20170707).
Both have the "pcid" CPU flag, as well as "pti" and "retpoline" (which are not mentioned in the docs and probably show kernel
features and not CPU features). Both *do not* have "spec_ctrl".
All my VMs are configured to use "default (kvm64)" CPUs.
This means that I should manually enable the PCID flag as the kvm64 CPU doesn't set this automatically. But I mustn't enable
SPEC-CTRL because my host hardware doesn't support the feature. Is this correct?
Regards,
Uwe