On 28.08.2018 at 10:47, Thomas Lamprecht wrote:
> On 8/27/18 7:50 PM, Stefan Priebe - Profihost AG wrote:
>> I'm using them as a default since 2 weeks. No problems so far.
>>
>
> for the backend this is probably OK.
>
> The GUI part isn't as easy to make sane.
>
> So there's all those flags, you have *no* guarantee to have any of them
> (even if virt-ssbd sounds like it)
> Intel gets ssbd or not, depending on microcode version (or future
> CPU models)
> AMD can have virt-ssbd, and additionally amd-ssbd (the latter implies
> the former, but not vice versa).
>
> The pdpe1gb flag is something completely different and not really security
> related, so I'd add it in another commit.
>
> Problem is with migration, even in a HW homogeneous environment (all CPUs
> are the same model/revision) a microcode version difference can make it fail.
>
> Migration from Intel to AMD or the other way is not possible, but this is
> the same with the already existing spec-ctrl, AFAIS.
>
> So better to make a single SSBD flag in the GUI and map it to whatever we
> have available at start in the host CPU or make a CPU Flag selector exposing
> all those options?

I've handled it differently and made a datacenter option on my own out of them. So I can set default cpu flags for each proxmox datacenter. They're added to the customer ones.

Not sure if this is something to work for PVE in general.

Greets.
Stefan

>
>>
>> On 27.08.2018 at 18:01, Alexandre DERUMIER wrote:
>>> any comments to add these cpu flags ?
>>>
>>>
>>> ----- Original message -----
>>> From: "aderumier" <aderum...@odiso.com>
>>> To: "pve-devel" <pve-devel@pve.proxmox.com>
>>> Sent: Monday 20 August 2018 18:26:50
>>> Subject: Re: [pve-devel] [PATCH pve-docs] add ibpb, ssbd, virt-ssbd, amd-ssbd, amd-no-ssb, pdpe1gb cpu flags
>>>
>>> Sorry, it's for qemu-server package.
>>>
>>> I'll rework the pve-docs tomorrow, with amd && intel flags
>>>
>>>
>>> ----- Original message -----
>>> From: "Alexandre Derumier" <aderum...@odiso.com>
>>> To: "pve-devel" <pve-devel@pve.proxmox.com>
>>> Cc: "Alexandre Derumier" <aderum...@odiso.com>
>>> Sent: Monday 20 August 2018 17:53:18
>>> Subject: [PATCH pve-docs] add ibpb,ssbd,virt-ssbd,amd-ssbd,amd-no-ssb,pdpe1gb cpu flags
>>>
>>> see: https://www.berrange.com/tags/ssbd/
>>> --- >>> PVE/QemuServer.pm | 4 ++-- >>> 1 file changed, 2 insertions(+), 2 deletions(-) >>> >>> diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm >>> index 1c0fba2..015f8f7 100644 >>> --- a/PVE/QemuServer.pm >>> +++ b/PVE/QemuServer.pm >>> @@ -155,7 +155,7 @@ my $cpu_vendor_list = { >>> max => 'default', >>> }; >>> >>> -my $cpu_flag = qr/[+-](pcid|spec-ctrl)/; >>> +my $cpu_flag = >>> qr/[+-](pcid|spec-ctrl|ibpb|ssbd|virt-ssbd|amd-ssbd|amd-no-ssb|pdpe1gb)/; >>> >>> my $cpu_fmt = { >>> cputype => { 
>>> @@ -174,7 +174,7 @@ my $cpu_fmt = { >>> flags => { >>> description => "List of additional CPU flags separated by ';'." >>> . " Use '+FLAG' to enable, '-FLAG' to disable a flag." >>> - . " Currently supported flags: 'pcid', 'spec-ctrl'.", >>> + . " Currently supported flags: 'pcid', 'spec-ctrl', 'ibpb', 'ssbd', >>> 'virt-ssbd', 'amd-ssbd', 'amd-no-ssb', 'pdpe1gb'.", >>> format_description => '+FLAG[;-FLAG...]', >>> type => 'string', >>> pattern => qr/$cpu_flag(;$cpu_flag)*/, >>>
>> _______________________________________________
>> pve-devel mailing list
>> pve-devel@pve.proxmox.com
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
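
Review bot: in the first hunk (@@ -155,7 +155,7 @@), the flag names on the "+my $cpu_flag =" line now have to be kept in sync by hand with the description string changed in the second hunk; defining the names once and building both the alternation and the "Currently supported flags" text from that one list would keep them from drifting apart. The same line also adds pdpe1gb alongside the ssbd-related flags, and the thread points out it is not security related, so it would be cleaner as a separate commit with its own message.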
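
Review bot: in the second hunk (@@ -174,7 +174,7 @@), the new "Currently supported flags" description lists eight names without saying that several of them depend on the host CPU vendor and microcode version, which the thread identifies as the reason a guest start or a migration can fail; a short clause stating that availability depends on the host CPU would save users from guessing. The context line "pattern => qr/$cpu_flag(;$cpu_flag)*/" shows no ^ or $ anchors in the visible lines, so it is worth confirming that the schema validator anchors the match, because otherwise a value with arbitrary text after one valid flag would still be accepted.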