author Zuul <zuul@review.openstack.org> 2018-10-03 15:14:55 +0000
committer Gerrit Code Review <review@openstack.org> 2018-10-03 15:14:56 +0000
commit 85d63074dc6444fae2dff9bba4a4d3b6bef9e174 (patch)
tree 50388c6fb16bdbfa846ecb76679066dc012023d3
parent 3537a09d6087c76d45a5dccbdc46e1bf20f150ae (diff)
parent c85f5e22e1cb8afd756341517bd7284ffc8e505b (diff)
download nova-85d63074dc6444fae2dff9bba4a4d3b6bef9e174.tar.gz
Merge "[Stable Only] Add amd-ssbd and amd-no-ssb CPU flags" into stable/ocata
-rw-r--r-- nova/conf/libvirt.py 16
-rw-r--r-- releasenotes/notes/libvirt-cpu-model-extra-flags-amd-ssbd-1c0d0cec14073dec.yaml 8
2 files changed, 17 insertions, 7 deletions
diff --git a/nova/conf/libvirt.py b/nova/conf/libvirt.py
index 5c6b801cb5..491f3604fb 100644
--- a/nova/conf/libvirt.py
+++ b/nova/conf/libvirt.py
@@ -520,7 +520,7 @@ Related options:
cfg.ListOpt(
'cpu_model_extra_flags',
item_type=types.String(
- choices=['pcid', 'ssbd', 'virt-ssbd'],
+ choices=['pcid', 'ssbd', 'virt-ssbd', 'amd-ssbd', 'amd-no-ssb'],
ignore_case=True,
),
default=[],
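Review bot: at the `choices=` line, `ignore_case=True` means values such as `AMD-SSBD` are accepted, and the release note in this change spells the flags in upper case; please confirm that the consumer of `cpu_model_extra_flags` lower-cases each item before using it as a CPU feature name, since that code is not part of this diff. With vendor-specific flags now in the same list as `ssbd` and `virt-ssbd`, a short comment here marking which entries are for AMD hosts would help whoever extends the allowlist next.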
@@ -536,11 +536,11 @@ virtual CPU model::
cpu_model_extra_flags = pcid
Currently, the choice is restricted to a few options: ``pcid``,
-``ssbd``, and ``virt-ssbd`` (the options are case-insensitive, so
-``PCID`` is also valid, for example). These flags are now required to
-address the guest performance degradation as a result of applying the
-"Meltdown" CVE fixes (``pcid``) and exposure mitigation (``ssbd`` and
-``virt-ssbd``) on affected CPU models.
+``ssbd``, ``virt-ssbd``, ``amd-ssbd``, and ``amd-no-ssb`` (the options
+are case-insensitive, so ``PCID`` is also valid, for example). These
+flags are now required to address the guest performance degradation as
+a result of applying the "Meltdown" CVE fixes (``pcid``) and exposure
+mitigation (``ssbd`` and related options) on affected CPU models.
Note that when using this config attribute to set the 'PCID' and
related CPU flags, not all virtual (i.e. libvirt / QEMU) CPU models
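Review bot: in the rewritten paragraph, "exposure mitigation (``ssbd`` and related options)" no longer tells the operator which flag to pick. The help now lists five choices but does not say that `amd-ssbd` and `amd-no-ssb` are meant for AMD CPUs (only the release note does), nor how they differ from `virt-ssbd`. Suggest one sentence per new flag, or at least naming the AMD pair explicitly inside the parenthesis.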
@@ -554,13 +554,15 @@ need it:
even if the host CPUs by the same name include it. I.e. 'PCID' needs
to be explicitly specified when using the said virtual CPU models.
-For more information about ``ssbd`` and ``virt-ssbd`` applicability,
+For more information about ``ssbd`` and related options,
please refer to the following security updates:
https://www.us-cert.gov/ncas/alerts/TA18-141A
https://www.redhat.com/archives/libvir-list/2018-May/msg01562.html
+https://www.redhat.com/archives/libvir-list/2018-June/msg01111.html
+
For now, the ``cpu_model_extra_flags`` config attribute is valid only in
combination with ``cpu_mode`` + ``cpu_model`` options.
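Review bot: the lead-in "For more information about ``ssbd`` and related options" is vague in the same way as the paragraph above; name the flags so that a search of the help text for `amd-ssbd` lands here, next to the June libvir-list link that was added for them. Minor: the bare `+` line after the new URL looks like it may leave a double blank line before "For now"; drop it if so.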
diff --git a/releasenotes/notes/libvirt-cpu-model-extra-flags-amd-ssbd-1c0d0cec14073dec.yaml b/releasenotes/notes/libvirt-cpu-model-extra-flags-amd-ssbd-1c0d0cec14073dec.yaml
new file mode 100644
index 0000000000..5d8e9d54ed
--- /dev/null
+++ b/releasenotes/notes/libvirt-cpu-model-extra-flags-amd-ssbd-1c0d0cec14073dec.yaml
@@ -0,0 +1,8 @@
+---
+security:
+ - |
+ The 'AMD-SSBD' and 'AMD-NO-SSB' flags have been added to the list of available
+ choices for the ``[libvirt]/cpu_model_extra_flags`` config option. These are
+ important for proper mitigation of security issues in AMD CPUs. For more
+ information see
+ https://www.redhat.com/archives/libvir-list/2018-June/msg01111.html \ No newline at end of file
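Review bot: the note body writes the flags as 'AMD-SSBD' and 'AMD-NO-SSB', while the values added to `choices` in `nova/conf/libvirt.py` are `amd-ssbd` and `amd-no-ssb`; use the literal lower-case values in double backticks, the way ``[libvirt]/cpu_model_extra_flags`` is marked up on the following line, so the note matches the documented values. The note also does not say what an operator should do (which of the two flags to set, and on which hosts), and the file is missing its trailing newline.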