Re: [virt-tools-list] [virt-manager PATCH 3/5] cli: introduce CPU secure parameter
On Thu, Apr 04, 2019 at 10:14:21AM +0100, Daniel P. Berrangé wrote: > On Wed, Apr 03, 2019 at 03:52:49PM +0200, Pavel Hrdina wrote: > > This will allow users to override the default behavior of virt-install > > which copies CPU security features available on the host to the guest > > XML if specific CPU model is configured. > > > > Signed-off-by: Pavel Hrdina > > --- > > man/virt-install.pod | 8 +- > > .../compare/virt-install-cpu-disable-sec.xml | 93 +++ > > tests/clitest.py | 1 + > > virtinst/cli.py | 1 + > > virtinst/domain/cpu.py| 7 +- > > 5 files changed, 108 insertions(+), 2 deletions(-) > > create mode 100644 > > tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml > > > > diff --git a/man/virt-install.pod b/man/virt-install.pod > > index 8407e795..18d44808 100644 > > --- a/man/virt-install.pod > > +++ b/man/virt-install.pod > > @@ -216,7 +216,13 @@ required value is MODEL, which is a valid CPU model as > > known to libvirt. > > > > Libvirt's feature policy values force, require, optional, disable, or > > forbid, > > or with the shorthand '+feature' and '-feature', which equal > > 'force=feature' > > -and 'disable=feature' respectively > > +and 'disable=feature' respectively. > > + > > +If exact CPU model is specified virt-install will automatically copy CPU > > +security features available on the host to mitigate recent CPU CVEs. > > I'd tweak it slightly to > > s/security features/features/ > > s/CPU CVEs/CPU speculative execution side channel security vulnerabilities./ > > > +This however will have some impact on performance and will break migration > > +to hosts without security patches. In order to turn off this default > > behavior > > +there is a B parameter. Possible values are I and I. > > At the end, add > > , with I as the default. It is highly recommended to leave this > enabled and ensure all virtualization hosts have fully up to date > microcode, kernel & virtualization software installed. Thanks, I'll tweak it before pushing. Pavel signature.asc Description: PGP signature ___ virt-tools-list mailing list virt-tools-list@redhat.com https://www.redhat.com/mailman/listinfo/virt-tools-list
Re: [virt-tools-list] [virt-manager PATCH 3/5] cli: introduce CPU secure parameter
On Thu, Apr 04, 2019 at 10:14:21AM +0100, Daniel P. Berrangé wrote: > On Wed, Apr 03, 2019 at 03:52:49PM +0200, Pavel Hrdina wrote: > > This will allow users to override the default behavior of virt-install > > which copies CPU security features available on the host to the guest > > XML if specific CPU model is configured. > > > > Signed-off-by: Pavel Hrdina > > --- > > man/virt-install.pod | 8 +- > > .../compare/virt-install-cpu-disable-sec.xml | 93 +++ > > tests/clitest.py | 1 + > > virtinst/cli.py | 1 + > > virtinst/domain/cpu.py| 7 +- > > 5 files changed, 108 insertions(+), 2 deletions(-) > > create mode 100644 > > tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml > > > > diff --git a/man/virt-install.pod b/man/virt-install.pod > > index 8407e795..18d44808 100644 > > --- a/man/virt-install.pod > > +++ b/man/virt-install.pod > > @@ -216,7 +216,13 @@ required value is MODEL, which is a valid CPU model as > > known to libvirt. > > > > Libvirt's feature policy values force, require, optional, disable, or > > forbid, > > or with the shorthand '+feature' and '-feature', which equal > > 'force=feature' > > -and 'disable=feature' respectively > > +and 'disable=feature' respectively. > > + > > +If exact CPU model is specified virt-install will automatically copy CPU > > +security features available on the host to mitigate recent CPU CVEs. > > I'd tweak it slightly to > > s/security features/features/ > > s/CPU CVEs/CPU speculative execution side channel security vulnerabilities./ > > > +This however will have some impact on performance and will break migration > > +to hosts without security