Hi Stefan,
thanks for the info!

>>At least ssbd is important for guest to mitigate CVE-2018-3639.

This needs qemu 3.0 :/

https://wiki.qemu.org/ChangeLog/3.0

"The 'ssbd', 'virt-ssbd', 'amd-ssbd' and 'amd-no-ssb' CPU feature flags are added in relation to the "Speculative Store Bypass" hardware vulnerability (CVE-2018-3639)"

Maybe we can try to backport them?

https://git.qemu.org/?p=qemu.git;a=commit;h=403503b162ffc33fb64cfefdf7b880acf41772cd
https://git.qemu.org/?p=qemu.git;a=commit;h=d19d1f965904a533998739698020ff4ee8a103da
https://git.qemu.org/?p=qemu.git;a=commit;h=403503b162ffc33fb64cfefdf7b880acf41772cd

>>It also seems to make sense to enable pdpe1gb

Is it related to a vulnerability?

It's already possible to use hugepages currently with "hugepages: <1024 | 2 | any>". But it's only on the qemu/host side. I think pdpe1gb exposes hugepages inside the guest, right?

----- Original message -----
From: "Stefan Priebe, Profihost AG" <s.pri...@profihost.ag>
To: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Friday, 17 August 2018 13:30:10
Subject: [pve-devel] missing cpu flags? (CVE-2018-3639)

Hello,

after researching l1tf mitigation for qemu and reading
https://www.berrange.com/posts/2018/06/29/cpu-model-configuration-for-qemu-kvm-on-x86-hosts/

It seems pve misses at least the following cpu flag:
ssbd

It also seems to make sense to enable pdpe1gb

At least ssbd is important for guest to mitigate CVE-2018-3639.

Greets,
Stefan

Excuse my typo sent from my mobile phone.

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel