On Wed, 14 Feb 2018 10:05:24 +0100 Thomas Huth <th...@redhat.com> wrote:
> On 14.02.2018 01:11, Michael Roth wrote: > > +## enabling mitigations for s390 KVM guests > > + > > +For s390 guests there are 2 CPU options relating to Spectre/Meltdown: > > + > > +* bpb: Branch prediction blocking > > +* ppa15: PPA15 is installed > > + > > +**bpb** requires a host kernel patched with: > > + > > + commit 35b3fde6203b932b2b1a5b53b3d8808abc9c4f60 > > + KVM: s390: wire up bpb feature > > + > > +and both **bpb** and **ppa15** require a firmware with the appropriate > > support > > +level as well as guest kernel patches to enable the functionality within > > +guests. Please check with your distro/vendor to confirm. > > + > > +Both **bpb** and **ppa15** are enabled by default with newer/patched host > > +kernels, and can also be set manually. For example: > > + > > + qemu-system-s390x -M s390-ccw-virtio-2.11 ... \ > > + -cpu zEC12,bpb=on,ppa15=on > > IIRC we only enable them by default with "-cpu host" ? Cornelia, David, > Christian, can you confirm? -cpu host enables them if present, as does specifying the full model (which will fail if not present on the host). > So maybe better rephrase the above to: > > Both **bpb** and **ppa15** are enabled by default when using "-cpu host" > and when the host kernels supports these facilities. For other CPU "and when both the host hardware and the host kernel supports..." ? (Although that's still a bit misleading, as we only require the bpb KVM interface; otherwise, the controls are pretty much independent from what the host is doing IIUC.) > models, the flags have to be set manually. For example: > > qemu-system-s390x -M s390-ccw-virtio-2.11 ... \ > -cpu zEC12,bpb=on,ppa15=on > > > +WRT to migration, enabling **bpb** requires the source/target also have > > **bpb** > > +enabled. Since this is enabled by default, you must ensure that > > **bpb**=off if > > s/**bpb**=off/**bpb**=off is used/ ? 
> > > +you wish to maintain migration compatibility with existing guests, or take > > +steps to reboot guests with **bpb** enabled prior to migrating them. > > Thomas
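
Review bot: In the migration paragraph at the end of the hunk, "Since this is enabled by default" rests on the earlier sentence "enabled by default with newer/patched host kernels", which does not say for which -cpu models the default applies, while the only example sets bpb=on,ppa15=on explicitly on zEC12. State which CPU models get the flags by default, so a reader can tell when bpb=off is actually needed to keep migration compatibility with existing guests. The same paragraph gives a source/target requirement only for bpb; say whether ppa15 carries one as well, or why it does not. Writing the option literally as bpb=off, the way it appears in the example command, rather than **bpb**=off would also match what is typed on the command line.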