On Wed, 14 Feb 2018 10:12:13 -0600 Michael Roth <mdr...@linux.vnet.ibm.com> wrote:
> This blog entry is intended as a follow-up to the original entry in
> January regarding Spectre/Meltdown and the proposed changes to address
> them in the upcoming 2.11.1 release.
>
> This entry is meant to accompany the 2.11.1 release (planned for
> 2018-02-14) and document how to make use of the new options for
> various architectures.
>
> Cc: Eduardo Habkost <ehabk...@redhat.com>
> Cc: Paolo Bonzini <pbonz...@redhat.com>
> Cc: Peter Maydell <peter.mayd...@linaro.org>
> Cc: Suraj Jitindar Singh <sjitindarsi...@gmail.com>
> Cc: David Gibson <da...@gibson.dropbear.id.au>
> Cc: Christian Borntraeger <borntrae...@de.ibm.com>
> Cc: Cornelia Huck <coh...@redhat.com>
> Cc: Thomas Huth <th...@redhat.com>
> Cc: Bruce Rogers <brog...@suse.com>
> Cc: Daniel P. Berrangé <berra...@redhat.com>
> Cc: David Hildenbrand <da...@redhat.com>
> Signed-off-by: Michael Roth <mdr...@linux.vnet.ibm.com>
> ---
> v2:
> * s/by itself that/by itself for that/ (Bruce)
> * make example formats more consistent (Bruce)
> * clarify wording WRT to host-side security (Daniel, Paolo)
> * general wording/formatting fix-ups (Thomas)
> * s/options/feature bits/ (Cornelia)
> * clarify s390x CPU feature defaults (Thomas/Cornelia/Christian/David)
> * clarify s390x migration compatibility statement (Cornelia)
>
> Thank you for the review!

Thank you for writing this blog post!
> > .../2018-02-14-qemu-2-11-1-and-spectre-update.md | 190 > +++++++++++++++++++++ > 1 file changed, 190 insertions(+) > create mode 100644 _posts/2018-02-14-qemu-2-11-1-and-spectre-update.md > +## Enabling mitigation features for s390x KVM guests > + > +For s390x guests there are 2 CPU feature bits relating to Spectre/Meltdown: > + > +* bpb: Branch prediction blocking > +* ppa15: PPA15 is installed > + > +**bpb** requires a host kernel patched with: > + > + commit 35b3fde6203b932b2b1a5b53b3d8808abc9c4f60 > + KVM: s390: wire up bpb feature > + > +and both **bpb** and **ppa15** require a firmware with the appropriate > support > +level as well as guest kernel patches to enable the functionality within > +guests. Please check with your distro/vendor to confirm. > + > +Both **bpb** and **ppa15** are enabled by default with newer/patched host > +kernels, and can also be set manually. For example: > + > + qemu-system-s390x -M s390-ccw-virtio-2.11 ... \ > + -cpu zEC12,bpb=on,ppa15=on > + > +Both **bpb** and **ppa15** are enabled by default when using "-cpu host" > +and when the host kernels supports these facilities. For other CPU > +models, the flags have to be set manually. For example: > + > + qemu-system-s390x -M s390-ccw-virtio-2.11 ... \ > + -cpu zEC12,bpb=on,ppa15=on > + > +With regard to migration, enabling **bpb** or **ppa15** feature flags > requires > +that the source/target also those flags enabled. s/also those/also has those/ > Since this is enabled by > +default for '-cpu host' (when available on the host), you must ensure that > +**bpb**=off,**ppa15**=off is used if you wish to maintain migration > +compatibility with existing guests when using '-cpu host', or take steps to > +reboot guests with **bpb**/**ppa15** enabled prior to migration. Otherwise, s390 part looks good to me.
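Review bot: The s390x section states the defaults twice, and the two statements disagree. The first paragraph says **bpb** and **ppa15** are enabled by default "with newer/patched host kernels", while the following one limits that to "-cpu host" and says other CPU models need the flags set manually; both are followed by the identical `-cpu zEC12,bpb=on,ppa15=on` example. Given the v2 changelog entry about clarifying the s390x defaults, the first paragraph and its example look like a leftover and could be dropped so that only the "-cpu host" wording remains. In the migration paragraph, `**bpb**=off,**ppa15**=off` puts markdown emphasis inside text a reader is likely to copy onto a command line; writing it as a plain `bpb=off,ppa15=off` literal would avoid that. Also, "when the host kernels supports" should read "when the host kernel supports".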