[Bug 1853200] Re: cpu features hle and rtm disabled for security are present in /usr/share/libvirt/cpu_map.xml

2020-10-08 - Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: libvirt (Ubuntu Bionic)
   Status: New => Confirmed

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1853200

2020-10-08 - Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: qemu (Ubuntu Bionic)
   Status: New => Confirmed

2020-08-18 - Brian Murray
The Eoan Ermine has reached end of life, so this bug will not be fixed for that release.

** Changed in: libvirt (Ubuntu Eoan)
   Status: New => Won't Fix

2020-08-18 - Brian Murray
The Eoan Ermine has reached end of life, so this bug will not be fixed for that release.

** Changed in: qemu (Ubuntu Eoan)
   Status: New => Won't Fix

2020-05-26 - panticz.de
A quick workaround for those who need hle and rtm CPU flags back is to set the tsx=on kernel boot parameter:

  # /etc/default/grub
  ...
  GRUB_CMDLINE_LINUX_DEFAULT="... tsx=on"
  ...
  update-grub

Tested on Ubuntu 20.04 with kernel 5.4.0-31-generic:

  # uname -a
  Linux com1-dev 5.4.0-31-generic

2020-03-27 - Christian Ehrhardt
A while back Marc checked the case and realized that backporting the qemu changes without anything in libvirt would make no sense - comment #21. Now the things in libvirt exist, which is a step forward. This still will be no transparent solution, people will have to switch types if they can't run

2020-03-27 - Janåke Rönnblom
Will these changes go into 18.04.x also?

-J

2020-03-26 - Launchpad Bug Tracker
This bug was fixed in the package libvirt - 6.0.0-0ubuntu6

---
libvirt (6.0.0-0ubuntu6) focal; urgency=medium

  * d/p/ubuntu/lp-1867460-*: fix domcapabilities before capabilities and
    binary autodetection in general (LP: #1867460)
  * d/p/stable/lp-1868539-*: stabilize libvirt by

2020-03-26 - Christian Ehrhardt
Upstream committed as:

  dd17a4eba8 cpu_map: Add more -noTSX x86 CPU models
  f4914045c2 cpu_map: Add <decode> element to x86 CPU model definitions
  7cd896ef31 cpu_x86: Honor CPU models' <decode> element
  17cdefe5f1 cpu_map: Don't use new noTSX models for host-model CPUs

I have replaced my patches with the final ones

2020-03-25 - Christian Ehrhardt
Since tests are good I asked if they are ready to be committed and got:

  [13:31] cpaelzer_: I'll commit it later today

With that I can later on replace the preliminary patches with the final ones before an upload.

2020-03-25 - Christian Ehrhardt
FYI: Regression test is fine on this build, but waiting a bit to give it a chance to be upstream committed.

2020-03-23 - Christian Ehrhardt
Tests with the PPA build using the patches sent by Jiri (and my addition of the noTSX types):

#1 virsh capabilities
   Before: Broadwell-noTSX-IBRS + 33 features
   After:  Skylake-Client-noTSX-IBRS + 24 features
   => good

#2 virsh domcapabilities
   Before: Skylake-Client-IBRS + 16 features
   After:

2020-03-23 - Christian Ehrhardt
PPA: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3986
MP: https://code.launchpad.net/~paelzer/ubuntu/+source/libvirt/+git/libvirt/+merge/380942

** Merge proposal linked:
   https://code.launchpad.net/~paelzer/ubuntu/+source/libvirt/+git/libvirt/+merge/380942

2020-03-23 - Christian Ehrhardt
Updated task state to reflect my work with upstream to get libvirt to know about this change.

** Changed in: libvirt (Ubuntu)
   Assignee: Ubuntu Security Team (ubuntu-security) => Christian Ehrhardt (paelzer)

** Changed in: libvirt (Ubuntu)
   Status: Won't Fix => Triaged

2020-03-13 - Christian Ehrhardt
FYI: I pinged on the list as I see that "auto-detect other cpu types" is not linked to the submission I made. But OTOH we can't go ahead integrating this in Ubuntu ahead of time while it is not accepted, or we would risk diverging, making things even worse ...

