On 14.02.2018 10:18, Christian Borntraeger wrote: > > > On 02/14/2018 10:11 AM, Cornelia Huck wrote: >> On Tue, 13 Feb 2018 18:11:05 -0600 >> Michael Roth <mdr...@linux.vnet.ibm.com> wrote: >> >>> This blog entry is intended as a follow-up to the original entry in >>> January regarding Spectre/Meltdown and the proposed changes to address >>> them in the upcoming 2.11.1 release. >>> >>> This entry is meant to accompany the 2.11.1 release (planned for >>> 2018-02-14) and document how to make use of the new options for >>> various architectures. >>> >>> Cc: Eduardo Habkost <ehabk...@redhat.com> >>> Cc: Paolo Bonzini <pbonz...@redhat.com> >>> Cc: Peter Maydell <peter.mayd...@linaro.org> >>> Cc: Suraj Jitindar Singh <sjitindarsi...@gmail.com> >>> Cc: David Gibson <da...@gibson.dropbear.id.au> >>> Cc: Christian Borntraeger <borntrae...@de.ibm.com> >>> Cc: Cornelia Huck <coh...@redhat.com> >>> Cc: Thomas Huth <th...@redhat.com> >>> Signed-off-by: Michael Roth <mdr...@linux.vnet.ibm.com> >>> --- >>> >>> The pseries/s390 bits have gotten some initial review (thanks >>> Suraj/Christian), >>> but it can definitely use some additional review on the x86 side of things. >>> >>> Also, Peter, if you think anything extra should be mentioned on the ARM side >>> just >>> let me know what to add. >>> >>> .../2018-02-14-qemu-2-11-1-and-spectre-update.md | 180 >>> +++++++++++++++++++++ >>> 1 file changed, 180 insertions(+) >>> create mode 100644 _posts/2018-02-14-qemu-2-11-1-and-spectre-update.md >> >> [some comments/questions regarding s390 cpu models, adding DavidH on cc:] >> >>> +## enabling mitigations for s390 KVM guests >>> + >>> +For s390 guests there are 2 CPU options relating to Spectre/Meltdown: >> >> s/options/feature bits/ ? 
>> >>> + >>> +* bpb: Branch prediction blocking >>> +* ppa15: PPA15 is installed >>> + >>> +**bpb** requires a host kernel patched with: >>> + >>> + commit 35b3fde6203b932b2b1a5b53b3d8808abc9c4f60 >>> + KVM: s390: wire up bpb feature >>> + >>> +and both **bpb** and **ppa15** require a firmware with the appropriate >>> support >>> +level as well as guest kernel patches to enable the functionality within >>> +guests. Please check with your distro/vendor to confirm. >>> + >>> +Both **bpb** and **ppa15** are enabled by default with newer/patched host >>> +kernels, and can also be set manually. For example: >>> + >>> + qemu-system-s390x -M s390-ccw-virtio-2.11 ... \ >>> + -cpu zEC12,bpb=on,ppa15=on >> >> Do we also want to add that bpb/ppa15 are on if you use the _full_ >> model (as opposed to the _base_ model)? Or is this going into too much >> detail about the cpu model? > > full model is just an internal implementation. > Either use > - host passthrough > - host model > - add bpb and ppa15 manually to the chosen model (e.g. z13,bpb=on,ppa15=on)
Ack. They won't be enabled by existing base (e.g. z13-base) or default (e.g. z13) CPU models. The full models are internal only.

So "-cpu host" or "-cpu [MODEL],bpb=on,ppa15=on" are the only two options on the QEMU command line level.

-- 
Thanks,

David / dhildenb
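
Review bot: In the s390 section, the sentence "Both **bpb** and **ppa15** are enabled by default with newer/patched host kernels" does not say which -cpu settings that default applies to, and the replies in this thread state that base (z13-base) and default (z13) models do not enable the bits. Suggest spelling out that the bits are present with "-cpu host" (host passthrough or host model) and otherwise have to be added to the chosen model, as in the "-cpu zEC12,bpb=on,ppa15=on" example. The introductory "2 CPU options" could also read "2 CPU feature bits", as already proposed in the thread, so that it is not confused with command-line options.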
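
The rule stated in the replies above, as an added shell example that is not part of the original thread or of QEMU: it classifies the `-cpu` value of a qemu-system-s390x command line as `host`, `explicit` (both bits on) or `missing:<bits>`. The function names, the output strings and the handling of `=off` are assumptions of this example, and the sample command lines are constructed.

```shell
#!/bin/sh
# Added example, not QEMU code. Sample command lines below are constructed.

# cpu_arg ARGS... : print the value of the last "-cpu" argument (empty if none).
cpu_arg() {
    val=""
    while [ $# -gt 0 ]; do
        if [ "$1" = "-cpu" ] && [ $# -ge 2 ]; then val=$2; shift; fi
        shift
    done
    printf '%s\n' "$val"
}

# check_s390_cpu SPEC : classify "MODEL[,feature=on|off...]".
check_s390_cpu() {
    spec=$1; model=${spec%%,*}
    bpb=unset; ppa15=unset
    old_ifs=$IFS; IFS=,
    for opt in $spec; do
        case $opt in
            bpb=on|bpb=off)     bpb=${opt#bpb=} ;;
            ppa15=on|ppa15=off) ppa15=${opt#ppa15=} ;;
        esac
    done
    IFS=$old_ifs
    # With "-cpu host", a bit that is not set explicitly comes from the host.
    if [ "$model" = host ]; then
        if [ "$bpb" = unset ]; then bpb=host; fi
        if [ "$ppa15" = unset ]; then ppa15=host; fi
    fi
    missing=""
    if [ "$bpb" != on ] && [ "$bpb" != host ]; then missing=bpb; fi
    if [ "$ppa15" != on ] && [ "$ppa15" != host ]; then missing=${missing:+$missing,}ppa15; fi
    if [ -n "$missing" ]; then echo "missing:$missing"
    elif [ "$bpb" = host ] || [ "$ppa15" = host ]; then echo host
    else echo explicit
    fi
}

# Constructed command lines covering the cases discussed in the thread.
for cmd in "-M s390-ccw-virtio-2.11 -cpu zEC12,bpb=on,ppa15=on" \
           "-M s390-ccw-virtio-2.11 -cpu z13" \
           "-M s390-ccw-virtio-2.11 -cpu host"; do
    # shellcheck disable=SC2086  # word splitting of $cmd is intended
    printf '%-55s -> %s\n' "$cmd" "$(check_s390_cpu "$(cpu_arg $cmd)")"
done
```

A `host` result only means the bits follow the host; per the patch text they still depend on host kernel, firmware and guest kernel support.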