Bug 1731395

Summary: [RFE] Introduce a "Secure" variant of CPUs following the CPU-related vulnerability mitigations
Product: [oVirt] ovirt-engine Reporter: Michal Skrivanek <michal.skrivanek>
Component: BLL.Virt Assignee: Lucia Jelinkova <ljelinko>
Status: CLOSED CURRENTRELEASE QA Contact: Tamir <tamir>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 4.4.0 CC: bugs, ljelinko, rdlugyhe, sgoodman
Target Milestone: ovirt-4.4.0 Keywords: FutureFeature, Rebase
Target Release: --- Flags: michal.skrivanek: ovirt-4.4?
pm-rhel: planning_ack?
michal.skrivanek: devel_ack+
pm-rhel: testing_ack+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: rhv-4.4.0-29 Doc Type: Enhancement
Doc Text:
Previously, with every security update, a new CPU type was created in the vdc_options table under the key ServerCPUList in the database for all affected architectures. For example, the Intel Skylake Client Family included the following CPU types:
- Intel Skylake Client Family
- Intel Skylake Client IBRS Family
- Intel Skylake Client IBRS SSBD Family
- Intel Skylake Client IBRS SSBD MDS Family

With this update, only two CPU Types are now supported for any CPU microarchitecture that has security updates, keeping the CPU list manageable. For example:
- Intel Skylake Client Family
- Secure Intel Skylake Client Family

The default CPU type will not change. The Secure CPU type will contain the latest updates.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-08-05 06:09:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Virt RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michal Skrivanek 2019-07-19 10:20:45 UTC
We started to add mitigations for Spectre, Meltdown, MDS and similar vulnerabilities, which usually require a fixed microcode and so they are identified as different CPUs. Until now we had separate types for them which made it hard to maintain and follow.
Let's introduce a "Secure" type as a rolling variant which will have the latest and greatest of mitigations.
This includes additional warnings when running VMs and Hosts were previously Secure but after an update they're no longer "secure enough".

Comment 8 Tamir 2020-07-09 21:35:15 UTC
Verified the RFE on RHV 4.4.1-11 with hosts RHEL 4.4 and RHEL 4.3.
The tests are attached in the Polarion link.

Comment 9 Sandro Bonazzola 2020-08-05 06:09:49 UTC
This bugzilla is included in oVirt 4.4.0 release, published on May 20th 2020.

Since the problem described in this bug report should be resolved in oVirt 4.4.0 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.