2020-03-13 - Christian Ehrhardt
diverge ... details of CPU type names I mean, breaking cross-system and cross-release behavior

2020-03-11 - Christian Ehrhardt
No reply yet on v2: https://www.redhat.com/archives/libvir-list/2020-March/msg00296.html

2020-03-10 - Christian Ehrhardt
FYI: discussion goes on, v2 now submitted to the thread on the ML.

2020-03-06 - Christian Ehrhardt
Submitted to upstream libvirt as:
=> https://www.redhat.com/archives/libvir-list/2020-March/msg00175.html

2020-03-04 - Christian Ehrhardt
List of types to consider adding, by comparing qemu qmp output of cpu probing with cpu_maps of libvirt:

  - Cascadelake-Server-noTSX
  - Icelake-Client-noTSX
  - Icelake-Server-noTSX
  - Skylake-Server-noTSX-IBRS
  - Skylake-Client-noTSX-IBRS

2020-03-04 - Christian Ehrhardt
Upstream agrees, we need to add new types to libvirt. The discussion is still ongoing but I'm prepping a submission of those types ...

2020-03-04 - Christian Ehrhardt
FYI: bug 1861643 might be a new symptom of the same root cause. If that is confirmed we might bump this for re-considering our options ... again (at least going forward we might want to add Skylake-Client-noTSX-IBRS and such to qemu in Focal).

2020-03-04 - Christian Ehrhardt
.. or adding the types to libvirt, whatever is needed to at least limit the impact of dropping hle/rtm in 20.04 ...

2020-02-26 - Christian Ehrhardt
** Changed in: libvirt (Ubuntu)
   Status: Confirmed => Won't Fix

2020-02-12 - Marc Deslauriers
I don't know what the way forward is to resolve this issue. While upstream qemu has added some new CPU models, "Skylake-Client-noTSX-IBRS", "Skylake-Server-noTSX-IBRS", etc, libvirt has not. If I do add these to libvirt, we will need to carry them forward as a delta to upstream possibly forever.

2020-02-11 - Marc Deslauriers
This looks like the list of commits to support recent kernel/microcode feature updates:

qemu:
  https://git.qemu.org/?p=qemu.git;a=commit;h=7fac38635e1cc5ebae34eb6530da1009bd5808e4 (taa)
  https://git.qemu.org/?p=qemu.git;a=commit;h=0723cc8a5558c94388db75ae1f4991314914edd3 (vmx)

2020-01-14 - Christian Ehrhardt
FYI: I pinged the security Team again on this one to be sure it doesn't fall through the cracks.

2019-12-09 - Janåke Rönnblom
Hi,

There is also the microcode package where Intel has published and updated these flags. So this in combination with the kernel might cause these errors.

-J

2019-12-09 - Christian Ehrhardt
Oh, so you seem to have a combination of HW/FW/Kernel that gets along with it. But for e.g. a hosting environment please be aware of the "SMT vulnerable", unless you have SMT disabled anyway. Since different systems (HW/FW/Kernel) will behave differently I think this issue isn't resolved

2019-12-09 - Nobuto Murata
Here you are:

  $ grep . /sys/devices/system/cpu/vulnerabilities/*
  /sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Mitigation: Split huge pages
  /sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable

2019-12-09 - Christian Ehrhardt
@Nobuto: Interesting, what is your:

  grep . /sys/devices/system/cpu/vulnerabilities/*

2019-12-09 - Nobuto Murata
> @Nobuto - has your system any of the above kernel parameters set manually?

No, we don't have any flags in kernel parameters related to tsx or similar. FWIW, I haven't tested any older kernel to check if those flags are available. But we are using Intel(R) Xeon(R) Gold 6150 CPU @ 2.70GHz.

