|
@@ -71,6 +71,16 @@ mixture of host CPU models between machines, if live migration
|
|
|
compatibility is required, use the newest CPU model that is compatible
|
|
compatibility is required, use the newest CPU model that is compatible
|
|
|
across all desired hosts.
|
|
across all desired hosts.
|
|
|
|
|
|
|
|
|
|
+``ClearwaterForest``
|
|
|
|
|
+ Intel Xeon Processor (ClearwaterForest, 2025)
|
|
|
|
|
+
|
|
|
|
|
+``SierraForest``, ``SierraForest-v2``
|
|
|
|
|
+ Intel Xeon Processor (SierraForest, 2024), SierraForest-v2 mitigates
|
|
|
|
|
+ the GDS and RFDS vulnerabilities with stepping 3.
|
|
|
|
|
+
|
|
|
|
|
+``GraniteRapids``, ``GraniteRapids-v2``
|
|
|
|
|
+ Intel Xeon Processor (GraniteRapids, 2024)
|
|
|
|
|
+
|
|
|
``Cascadelake-Server``, ``Cascadelake-Server-noTSX``
|
|
``Cascadelake-Server``, ``Cascadelake-Server-noTSX``
|
|
|
Intel Xeon Processor (Cascade Lake, 2019), with "stepping" levels 6
|
|
Intel Xeon Processor (Cascade Lake, 2019), with "stepping" levels 6
|
|
|
or 7 only. (The Cascade Lake Xeon processor with *stepping 5 is
|
|
or 7 only. (The Cascade Lake Xeon processor with *stepping 5 is
|
|
@@ -181,7 +191,7 @@ features are included if using "Host passthrough" or "Host model".
|
|
|
CVE-2018-12127, [MSBDS] CVE-2018-12126).
|
|
CVE-2018-12127, [MSBDS] CVE-2018-12126).
|
|
|
|
|
|
|
|
This is an MSR (Model-Specific Register) feature rather than a CPUID feature,
|
|
This is an MSR (Model-Specific Register) feature rather than a CPUID feature,
|
|
|
- so it will not appear in the Linux ``/proc/cpuinfo`` in the host or
|
|
|
|
|
|
|
+ therefore it will not appear in the Linux ``/proc/cpuinfo`` in the host or
|
|
|
guest. Instead, the host kernel uses it to populate the MDS
|
|
guest. Instead, the host kernel uses it to populate the MDS
|
|
|
vulnerability file in ``sysfs``.
|
|
vulnerability file in ``sysfs``.
|
|
|
|
|
|
|
@@ -189,10 +199,10 @@ features are included if using "Host passthrough" or "Host model".
|
|
|
affected} in the ``/sys/devices/system/cpu/vulnerabilities/mds`` file.
|
|
affected} in the ``/sys/devices/system/cpu/vulnerabilities/mds`` file.
|
|
|
|
|
|
|
|
``taa-no``
|
|
``taa-no``
|
|
|
- Recommended to inform that the guest that the host is ``not``
|
|
|
|
|
|
|
+ Recommended to inform the guest that the host is ``not``
|
|
|
vulnerable to CVE-2019-11135, TSX Asynchronous Abort (TAA).
|
|
vulnerable to CVE-2019-11135, TSX Asynchronous Abort (TAA).
|
|
|
|
|
|
|
|
- This too is an MSR feature, so it does not show up in the Linux
|
|
|
|
|
|
|
+ This is also an MSR feature, therefore it does not show up in the Linux
|
|
|
``/proc/cpuinfo`` in the host or guest.
|
|
``/proc/cpuinfo`` in the host or guest.
|
|
|
|
|
|
|
|
It should only be enabled for VMs if the host reports ``Not affected``
|
|
It should only be enabled for VMs if the host reports ``Not affected``
|
|
@@ -214,7 +224,7 @@ features are included if using "Host passthrough" or "Host model".
|
|
|
By disabling TSX, KVM-based guests can avoid paying the price of
|
|
By disabling TSX, KVM-based guests can avoid paying the price of
|
|
|
mitigating TSX-based attacks.
|
|
mitigating TSX-based attacks.
|
|
|
|
|
|
|
|
- Note that ``tsx-ctrl`` too is an MSR feature, so it does not show
|
|
|
|
|
|
|
+ Note that ``tsx-ctrl`` is also an MSR feature, therefore it does not show
|
|
|
up in the Linux ``/proc/cpuinfo`` in the host or guest.
|
|
up in the Linux ``/proc/cpuinfo`` in the host or guest.
|
|
|
|
|
|
|
|
To validate that Intel TSX is indeed disabled for the guest, there are
|
|
To validate that Intel TSX is indeed disabled for the guest, there are
|
|
@@ -223,6 +233,38 @@ features are included if using "Host passthrough" or "Host model".
|
|
|
``/sys/devices/system/cpu/vulnerabilities/tsx_async_abort`` file in
|
|
``/sys/devices/system/cpu/vulnerabilities/tsx_async_abort`` file in
|
|
|
the guest should report ``Mitigation: TSX disabled``.
|
|
the guest should report ``Mitigation: TSX disabled``.
|
|
|
|
|
|
|
|
|
|
+``bhi-no``
|
|
|
|
|
+ Recommended to inform the guest that the host is ``not``
|
|
|
|
|
+ vulnerable to CVE-2022-0001, Branch History Injection (BHI).
|
|
|
|
|
+
|
|
|
|
|
+ This is also an MSR feature, therefore it does not show up in the Linux
|
|
|
|
|
+ ``/proc/cpuinfo`` in the host or guest.
|
|
|
|
|
+
|
|
|
|
|
+ It should only be enabled for VMs if the host reports
|
|
|
|
|
+ ``BHI: Not affected`` in the
|
|
|
|
|
+ ``/sys/devices/system/cpu/vulnerabilities/spectre_v2`` file.
|
|
|
|
|
+
|
|
|
|
|
+``gds-no``
|
|
|
|
|
+ Recommended to inform the guest that the host is ``not``
|
|
|
|
|
+ vulnerable to CVE-2022-40982, Gather Data Sampling (GDS).
|
|
|
|
|
+
|
|
|
|
|
+ This is also an MSR feature, therefore it does not show up in the Linux
|
|
|
|
|
+ ``/proc/cpuinfo`` in the host or guest.
|
|
|
|
|
+
|
|
|
|
|
+ It should only be enabled for VMs if the host reports ``Not affected``
|
|
|
|
|
+ in the ``/sys/devices/system/cpu/vulnerabilities/gather_data_sampling``
|
|
|
|
|
+ file.
|
|
|
|
|
+
|
|
|
|
|
+``rfds-no``
|
|
|
|
|
+ Recommended to inform the guest that the host is ``not``
|
|
|
|
|
+ vulnerable to CVE-2023-28746, Register File Data Sampling (RFDS).
|
|
|
|
|
+
|
|
|
|
|
+ This is also an MSR feature, therefore it does not show up in the Linux
|
|
|
|
|
+ ``/proc/cpuinfo`` in the host or guest.
|
|
|
|
|
+
|
|
|
|
|
+ It should only be enabled for VMs if the host reports ``Not affected``
|
|
|
|
|
+ in the ``/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling``
|
|
|
|
|
+ file.
|
|
|
|
|
|
|
|
Preferred CPU models for AMD x86 hosts
|
|
Preferred CPU models for AMD x86 hosts
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
Tao Su