> If you disable Spectre protection in the Windows VM, then it is not protected from Spectre. The hypervisor protects itself, and exposes the CPU feature(s) that enable the guest to activate its own protection. The hypervisor won't protect the guest directly - it just gives it the tools needed to protect itself.
Thanks for the indepth explanation. In other words, Spectre protection inside the Windows VM needs to be enabled to work. The only problem is that Windows (or a Linux VM for that matter) either 1. does not recognize some CPU features (as introduced by the microcode on the host); 2. uses code to mitigate the Spectre vulnerability that doesn't work well inside a VM. Since I have a comparison versus Windows bare metal with Spectre protection enabled, there might be something that needs improving in the hypervisor. In any case, Spectre protection has to be enabled in the Windows VM to be effective, which is a real bummer considering the performance penalty. Any chance someone can look into the why there is this performance hit ONLY inside the qemu-kvm VM? Maybe there is a solution to it. -- You received this bug notification because you are a member of qemu- devel-ml, which is subscribed to QEMU. https://bugs.launchpad.net/bugs/1788665 Title: Low 2D graphics performance with Windows 10 (1803) VGA passthrough VM using "Spectre" protection Status in QEMU: New Bug description: Windows 10 (1803) VM using VGA passthrough via qemu script. After upgrading Windows 10 Pro VM to version 1803, or possibly after applying the March/April security updates from Microsoft, the VM would show low 2D graphics performance (sluggishness in 2D applications and low Passmark results). Turning off Spectre vulnerability protection in Windows remedies the issue. Expected behavior: qemu/kvm hypervisor to expose firmware capabilities of host to guest OS - see https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms Background: Starting in March or April Microsoft began to push driver updates in their updates / security updates. See https://support.microsoft.com /en-us/help/4073757/protect-your-windows-devices-against-spectre- meltdown One update concerns the Intel microcode - see https://support.microsoft.com/en-us/help/4100347. It is activated by default within Windows. Once the updates are applied within the Windows guest, 2D graphics performance drops significantly. Other performance benchmarks are not affected. A bare metal Windows installation does not display a performance loss after the update. See https://heiko-sieger.info/low-2d-graphics- benchmark-with-windows-10-1803-kvm-vm/ Similar reports can be found here: https://www.reddit.com/r/VFIO/comments/97unx4/passmark_lousy_2d_graphics_performance_on_windows/ Hardware: 6 core Intel Core i7-3930K (-MT-MCP-) Host OS: Linux Mint 19/Ubuntu 18.04 Kernel: 4.15.0-32-generic x86_64 Qemu: QEMU emulator version 2.11.1 Intel microcode (host): 0x714 dmesg | grep microcode [ 0.000000] microcode: microcode updated early to revision 0x714, date = 2018-05-08 [ 2.810683] microcode: sig=0x206d7, pf=0x4, revision=0x714 [ 2.813340] microcode: Microcode Update Driver: v2.2. Note: I manually updated the Intel microcode on the host from 0x713 to 0x714. However, both microcode versions produce the same result in the Windows guest. Guest OS: Windows 10 Pro 64 bit, release 1803 To manage notifications about this bug go to: https://bugs.launchpad.net/qemu/+bug/1788665/+subscriptions