[PVE-User] Meltdown/Spectre mitigation options / Intel microcode

Alexandre DERUMIER aderumier at odiso.com
Tue May 8 18:24:19 CEST 2018

note that your only need SPEC-CTRL and last microcode, if your vms are windows, or linux with a kernel without retpoline mitigation

PCID is only to improve performance (and you need to recent kernel (>4.13 I think), in your vm, because it was not use before)
setting vcpu other than kvm64, improve performance too because of INVPCID support (>= Haswell)

Personnaly, I have upgraded all my debian to 4.15 kernel with retpoline + PCID + vcpu model set to my lowest intel model of my cluster. (xeon v3)

and my windows vm with SPEC-CTRL option + microcode  on proxmox host

you can use this script

to check if your vm is protected or not.  (with -v verbose to see PCID/INVPCID support)

----- Mail original -----
De: "uwe sauter de" <uwe.sauter.de at gmail.com>
À: "proxmoxve" <pve-user at pve.proxmox.com>
Envoyé: Mardi 8 Mai 2018 15:31:52
Objet: [PVE-User] Meltdown/Spectre mitigation options / Intel microcode

Hi all, 

I recently discovered that one of the updates since turn of the year introduced options to let the VM know about Meltdown/Spectre 
mitigation on the host (VM configuration -> processors -> advanced -> PCID & SPEC-CTRL). 

I'm not sure if I understand the documentation correctly so please correct me if I'm wrong with the following: 

I have two different CPU types in my cluster, Intel Xeon E5606 and Intel Xeon E5-2670. Both do not have the latest microcode 
because I don't have stretch-backports enabled (which provides microcode from 20180312 in contrast to stretch's version from 

Both have the "pcid" CPU flag, as well as "pti" and "retpoline" (whiche are not mentioned in the docs and probably show kernel 
features and not CPU features). Both *do not* have "spec_ctrl". 

All my VMs are configured to use "default (kvm64)" CPUs. 

This means that I should manually enable the PCID flag as the kvm64 CPU doesn't set this automatically. But I mustn't enable 
SPEC-CTRL because my host hardware doesn't support the feature. Is this correct? 


pve-user mailing list 
pve-user at pve.proxmox.com 

More information about the pve-user mailing list