On Wed, 14 Feb 2018 10:12:13 -0600
Michael Roth <mdr...@linux.vnet.ibm.com> wrote:

> This blog entry is intended as a follow-up to the original entry in
> January regarding Spectre/Meltdown and the proposed changes to address
> them in the upcoming 2.11.1 release.
> 
> This entry is meant to accompany the 2.11.1 release (planned for
> 2018-02-14) and document how to make use of the new options for
> various architectures.
> 
> Cc: Eduardo Habkost <ehabk...@redhat.com>
> Cc: Paolo Bonzini <pbonz...@redhat.com>
> Cc: Peter Maydell <peter.mayd...@linaro.org>
> Cc: Suraj Jitindar Singh <sjitindarsi...@gmail.com>
> Cc: David Gibson <da...@gibson.dropbear.id.au>
> Cc: Christian Borntraeger <borntrae...@de.ibm.com>
> Cc: Cornelia Huck <coh...@redhat.com>
> Cc: Thomas Huth <th...@redhat.com>
> Cc: Bruce Rogers <brog...@suse.com>
> Cc: Daniel P. Berrangé <berra...@redhat.com>
> Cc: David Hildenbrand <da...@redhat.com>
> Signed-off-by: Michael Roth <mdr...@linux.vnet.ibm.com>
> ---
> v2:
>  * s/by itself that/by itself for that/ (Bruce)
>  * make example formats more consistent (Bruce)
>  * clarify wording WRT to host-side security (Daniel, Paolo)
>  * general wording/formatting fix-ups (Thomas)
>  * s/options/feature bits/ (Cornelia)
>  * clarify s390x CPU feature defaults (Thomas/Cornelia/Christian/David)
>  * clarify s390x migration compatibility statement (Cornelia)
> 
> Thank you for the review!

Thank you for writing this blog post!

> 
>  .../2018-02-14-qemu-2-11-1-and-spectre-update.md   | 190 
> +++++++++++++++++++++
>  1 file changed, 190 insertions(+)
>  create mode 100644 _posts/2018-02-14-qemu-2-11-1-and-spectre-update.md

> +## Enabling mitigation features for s390x KVM guests
> +
> +For s390x guests there are 2 CPU feature bits relating to Spectre/Meltdown:
> +
> +* bpb: Branch prediction blocking
> +* ppa15: PPA15 is installed
> +
> +**bpb** requires a host kernel patched with:
> +
> +    commit 35b3fde6203b932b2b1a5b53b3d8808abc9c4f60
> +    KVM: s390: wire up bpb feature
> +
> +and both **bpb** and **ppa15** require a firmware with the appropriate 
> support
> +level as well as guest kernel patches to enable the functionality within
> +guests. Please check with your distro/vendor to confirm.
> +
> +Both **bpb** and **ppa15** are enabled by default with newer/patched host
> +kernels, and can also be set manually. For example:
> +
> +    qemu-system-s390x -M s390-ccw-virtio-2.11 ... \
> +      -cpu zEC12,bpb=on,ppa15=on 
> +
> +Both **bpb** and **ppa15** are enabled by default when using "-cpu host"
> +and when the host kernels supports these facilities. For other CPU
> +models, the flags have to be set manually. For example:
> +
> +    qemu-system-s390x -M s390-ccw-virtio-2.11 ... \
> +      -cpu zEC12,bpb=on,ppa15=on
> +
> +With regard to migration, enabling **bpb** or **ppa15** feature flags 
> requires
> +that the source/target also those flags enabled. 

s/also those/also has those/

> Since this is enabled by
> +default for '-cpu host' (when available on the host), you must ensure that
> +**bpb**=off,**ppa15**=off is used if you wish to maintain migration
> +compatibility with existing guests when using '-cpu host', or take steps to
> +reboot guests with **bpb**/**ppa15** enabled prior to migration.

Otherwise, s390 part looks good to me.

Reply via email to