On 8/27/18 7:50 PM, Stefan Priebe - Profihost AG wrote: > I'm using them as a default since 2 weeks. No problems so far. >
for the backend this is probably OK. The GUI part isn't as easy to make sane. So there's all those flags, you have *no* guarantee to have any of them (even if virt-ssbd sounds like it) Intel gets ssbd or not, depending on microcode version (or future CPU models) AMD can have virt-ssbd, and additionally amd-ssbd (the later implies the former, but not vice versa). The pdpe1gb flag is something completely different and not really security related, so I'd add it in another commit.. Problem is with migration, even in a HW homogeneous environment (all CPUs are the same model/revision) a microcode version difference can make it fail. Migration from Intel to AMD or the other way is not possible, but this is the same with the already existing spec-ctrl, AFAIS. So better to make a single SSBD flag in the GUI and map it to whatever we have available at start in the host CPU or make a CPU Flag selector exposing all those options? > > Am 27.08.2018 um 18:01 schrieb Alexandre DERUMIER: >> any comments to add theses cpu flags ? >> >> >> ----- Mail original ----- >> De: "aderumier" <aderum...@odiso.com> >> À: "pve-devel" <pve-devel@pve.proxmox.com> >> Envoyé: Lundi 20 Août 2018 18:26:50 >> Objet: Re: [pve-devel] [PATCH pve-docs] add ibpb, ssbd, virt-ssbd, amd-ssbd, >> amd-no-ssb, pdpe1gb cpu flags >> >> Sorry, it's for qemu-server package. >> >> I'll rework the pve-docs tomorrow, with amd && intel flags >> >> >> ----- Mail original ----- >> De: "Alexandre Derumier" <aderum...@odiso.com> >> À: "pve-devel" <pve-devel@pve.proxmox.com> >> Cc: "Alexandre Derumier" <aderum...@odiso.com> >> Envoyé: Lundi 20 Août 2018 17:53:18 >> Objet: [PATCH pve-docs] add ibpb,ssbd,virt-ssbd,amd-ssbd,amd-no-ssb,pdpe1gb >> cpu flags >> >> see: https://www.berrange.com/tags/ssbd/ >> --- >> PVE/QemuServer.pm | 4 ++-- >> 1 file changed, 2 insertions(+), 2 deletions(-) >> >> diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm >> index 1c0fba2..015f8f7 100644 >> --- a/PVE/QemuServer.pm >> +++ b/PVE/QemuServer.pm >> @@ -155,7 +155,7 @@ my $cpu_vendor_list = { >> max => 'default', >> }; >> >> -my $cpu_flag = qr/[+-](pcid|spec-ctrl)/; >> +my $cpu_flag = >> qr/[+-](pcid|spec-ctrl|ibpb|ssbd|virt-ssbd|amd-ssbd|amd-no-ssb|pdpe1gb)/; >> >> my $cpu_fmt = { >> cputype => { >> @@ -174,7 +174,7 @@ my $cpu_fmt = { >> flags => { >> description => "List of additional CPU flags separated by ';'." >> . " Use '+FLAG' to enable, '-FLAG' to disable a flag." >> - . " Currently supported flags: 'pcid', 'spec-ctrl'.", >> + . " Currently supported flags: 'pcid', 'spec-ctrl', 'ibpb', 'ssbd', >> 'virt-ssbd', 'amd-ssbd', 'amd-no-ssb', 'pdpe1gb'.", >> format_description => '+FLAG[;-FLAG...]', >> type => 'string', >> pattern => qr/$cpu_flag(;$cpu_flag)*/, >> > _______________________________________________ > pve-devel mailing list > pve-devel@pve.proxmox.com > https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel > _______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
