KSM exposes a guest's virtual memory to side-channel attacks. Add a VM
configuration option to disable KSM for specific VMs that need to be
protected against such attacks. This makes it possible to still
benefit from KSM for other processes on the host rather than needing
to turn of KSM completely.
Signed-off-by: Fiona Ebner <f.eb...@proxmox.com>
---
PVE/QemuServer.pm | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/PVE/QemuServer.pm b/PVE/QemuServer.pm
index 808c0e1c..018cdf18 100644
--- a/PVE/QemuServer.pm
+++ b/PVE/QemuServer.pm
@@ -723,6 +723,13 @@ EODESCR
description => "List of host cores used to execute guest processes, for
example: 0,5,8-11",
optional => 1,
},
+ 'allow-ksm' => {
+ type => 'boolean',
+ description => "Allow memory pages of this guest to be merged via KSM
(Kernel Samepage"
+ ." Merging).",
+ optional => 1,
+ default => 1,
+ },
};
my $cicustom_fmt = {
@@ -3994,6 +4001,8 @@ sub config_to_command {
push @$machineFlags, 'confidential-guest-support=sev0';
}
+ push @$machineFlags, 'mem-merge=off' if defined($conf->{'allow-ksm'}) &&
!$conf->{'allow-ksm'};
+
push @$cmd, @$devices;
push @$cmd, '-rtc', join(',', @$rtcFlags) if scalar(@$rtcFlags);
push @$cmd, '-machine', join(',', @$machineFlags) if
scalar(@$machineFlags);
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
