Public bug reported:

In addition to the existing 'virt-ssbd', future AMD CPUs will have _two_
ways to deal with SSBD (Speculative Store Bypass Disable). To that end,
AMD will be introducing two more[1][2] CPU flags:

    amd-ssbd
    amd-no-ssb

It is recommended to add the above two flags to the whitelist of Nova's
`cpu_model_extra_flags` config attribute -- for stable branches (Queens,
Pike and Ocata). For Rocky and later releases, no such white-listing is
required, since we allow free-form CPU flags[3].

    * * *

Additional notes (from the QEMU mailing list thread[4]) related to
performance and live migration:

  - tl;dr: On an AMD Compute node, a guest should be presented with
    'amd-ssbd', if available, in preference to 'virt-ssbd'.

    Details: Tom Lendacky from AMD writes[4] -- "The idea behind
    'virt-ssbd' was to provide an architectural method for a guest to do
    SSBD when 'amd-ssbd' isn't present. The 'amd-ssbd' feature will use
    SPEC_CTRL which is intended to not be intercepted and will be fast.
    The use of 'virt-ssbd' will always be intercepted and therefore will
    not be as fast. So a guest should be presented with 'amd-ssbd', if
    available, in preference to 'virt-ssbd'."

  - It is safe to use 'amd-ssbd' (it is an architectural method for a
    guest to do SSBD) in a guest which can be live migrated between
    different generations/families of AMD CPU.

[1] libvirt patch:
    https://www.redhat.com/archives/libvir-list/2018-June/msg01111.html
[2] QEMU patch:
    https://lists.nongnu.org/archive/html/qemu-devel/2018-06/msg00222.html
[3] http://git.openstack.org/cgit/openstack/nova/commit/?id=cc27a20
    -- libvirt: Lift the restriction of choices for `cpu_model_extra_flags`
[4] https://lists.nongnu.org/archive/html/qemu-devel/2018-06/msg02301.html

** Affects: nova
     Importance: Undecided
         Status: New

** Tags: pike-backport-potential queens-backport-potential security

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1777460

Title:
  Whitelist two more SSBD-related CPU flags for AMD ('amd-ssbd', 'amd-no-ssb')

Status in OpenStack Compute (nova):
  New
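
The flag preference described in the report, as an added example that is not part of the original bug report or of Nova's code: a Python check that compares the SSBD flag a guest's libvirt domain XML enables with the best one its AMD host can offer. The function names, finding strings, sample domain XML and host flag set are constructed for illustration; the host flag set is assumed to be gathered from the compute node separately.

```python
import xml.etree.ElementTree as ET

# Preference from the quoted QEMU thread: 'amd-ssbd' uses SPEC_CTRL and is not
# intercepted; 'virt-ssbd' is always intercepted, so it is the fallback.
SSBD_PREFERENCE = ("amd-ssbd", "virt-ssbd")

# Constructed sample: guest CPU definition in libvirt domain XML.
SAMPLE_GUEST_XML = """
<domain type='kvm'>
  <name>guest-1</name>
  <cpu mode='custom' match='exact'>
    <model>EPYC</model>
    <feature policy='require' name='virt-ssbd'/>
    <feature policy='disable' name='amd-ssbd'/>
  </cpu>
</domain>
"""

def pick_ssbd_flag(host_flags):
    """Return the SSBD flag to present to guests, or None if the host has neither."""
    return next((f for f in SSBD_PREFERENCE if f in host_flags), None)

def enabled_features(domain_xml):
    """Names of CPU features the guest definition turns on (policy require/force)."""
    root = ET.fromstring(domain_xml)
    return {f.get("name") for f in root.findall("./cpu/feature")
            if f.get("policy", "require") in ("require", "force")}

def audit_guest(domain_xml, host_flags):
    """Compare a guest's SSBD flag with the best one its host can offer."""
    best = pick_ssbd_flag(host_flags)
    if best is None:
        return ["host offers no SSBD flag"]
    enabled = enabled_features(domain_xml)
    if best in enabled:
        return []
    current = [f for f in SSBD_PREFERENCE if f in enabled]
    if current:
        return [f"guest uses '{current[0]}'; host supports '{best}'"]
    return [f"guest has no SSBD flag; add '{best}' to cpu_model_extra_flags"]

if __name__ == "__main__":
    # host_flags is constructed; in practice it comes from the compute node.
    for finding in audit_guest(SAMPLE_GUEST_XML, {"amd-ssbd", "virt-ssbd"}):
        print(finding)
```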