diff options
author | Pavel Hrdina <phrdina@redhat.com> | 2019-03-29 10:22:08 +0100 |
---|---|---|
committer | Pavel Hrdina <phrdina@redhat.com> | 2019-04-04 11:49:29 +0200 |
commit | 29f815fbd23082dff79d2d716e32a644b5a15d4a (patch) | |
tree | afcf8e2ea9f55eb35abee3dd02cc0129c8aff787 /virtinst/domcapabilities.py | |
parent | c6b5f22fa61d87557b5fab23be080073d2f7906e (diff) | |
download | virt-manager-29f815fbd23082dff79d2d716e32a644b5a15d4a.tar.gz |
domcapabilities: remove recommended CPU features from security features
These features are only recommended to be enabled since they improve
performance of the VMs if security features are enabled.
pcid is a very useful perf feature, but missing in some silicon
so not portable.
pdpe1gb lets the guest use 1 GB pages which is good for perf
but again not all silicon can do it.
amd-ssbd is a security feature which fixes the same SSBD flaws as the
virt-ssbd feature does. virt-ssbd is usable across all CPU models
affected by SSBD, while amd-ssbd is only available in very new silicon.
So virt-ssbd is the bette rchoice.
amd-no-ssb just indicates that the CPU is not affected by SSBD, so not
critical to expose. I expect a future named CPU model will include that
where appropriate.
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Diffstat (limited to 'virtinst/domcapabilities.py')
-rw-r--r-- | virtinst/domcapabilities.py | 6 |
1 files changed, 1 insertions, 5 deletions
diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py index d1b0f4ed..72844512 100644 --- a/virtinst/domcapabilities.py +++ b/virtinst/domcapabilities.py @@ -274,14 +274,10 @@ class DomainCapabilities(XMLBuilder): def get_cpu_security_features(self): sec_features = [ - 'pcid', 'spec-ctrl', 'ssbd', - 'pdpe1gb', 'ibpb', - 'virt-ssbd', - 'amd-ssbd', - 'amd-no-ssb'] + 'virt-ssbd'] features = [] |