Re: [virt-tools-list] [virt-manager PATCH 3/5] cli: introduce CPU secure parameter
On Thu, Apr 04, 2019 at 10:14:21AM +0100, Daniel P. Berrangé wrote:
> On Wed, Apr 03, 2019 at 03:52:49PM +0200, Pavel Hrdina wrote:
> > This will allow users to override the default behavior of virt-install
> > which copies CPU security features available on the host to the guest
> > XML if specific CPU model is configured.
> >
> > Signed-off-by: Pavel Hrdina
> > ---
> > man/virt-install.pod | 8 +-
> > .../compare/virt-install-cpu-disable-sec.xml | 93 +++
> > tests/clitest.py | 1 +
> > virtinst/cli.py | 1 +
> > virtinst/domain/cpu.py| 7 +-
> > 5 files changed, 108 insertions(+), 2 deletions(-)
> > create mode 100644 tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml
> >
> > diff --git a/man/virt-install.pod b/man/virt-install.pod
> > index 8407e795..18d44808 100644
> > --- a/man/virt-install.pod
> > +++ b/man/virt-install.pod
> > @@ -216,7 +216,13 @@ required value is MODEL, which is a valid CPU model as > > known to libvirt. > > > > Libvirt's feature policy values force, require, optional, disable, or > > forbid, > > or with the shorthand '+feature' and '-feature', which equal > > 'force=feature' > > -and 'disable=feature' respectively > > +and 'disable=feature' respectively. > > + > > +If exact CPU model is specified virt-install will automatically copy CPU > > +security features available on the host to mitigate recent CPU CVEs.
> > I'd tweak it slightly to
> > s/security features/features/
> > s/CPU CVEs/CPU speculative execution side channel security vulnerabilities./
>
> > +This however will have some impact on performance and will break migration > > +to hosts without security patches. In order to turn off this default > > behavior > > +there is a B parameter. Possible values are I and I.
> > At the end, add
> > , with I as the default. It is highly recommended to leave this
> enabled and ensure all virtualization hosts have fully up to date
> microcode, kernel & virtualization software installed.
Thanks, I'll tweak it before pushing.
Pavel
___ virt-tools-list mailing list virt-tools-list@redhat.com https://www.redhat.com/mailman/listinfo/virt-tools-list
Re: [virt-tools-list] [virt-manager PATCH 3/5] cli: introduce CPU secure parameter
On Thu, Apr 04, 2019 at 10:14:21AM +0100, Daniel P. Berrangé wrote:
> On Wed, Apr 03, 2019 at 03:52:49PM +0200, Pavel Hrdina wrote:
> > This will allow users to override the default behavior of virt-install
> > which copies CPU security features available on the host to the guest
> > XML if specific CPU model is configured.
> >
> > Signed-off-by: Pavel Hrdina
> > ---
> > man/virt-install.pod | 8 +-
> > .../compare/virt-install-cpu-disable-sec.xml | 93 +++
> > tests/clitest.py | 1 +
> > virtinst/cli.py | 1 +
> > virtinst/domain/cpu.py| 7 +-
> > 5 files changed, 108 insertions(+), 2 deletions(-)
> > create mode 100644 tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml
> >
> > diff --git a/man/virt-install.pod b/man/virt-install.pod
> > index 8407e795..18d44808 100644
> > --- a/man/virt-install.pod
> > +++ b/man/virt-install.pod
> > @@ -216,7 +216,13 @@ required value is MODEL, which is a valid CPU model as > > known to libvirt. > > > > Libvirt's feature policy values force, require, optional, disable, or > > forbid, > > or with the shorthand '+feature' and '-feature', which equal > > 'force=feature' > > -and 'disable=feature' respectively > > +and 'disable=feature' respectively. > > + > > +If exact CPU model is specified virt-install will automatically copy CPU > > +security features available on the host to mitigate recent CPU CVEs.
> > I'd tweak it slightly to
> > s/security features/features/
> > s/CPU CVEs/CPU speculative execution side channel security vulnerabilities./
>
> > +This however will have some impact on performance and will break migration > > +to hosts without security patches. In order to turn off this default > > behavior > > +there is a B parameter. Possible values are I and I.
> > At the end, add
> > , with I as the default. It is highly recommended to leave this
> enabled and ensure all virtualization hosts have fully up to date
> microcode, kernel & virtualization software installed.
With those changes applied
Reviewed-by: Daniel P. Berrangé
Regards,
Daniel
--
|: https://berrange.com -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|
Re: [virt-tools-list] [virt-manager PATCH 3/5] cli: introduce CPU secure parameter
On Wed, Apr 03, 2019 at 03:52:49PM +0200, Pavel Hrdina wrote:
> This will allow users to override the default behavior of virt-install
> which copies CPU security features available on the host to the guest
> XML if specific CPU model is configured.
>
> Signed-off-by: Pavel Hrdina
> ---
> man/virt-install.pod | 8 +-
> .../compare/virt-install-cpu-disable-sec.xml | 93 +++
> tests/clitest.py | 1 +
> virtinst/cli.py | 1 +
> virtinst/domain/cpu.py| 7 +-
> 5 files changed, 108 insertions(+), 2 deletions(-)
> create mode 100644 tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml
>
> diff --git a/man/virt-install.pod b/man/virt-install.pod
> index 8407e795..18d44808 100644
> --- a/man/virt-install.pod
> +++ b/man/virt-install.pod
> @@ -216,7 +216,13 @@ required value is MODEL, which is a valid CPU model as > known to libvirt. > > Libvirt's feature policy values force, require, optional, disable, or forbid, > or with the shorthand '+feature' and '-feature', which equal 'force=feature' > -and 'disable=feature' respectively > +and 'disable=feature' respectively. > + > +If exact CPU model is specified virt-install will automatically copy CPU > +security features available on the host to mitigate recent CPU CVEs.
I'd tweak it slightly to
s/security features/features/
s/CPU CVEs/CPU speculative execution side channel security vulnerabilities./
> +This however will have some impact on performance and will break migration > +to hosts without security patches. In order to turn off this default > behavior > +there is a B parameter. Possible values are I and I.
At the end, add
, with I as the default. It is highly recommended to leave this enabled and ensure all virtualization hosts have fully up to date microcode, kernel & virtualization software installed.
Regards,
Daniel
--
|: https://berrange.com -o-https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o-https://fstop138.berrange.com :|
|: https://entangle-photo.org-o-https://www.instagram.com/dberrange :|
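As a defender-side complement to the review above, here is an added example (not code from this patch or from virt-manager) that audits libvirt guest XML for the feature policies the `secure` parameter controls: a guest with an exact custom model whose expected features are not forced or required is flagged, which is what `--cpu MODEL,secure=off` leaves behind. The names in EXPECTED_FEATURES and both sample XML documents are constructed placeholders, since the set virt-install copies depends on the host.

```python
import xml.etree.ElementTree as ET

# Assumed placeholder list: which features virt-install copies depends on the
# host, so adapt this to the mitigations your hosts actually expose.
EXPECTED_FEATURES = ("spec-ctrl", "ssbd", "md-clear")


def audit_cpu_features(domain_xml, expected=EXPECTED_FEATURES):
    """Report how each expected feature is handled in a domain's <cpu> block."""
    cpu = ET.fromstring(domain_xml).find("cpu")
    report = {"model": None, "mode": None, "present": [], "absent": []}
    if cpu is None:
        report["absent"] = list(expected)
        return report
    report["mode"] = cpu.get("mode")
    model = cpu.find("model")
    report["model"] = model.text if model is not None else None
    policies = {f.get("name"): f.get("policy") for f in cpu.findall("feature")}
    # libvirt policy semantics: force/require expose the feature to the guest,
    # disable/forbid keep it away, optional only follows the host, and an
    # unlisted feature is simply not requested by the guest definition.
    for name in expected:
        if policies.get(name) in ("force", "require"):
            report["present"].append(name)
        else:
            report["absent"].append(name)
    return report


def looks_unmitigated(report):
    """True when an exact custom model was set but expected features are
    missing, i.e. the shape --cpu MODEL,secure=off produces."""
    return report["mode"] == "custom" and bool(report["absent"])


# Constructed sample XML, not from the test suite: the first resembles the
# default secure=on output, the second what secure=off produces.
SECURE_XML = """<domain type='kvm'><name>foobar</name>
<cpu mode='custom' match='exact'><model>qemu64</model>
<feature policy='require' name='spec-ctrl'/>
<feature policy='require' name='ssbd'/>
<feature policy='require' name='md-clear'/>
</cpu></domain>"""
INSECURE_XML = """<domain type='kvm'><name>foobar</name>
<cpu mode='custom' match='exact'><model>qemu64</model></cpu></domain>"""

if __name__ == "__main__":
    for label, xml in (("secure=on", SECURE_XML), ("secure=off", INSECURE_XML)):
        rep = audit_cpu_features(xml)
        print(label, rep["model"], "FLAG" if looks_unmitigated(rep) else "ok", rep["absent"])
```

Run it against `virsh dumpxml` output of each guest to spot definitions that were created with the default overridden.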
[virt-tools-list] [virt-manager PATCH 3/5] cli: introduce CPU secure parameter
This will allow users to override the default behavior of virt-install which copies CPU security features available on the host to the guest XML if specific CPU model is configured. Signed-off-by: Pavel Hrdina --- man/virt-install.pod | 8 +- .../compare/virt-install-cpu-disable-sec.xml | 93 +++ tests/clitest.py | 1 + virtinst/cli.py | 1 + virtinst/domain/cpu.py| 7 +- 5 files changed, 108 insertions(+), 2 deletions(-) create mode 100644 tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml diff --git a/man/virt-install.pod b/man/virt-install.pod index 8407e795..18d44808 100644 --- a/man/virt-install.pod +++ b/man/virt-install.pod @@ -216,7 +216,13 @@ required value is MODEL, which is a valid CPU model as known to libvirt. Libvirt's feature policy values force, require, optional, disable, or forbid, or with the shorthand '+feature' and '-feature', which equal 'force=feature' -and 'disable=feature' respectively +and 'disable=feature' respectively. + +If exact CPU model is specified virt-install will automatically copy CPU +security features available on the host to mitigate recent CPU CVEs. +This however will have some impact on performance and will break migration +to hosts without security patches. In order to turn off this default behavior +there is a B parameter. Possible values are I and I. Some examples: diff --git a/tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml b/tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml new file mode 100644 index ..a86d6926 --- /dev/null +++ b/tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml @@ -0,0 +1,93 @@ + + foobar + ---- + 65536 + 65536 + 1 + +hvm + + + + + + + +qemu64 + + + + + + + destroy + + + + + +/usr/bin/qemu-kvm + + + + + + + + + + + + + + + + + + + + foobar + ---- + 65536 + 65536 + 1 + +hvm + + + + + + + +qemu64 + + + + + + + + + + + +/usr/bin/qemu-kvm + + + + + + + + + + + + + + + + + + diff --git a/tests/clitest.py b/tests/clitest.py index d3bd6044..e5abb0c0 100644 
--- a/tests/clitest.py +++ b/tests/clitest.py @@ -603,6 +603,7 @@ c.add_invalid("--clock foo_tickpolicy=merge") # Unknown timer c.add_invalid("--security foobar") # Busted --security c.add_compare("--cpuset auto --vcpus 2", "cpuset-auto") # --cpuset=auto actually works c.add_compare("--memory 1024,hotplugmemorymax=2048,hotplugmemoryslots=2 --cpu cell0.cpus=0,cell0.memory=1048576 --memdev dimm,access=private,target_size=512,target_node=0,source_pagesize=4,source_nodemask=1-2 --memdev nvdimm,source_path=/path/to/nvdimm,target_size=512,target_node=0,target_label_size=128", "memory-hotplug") +c.add_compare("--connect " + utils.URIs.kvm_q35 + " --cpu qemu64,secure=off", "cpu-disable-sec") # disable security features that are added by default diff --git a/virtinst/cli.py b/virtinst/cli.py index 5e90e225..dbb9cfd5 100644 --- a/virtinst/cli.py +++ b/virtinst/cli.py @@ -1791,6 +1791,7 @@ class ParserCPU(VirtCLIParser): cls.add_arg("mode", "mode") cls.add_arg("match", "match") cls.add_arg("vendor", "vendor") +cls.add_arg("secure", "secure", is_onoff=True) cls.add_arg(None, "force", is_list=True, cb=cls.set_feature_cb) cls.add_arg(None, "require", is_list=True, cb=cls.set_feature_cb) diff --git a/virtinst/domain/cpu.py b/virtinst/domain/cpu.py index 34f34168..bf553449 100644 --- a/virtinst/domain/cpu.py +++ b/virtinst/domain/cpu.py @@ -64,6 +64,8 @@ class DomainCpu(XMLBuilder): _XML_PROP_ORDER = ["mode", "match", "model", "vendor", "sockets", "cores", "threads", "features"] +secure = True + special_mode_was_set = False # These values are exposed on the command line, so are stable API SPECIAL_MODE_HOST_MODEL_ONLY = "host-model-only" 
@@ -126,7 +128,10 @@ class DomainCpu(XMLBuilder): self.mode = "custom" if not self.match: self.match = "exact" -self._add_security_features(guest) +if self.secure: +self._add_security_features(guest) +else: +self._remove_security_features(guest) self.model = val def add_feature(self, name, policy="require"): -- 2.20.1
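Review bot: the new paragraph in the man/virt-install.pod hunk lists the two possible values but never says which one is the default; since the cpu.py hunk initialises `secure = True`, state that secure=on is the default so readers know the performance and migration caveats describe the behaviour they get without any extra option, and read "If an exact CPU model is specified" for the opening sentence.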
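Review bot: the tests/clitest.py hunk only exercises `secure=off`; because the argument is declared with `is_onoff=True`, a second add_compare with `--cpu qemu64,secure=on` checked against the existing default output would catch a regression that ignores the value in either direction, and the comment should mention that the case depends on the kvm_q35 test URI exposing the host features that are being stripped.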
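Review bot: in the virtinst/cli.py hunk `secure` is registered after `mode`, `match` and `vendor`, while the cpu.py hunk makes the add-or-remove decision inside the method that sets the model; please confirm the parser applies `secure` before the model callback runs (the new test passes `secure=off` after `qemu64`), because otherwise that method sees the class default `secure = True` and an explicit off value is silently ignored.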
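Review bot: `secure = True` in the first virtinst/domain/cpu.py hunk is a plain class attribute on an XMLBuilder that is deliberately kept out of _XML_PROP_ORDER, yet it sits directly above the comment about command-line-exposed stable API values; a one-line comment saying it is CLI-only state that is never serialised into the domain XML would stop someone later turning it into an XML property.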
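Review bot: the second virtinst/domain/cpu.py hunk calls `self._remove_security_features(guest)`, which this patch does not define (the diffstat shows only 7 changed lines in cpu.py, all visible here); the commit message should say which earlier patch in the series introduces that helper so a reviewer applying this one on its own knows where to look.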