On Tue, May 15, 2018 at 05:52:14PM +0100, Ben Hutchings wrote: > In order to support Spectre v2 mitigation in Windows guests, I believe > the microcoded mitigation features (IBPB and IBRS) need to be exposed > to them. This may also be useful for Linux guests using OVMF, unless > it is rebuilt with the retpoline mitigation. > > The kernel side of this in KVM was already implemented in version > 4.9.82-1+deb9u1, although the microcode updates are not yet in stable. > > libvirt and qemu (and maybe other related packages) also need to be > updated so that they recognise and enable the new CPU feature bits for > guests. Is this likely to be doable?
With <cpu mode='host-passthrough'/> libvirt should already work iff qemu handles ibpb and ibrs (1.12.0 and 1.11.1 onward according to ¹). I've just tested this on sid with 1.12 and Westmere-IBRS and the recent microcode update. For stable we need to update libvirt's cpu_map.xml to support non host-passthrough configuration. E.g. virt-manager uses host-model which needs an updated cpu_map.xml. Cheers, -- Guido ¹) https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/
