From 29f815fbd23082dff79d2d716e32a644b5a15d4a Mon Sep 17 00:00:00 2001
From: Pavel Hrdina <phrdina@redhat.com>
Date: Fri, 29 Mar 2019 10:22:08 +0100
Subject: domcapabilities: remove recommended CPU features from security
 features
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

These features are only recommended to be enabled since they improve
performance of the VMs if security features are enabled.

pcid is a very useful perf feature, but missing in some silicon
so not portable.

pdpe1gb lets the guest use 1 GB pages which is good for perf
but again not all silicon can do it.

amd-ssbd is a security feature which fixes the same SSBD flaws as the
virt-ssbd feature does. virt-ssbd is usable across all CPU models
affected by SSBD, while amd-ssbd is only available in very new silicon.
So virt-ssbd is the bette rchoice.

amd-no-ssb just indicates that the CPU is not affected by SSBD, so not
critical to expose. I expect a future named CPU model will include that
where appropriate.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
---
 virtinst/domcapabilities.py | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

(limited to 'virtinst/domcapabilities.py')

diff --git a/virtinst/domcapabilities.py b/virtinst/domcapabilities.py
index d1b0f4ed..72844512 100644
--- a/virtinst/domcapabilities.py
+++ b/virtinst/domcapabilities.py
@@ -274,14 +274,10 @@ class DomainCapabilities(XMLBuilder):
 
     def get_cpu_security_features(self):
         sec_features = [
-                'pcid',
                 'spec-ctrl',
                 'ssbd',
-                'pdpe1gb',
                 'ibpb',
-                'virt-ssbd',
-                'amd-ssbd',
-                'amd-no-ssb']
+                'virt-ssbd']
 
         features = []
 
-- 
cgit v1.2.1