patches. In order to turn off this default > > behavior > > +there is a B parameter. Possible values are I and I. > > At the end, add > > , with I as the default. It is highly recommended to leave this > enabled and ensure all virtualization hosts have fully up to date > microcode, kernel & virtualization software installed. With those changes applied Reviewed-by: Daniel P. Berrangé Regards, Daniel -- |: https://berrange.com -o-https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o-https://fstop138.berrange.com :| |: https://entangle-photo.org-o-https://www.instagram.com/dberrange :| ___ virt-tools-list mailing list virt-tools-list@redhat.com https://www.redhat.com/mailman/listinfo/virt-tools-list
Re: [virt-tools-list] [virt-manager PATCH 3/5] cli: introduce CPU secure parameter
On Wed, Apr 03, 2019 at 03:52:49PM +0200, Pavel Hrdina wrote: > This will allow users to override the default behavior of virt-install > which copies CPU security features available on the host to the guest > XML if specific CPU model is configured. > > Signed-off-by: Pavel Hrdina > --- > man/virt-install.pod | 8 +- > .../compare/virt-install-cpu-disable-sec.xml | 93 +++ > tests/clitest.py | 1 + > virtinst/cli.py | 1 + > virtinst/domain/cpu.py| 7 +- > 5 files changed, 108 insertions(+), 2 deletions(-) > create mode 100644 > tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml > > diff --git a/man/virt-install.pod b/man/virt-install.pod > index 8407e795..18d44808 100644 > --- a/man/virt-install.pod > +++ b/man/virt-install.pod > @@ -216,7 +216,13 @@ required value is MODEL, which is a valid CPU model as > known to libvirt. > > Libvirt's feature policy values force, require, optional, disable, or forbid, > or with the shorthand '+feature' and '-feature', which equal 'force=feature' > -and 'disable=feature' respectively > +and 'disable=feature' respectively. > + > +If exact CPU model is specified virt-install will automatically copy CPU > +security features available on the host to mitigate recent CPU CVEs. I'd tweak it slightly to s/security features/features/ s/CPU CVEs/CPU speculative execution side channel security vulnerabilities./ > +This however will have some impact on performance and will break migration > +to hosts without security patches. In order to turn off this default > behavior > +there is a B parameter. Possible values are I and I. At the end, add , with I as the default. It is highly recommended to leave this enabled and ensure all virtualization hosts have fully up to date microcode, kernel & virtualization software installed. Regards, Daniel -- |: https://berrange.com -o-https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o-https://fstop138.berrange.com :| |: https://entangle-photo.org-o-https://www.instagram.com/dberrange :| ___ virt-tools-list mailing list virt-tools-list@redhat.com https://www.redhat.com/mailman/listinfo/virt-tools-list
[virt-tools-list] [virt-manager PATCH 3/5] cli: introduce CPU secure parameter
This will allow users to override the default behavior of virt-install
which copies CPU security features available on the host to the guest
XML if specific CPU model is configured.
Signed-off-by: Pavel Hrdina
---
man/virt-install.pod | 8 +-
.../compare/virt-install-cpu-disable-sec.xml | 93 +++
tests/clitest.py | 1 +
virtinst/cli.py | 1 +
virtinst/domain/cpu.py| 7 +-
5 files changed, 108 insertions(+), 2 deletions(-)
create mode 100644 tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml
diff --git a/man/virt-install.pod b/man/virt-install.pod
index 8407e795..18d44808 100644
--- a/man/virt-install.pod
+++ b/man/virt-install.pod
@@ -216,7 +216,13 @@ required value is MODEL, which is a valid CPU model as
known to libvirt.
Libvirt's feature policy values force, require, optional, disable, or forbid,
or with the shorthand '+feature' and '-feature', which equal 'force=feature'
-and 'disable=feature' respectively
+and 'disable=feature' respectively.
