2018-01-18 18:49 GMT+08:00 Daniel P. Berrange <berra...@redhat.com>:

> On Thu, Jan 18, 2018 at 06:38:57PM +0800, Li Qiang wrote:
> > Hi Paolo, all,
> >
> > I have a question about the Intel microcode update for Spectre variant #2.
> > From my understanding, there is no need to update the microcode of VMs
> > because the kvm has exposed the SPEC_CTL and PRED_CMD to the guest.
> > Also, if we need to update the microcode in guest, who is the vendor for
> > this.
> > From the hyper-v, I think I'm right.
> > -->
> > https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms
> >
> > But upon I update the centos guest, the host kvm/qemu has been updated.
> > The IBPB_ENABLED and IBRS_ENABLED are both zero if I don't update the
> > microcode in the guest.
> > If I update the guest microcode, they are both 1.
> >
> > So I want to know, if I should update the microcode in guest.
> > If the answer is Yes, then what about the Windows guest, how to update the
> > microcode?
>
> Microcode updates are only applicable to the physical CPUs seen by the
> host. There is no concept of microcode for virtual CPUs in the guest. The
> guest merely sees whatever CPU feature the hypervisor has permitted it to
> see. IOW, as described in that microsoft link, you need to
>
>  - Update microcode and/or firmware in host
>  - Update host hypervisor software
>  - Change hypervisor config for each guest to enable new CPU features
>  - Update guest software (kernel)
>  - Cold boot (ie fully shutoff, and then power on) the guest

You are right. I have made a mistake, the test guest centos doesn't
schedule to the host which I have updated the kvm/qemu.

Thanks!
Li Qiang

> Regards,
> Daniel
> --
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
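
A guest-side check for the point made in the thread above, that the guest only sees the CPU features the hypervisor has permitted. This is an added example, not part of the original messages; the flag names in WANTED are assumptions that vary between kernel builds, and the debugfs files are assumed to be the RHEL/CentOS tunables behind the IBRS_ENABLED and IBPB_ENABLED values mentioned in the thread.

```shell
#!/bin/sh
# Added example: report what speculation-control features this guest sees.
# Assumed flag names; RHEL-family kernels use spec_ctrl / ibpb_support,
# other kernels may show ibrs / ibpb / stibp instead.
WANTED="spec_ctrl ibrs ibpb ibpb_support stibp"

# Print the WANTED flags present in a cpuinfo-format file (first CPU only).
exposed_flags() {
    flags=$(sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' "$1" | head -n 1)
    found=""
    for want in $WANTED; do
        for f in $flags; do
            if [ "$f" = "$want" ]; then found="$found $want"; fi
        done
    done
    echo "${found# }"
}

# "exposed" when the vCPU advertises the new features; "hidden" when the
# host microcode, hypervisor or per-guest CPU config has not enabled them.
guest_view() {
    if [ -n "$(exposed_flags "$1")" ]; then echo exposed; else echo hidden; fi
}

# Read a runtime tunable from debugfs (needs root and a mounted debugfs).
# Prints "unavailable" on kernels that do not provide the file.
tunable() {
    dir=${2:-/sys/kernel/debug/x86}
    if [ -r "$dir/$1" ]; then cat "$dir/$1"; else echo unavailable; fi
}

# Constructed sample: guest whose hypervisor config was not changed.
sample_hidden() { printf 'processor\t: 0\nflags\t\t: fpu vme sse2 avx2\n'; }
# Constructed sample: same guest after the host-side steps and a cold boot.
sample_exposed() {
    printf 'processor\t: 0\nflags\t\t: fpu vme sse2 avx2 spec_ctrl ibpb_support\n'
}

cpuinfo=${1:-/proc/cpuinfo}
if [ -r "$cpuinfo" ]; then
    echo "vCPU view:    $(guest_view "$cpuinfo") [$(exposed_flags "$cpuinfo")]"
    echo "ibrs_enabled: $(tunable ibrs_enabled)"
    echo "ibpb_enabled: $(tunable ibpb_enabled)"
fi
```

A "hidden" result with tunables at 0 points at the host side of the list above (microcode, hypervisor software, per-guest CPU config, cold boot) or at which host the guest is actually running on, not at anything to install in the guest.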