2019-12-08 - Christian Ehrhardt
You said this might have been resolved differently anyway with the newest kernel having again hle/rtm enabled - I haven't heard about it but that would probably be even better. Let's see on the kernel side.

- Fixes for CVE-2019-11135 got added in 4.15.0-69.78
- This was reported against 4.15.0-70

2019-12-07 - Nobuto Murata
I'm not sure I'm following the discussion here, but I see hle and rtm flags with the latest security update for the bionic GA kernel. So it looks like the issue is not reproducible any longer. Am I missing something?

  $ dpkg -l | grep linux-image
  ii  linux-image-4.15.0-72-generic  4.15.0-72.81

2019-11-22 - Christian Ehrhardt
FYI: I got a message from sbeattie that security will take a look at the backports for these qemu fixes. For libvirt we can check again then if the types got updated, and if no one did I can send something there as well.

2019-11-22 - David Coronel
Subscribed ~field-medium

2019-11-21 - Christian Ehrhardt
This was now accepted upstream in qemu. [1] is the merge commit containing the new names discussed here 02fa60d1 / 9ab2237f but also tsx-ctrl which seems to be part of the overall tsx handling and not yet part of the patches of last week 2a9758c5.

@security - are you gonna take a look at

2019-11-20 - Corey Bryant
Patches are in progress for new CPU models with TSX disabled:
https://lists.gnu.org/archive/html/qemu-devel/2019-11/msg03323.html

(Thanks Cpaelzer and Kashyap)

2019-11-20 - Kashyap Chamarthy
A small addendum to what Corey said: Upstream QEMU will mostly be providing new named CPU models with 'hle' and 'rtm' CPU flags turned off. Keep an eye on the upstream 'qemu-devel' list :-)

2019-11-20 - Steve Beattie
@Cpaelzer there were alas no discussions pre-disclosure beyond adding the basic taa-no and pschange-mc-no flag support to qemu. We can definitely add text to the USN about this; let's get it in the KnowledgeBase article first since that's easier to modify.

2019-11-20 - Corey Bryant
I chatted with Kashyap in #openstack-nova and he has a blueprint up for disabling CPU feature flags at:
https://blueprints.launchpad.net/nova/+spec/allow-disabling-cpu-flags

Kashyap mentioned an option for now: One (very valid) 'workaround' is to have QEMU add new "named CPU models" to remove

2019-11-20 - Corey Bryant
There's a related fix for enabling CPU feature flags that landed in upstream nova and charm-nova-compute via LP: #1750829 as a result of Meltdown. There's mention in the upstream fix [1] that a future patch will allow disabling of CPU feature flags, but I'm not sure if that has landed. I'll dig

2019-11-19 - Christian Ehrhardt
@UCA-Team I'm also subscribing the UCA Team as I personally only know about [1] which allows you to use named CPU models. I expect there already is some general pattern established to handle e.g. the older MDS which if you look at "Configuration as a Hypervisor" at [2] also needs such

2019-11-19 - Christian Ehrhardt
I found no changes since the CRD nor a discussion on the ML of qemu or libvirt. There are the backported fixes that add taa-no and pschange-mc-no to qemu - but nothing touches hle/rtm yet. The general answer of the virt stack to avoid type proliferation is versioned CPU models. =>

2019-11-19 - Christian Ehrhardt
Hi Dave,

IIRC Openstack either tries to determine the least common denominator (in cpu features) or whatever you pass to it, in your case that was:

  [libvirt]
  cpu_mode = custom
  cpu_model = Skylake-Server-IBRS

And your guest definition won't change after the initial definition. Even if you would

2019-11-19 - David Coronel
** Description changed:

When trying to launch an instance in OpenStack Queens on Ubuntu 18.04 with the new kernels, this error happens:

  Error: Failed to perform requested operation on instance "david", the instance has an error status: Please try again later [Error: Exceeded maximum