On 15.07.2024 10:48, Fonyuy-Asheri Caleb wrote:
>>>> On 15.07.2024 09:38, Fonyuy-Asheri Caleb wrote:
>>>>>> Perhaps the more important question, are you booting the skylake with
>>>>>> cpuid=no-avx on the command line by any chance?
>>>>>
>>>>> No. I didn't boot any of the machines with any cpuid modification
>>>>> whatsoever.
>>>>
>>>> Yet is there perhaps "Mitigating GDS by disabling AVX" in the boot log of
>>>> the hypervisor (which sadly so far you didn't supply anywhere afaics)?
>>>
>>> I didn't notice that. Unfortunately I no longer have access to the logs
>>> to check since I was working on resources I reserved for a limited
>>> period.
>>>
>>> However, do you mind telling me what this would mean for my environment?
>>
>> Hard to tell, depending on what exactly you use that environment for. If
>> I'm not mistaken (Andrew will surely correct me if I'm wrong), the best
>> you can do is have such systems run with up-to-date microcode. Which of
>> course requires you have control over the physical system (to update
>> firmware) or at least the hypervisor (to hand it a microcode blob to load
>> while booting). If you had control over only the command line, you could
>> also choose to ignore the vulnerability and request AVX not to be turned
>> off ("spec-ctrl=no-gds-mit"). Yet of course you wouldn't want to do this
>> if you were running any not fully trusted guests.
> 
> Quick verification: cpuid=no-avx and spec-ctrl=no-gds-mit are options
> passed to grub, right?

They're options passed to Xen. If you use grub as the boot loader, then
they would need putting _in_ respective grub config files / scripts.

Jan
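
A way to check the two things asked about in this thread (the "Mitigating GDS by disabling AVX" boot message and the two Xen command-line options), as an added example that is not part of the original mail or of Xen. The function names, result strings and sample log are constructed for illustration; on a real host the inputs would come from `xl dmesg` and the `xen_commandline` field of `xl info`.

```sh
#!/bin/sh
# Added example: report why AVX may be hidden on a Xen host, using the
# hypervisor boot log (stdin) and the Xen command line ($1).

# has_subopt "<cmdline>" <key> <value>: true if key=...,value,... is present.
has_subopt() {
    for word in $1; do
        case "$word" in
            "$2="*)
                rest=${word#"$2="}
                case ",$rest," in *",$3,"*) return 0 ;; esac ;;
        esac
    done
    return 1
}

# gds_avx_status "<xen cmdline>" < boot-log
gds_avx_status() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'Mitigating GDS by disabling AVX'; then
        # Xen itself turned AVX off as its GDS mitigation.
        echo "avx-off-gds-mitigation"
    elif has_subopt "$1" cpuid no-avx; then
        # AVX was hidden on request via the Xen command line.
        echo "avx-off-cmdline"
    elif has_subopt "$1" spec-ctrl no-gds-mit; then
        # The administrator asked Xen not to apply the GDS mitigation.
        echo "gds-mitigation-disabled"
    else
        echo "no-indication"
    fi
}

# Constructed sample boot log (not captured from a real machine).
SAMPLE_LOG='(XEN) constructed sample line
(XEN) Mitigating GDS by disabling AVX'

printf '%s\n' "$SAMPLE_LOG" | gds_avx_status ""

# On a real host (run as root in dom0):
#   xl dmesg | gds_avx_status "$(xl info | sed -n 's/^xen_commandline *: //p')"
```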