+
+If exact CPU model is specified virt-install will automatically copy CPU
+security features available on the host to mitigate recent CPU CVEs.
+This however will have some impact on performance and will break migration
+to hosts without security patches. In order to turn off this default behavior
+there is a B parameter. Possible values are I and I.
Some examples:
diff --git a/tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml
b/tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml
new file mode 100644
index ..a86d6926
--- /dev/null
+++ b/tests/cli-test-xml/compare/virt-install-cpu-disable-sec.xml
@@ -0,0 +1,93 @@
+
+ foobar
+ ----
+ 65536
+ 65536
+ 1
+
+hvm
+
+
+
+
+
+
+
+qemu64
+
+
+
+
+
+
+ destroy
+
+
+
+
+
+/usr/bin/qemu-kvm
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ foobar
+ ----
+ 65536
+ 65536
+ 1
+
+hvm
+
+
+
+
+
+
+
+qemu64
+
+
+
+
+
+
+
+
+
+
+
+/usr/bin/qemu-kvm
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/tests/clitest.py b/tests/clitest.py
index d3bd6044..e5abb0c0 100644
--- a/tests/clitest.py
+++ b/tests/clitest.py
@@ -603,6 +603,7 @@ c.add_invalid("--clock foo_tickpolicy=merge") # Unknown
timer
c.add_invalid("--security foobar") # Busted --security
c.add_compare("--cpuset auto --vcpus 2", "cpuset-auto") # --cpuset=auto
actually works
c.add_compare("--memory 1024,hotplugmemorymax=2048,hotplugmemoryslots=2 --cpu
cell0.cpus=0,cell0.memory=1048576 --memdev
dimm,access=private,target_size=512,target_node=0,source_pagesize=4,source_nodemask=1-2
--memdev
nvdimm,source_path=/path/to/nvdimm,target_size=512,target_node=0,target_label_size=128",
"memory-hotplug")
+c.add_compare("--connect " + utils.URIs.kvm_q35 + " --cpu qemu64,secure=off",
"cpu-disable-sec") # disable security features that are added by default
diff --git a/virtinst/cli.py b/virtinst/cli.py
index 5e90e225..dbb9cfd5 100644
--- a/virtinst/cli.py
+++ b/virtinst/cli.py
@@ -1791,6 +1791,7 @@ class ParserCPU(VirtCLIParser):
cls.add_arg("mode", "mode")
cls.add_arg("match", "match")
cls.add_arg("vendor", "vendor")
+cls.add_arg("secure", "secure", is_onoff=True)
cls.add_arg(None, "force", is_list=True, cb=cls.set_feature_cb)
cls.add_arg(None, "require", is_list=True, cb=cls.set_feature_cb)
diff --git a/virtinst/domain/cpu.py b/virtinst/domain/cpu.py
index 34f34168..bf553449 100644
--- a/virtinst/domain/cpu.py
+++ b/virtinst/domain/cpu.py
@@ -64,6 +64,8 @@ class DomainCpu(XMLBuilder):
_XML_PROP_ORDER = ["mode", "match", "model", "vendor",
"sockets", "cores", "threads", "features"]
+secure = True
+
special_mode_was_set = False
# These values are exposed on the command line, so are stable API
SPECIAL_MODE_HOST_MODEL_ONLY = "host-model-only"
@@ -126,7 +128,10 @@ class DomainCpu(XMLBuilder):
self.mode = "custom"
if not self.match:
self.match = "exact"
-self._add_security_features(guest)
+if self.secure:
+self._add_security_features(guest)
+else:
+self._remove_security_features(guest)
self.model = val
def add_feature(self, name, policy="require"):
--
2.20.1
___
virt-tools-list mailing list
virt-tools-list@redhat.com
https://www.redhat.com/mailman/listinfo/virt-tools-list
