This bug was initially created as a copy of Bug #1697627 I am copying this bug because: When using CPU mode=host-model, the bug reported at bug 1687578 must not be present and the vulnerability report on the guest should match the host. This means features in MSR_IA32_ARCH_CAPABILITIES need to be included in the CPU configuration and passed to the guest.
This is now implemented upstream in a several series ending with commit 2674d00ed484091faf2b6e6b1efe58ee9a72b96b Refs: v5.4.0-300-g2674d00ed4 Author: Jiri Denemark <jdenemar> AuthorDate: Wed Jun 19 22:22:09 2019 +0200 Commit: Jiri Denemark <jdenemar> CommitDate: Thu Jun 20 14:02:36 2019 +0200 qemu: Drop MSR features from host-model with old QEMU With QEMU versions which lack "unavailable-features" we use CPUID based detection of features which were enabled or disabled once QEMU starts. Thus using MSR features with host-model would result in all of them being marked as disabled in the active domain definition even though QEMU did not actually disable them. Let's make sure we add MSR features to host-model only when "unavailable-features" property is supported by QEMU. Signed-off-by: Jiri Denemark <jdenemar> Reviewed-by: Ján Tomko <jtomko>
Verified this bug on libvirt-5.5.0-1.module+el8.1.0+3580+d7f6488d.x86_64 Version: libvirt-5.5.0-1.module+el8.1.0+3580+d7f6488d.x86_64 qemu-kvm-4.0.0-5.module+el8.1.0+3622+5812d9bf.x86_64 kernel-4.18.0-115.el8.x86_64 Physical env: # lscpu |grep msr Model name: Intel(R) Xeon(R) Silver 4116 CPU @ 2.10GHz Flags: fpu vme de pse tsc msr ... Steps: S1: check x86_features.xml; domcapabilities, hypervisor-cpu-baseline/compare + domcapabilities output # cat /usr/share/libvirt/cpu_map/x86_features.xml |grep "<feature name='arch-capabilities'>" -A20 <feature name='arch-capabilities'> <!-- arch_capabilities, arch-facilities --> <cpuid eax_in='0x07' ecx_in='0x00' edx='0x20000000'/> </feature> <feature name='ssbd'> <cpuid eax_in='0x07' ecx_in='0x00' edx='0x80000000'/> </feature> <!-- Processor Extended State Enumeration sub leaf 1 --> <feature name='xsaveopt'> <cpuid eax_in='0x0d' ecx_in='0x01' eax='0x00000001'/> </feature> <feature name='xsavec'> <cpuid eax_in='0x0d' ecx_in='0x01' eax='0x00000002'/> </feature> <feature name='xgetbv1'> <cpuid eax_in='0x0d' ecx_in='0x01' eax='0x00000004'/> </feature> <feature name='xsaves' migratable='no'> <cpuid eax_in='0x0d' ecx_in='0x01' eax='0x00000008'/> </feature> # virsh domcapabilities |grep arch-capabilities <feature policy='require' name='arch-capahttp://10.8.2.20/libvirt-CI-repos/RHEL/8.1/module-virt-8.1-8010020190507174159-cdc1202b/x86_64/bilities'/> # virsh domcapabilities > domcapabilities_5.5.0-1.xml # virsh hypervisor-cpu-compare domcapabilities_5.5.0-1.xml CPU described in domcapabilities_5.5.0-1.xml is identical to the CPU provided by hypervisor on the host # virsh hypervisor-cpu-baseline domcapabilities_5.5.0-1.xml <cpu mode='custom' match='exact'> <model fallback='forbid'>Cascadelake-Server</model> <vendor>Intel</vendor> <feature policy='require' name='ss'/> <feature policy='require' name='vmx'/> <feature policy='require' name='hypervisor'/> <feature policy='require' name='tsc_adjust'/> <feature policy='require' name='umip'/> <feature policy='require' name='pku'/> <feature policy='require' name='md-clear'/> <feature policy='require' name='stibp'/> <feature policy='require' name='arch-capabilities'/> <feature policy='require' name='xsaves'/> <feature policy='require' name='invtsc'/> <feature policy='disable' name='avx512vnni'/> </cpu> S2: Start VM with host-model # virsh domstate vm1 shut off # virsh dumpxml vm1 --inactive |grep "<cpu" -A2 <cpu mode='host-model' check='partial'> <model fallback='allow'/> </cpu> # virsh start vm1 Domain vm1 started # virsh dumpxml vm1 |grep "<cpu" -A15 <cpu mode='custom' match='exact' check='full'> <model fallback='forbid'>Cascadelake-Server</model> <vendor>Intel</vendor> <feature policy='require' name='ss'/> <feature policy='require' name='vmx'/> <feature policy='require' name='hypervisor'/> <feature policy='require' name='tsc_adjust'/> <feature policy='require' name='umip'/> <feature policy='require' name='pku'/> <feature policy='require' name='md-clear'/> <feature policy='require' name='stibp'/> <feature policy='require' name='arch-capabilities'/> <feature policy='require' name='xsaves'/> <feature policy='disable' name='avx512vnni'/> <feature policy='disable' name='mpx'/> </cpu> # ps -ef |grep vm1 qemu 44105 1 99 05:28 ? -global driver=cfi.pflash01,property=secure,value=on # virsh console vm1 Connected to domain vm1 Escape character is ^] [root@localhost ~]# lscpu |grep arch_capa Flags: fpu vme de pse ...arch_capabilities S3: Test upgrading libvirt Since the lowest version of libvirt is libvirt-5.5.0-1.module+el8.1.0+3580+d7f6488d.x86_64, can not downgrade any more. In https://bugzilla.redhat.com/show_bug.cgi?id=1697627#c8; also tested this kind of scenario, the result is as expected. S4: Test lower qemu-kvm version with libvirt-5.5.0-1.module+el8.1.0+3580+d7f6488d.x86_64 Since the lowest version of qemu-kvm is qemu-kvm-3.1.0-25.module+el8.1.0+3164+94495c71.x86_64; which will not drop arch-capabilities. In https://bugzilla.redhat.com/show_bug.cgi?id=1697627#c8; qemu-kvm-2.12.0-65.module+el8.1.0+2983+b2ae9c0a.x86_64 is tested, the result is as expected.
Hi jiri As the verifying steps above; https://bugzilla.redhat.com/show_bug.cgi?id=1722360#c3 I can see the following info in x86_features.xml; 339a340,342 > <feature name='arch-capabilities'> <!-- arch_capabilities, arch-facilities --> > <cpuid eax_in='0x07' ecx_in='0x00' edx='0x20000000'/> > </feature> 481a485,504 > <!-- IA32_ARCH_CAPABILITIES features --> > <feature name='rdctl-no'> > <msr index='0x10a' edx='0x00000000' eax='0x00000001'/> > </feature> > <feature name='ibrs-all'> > <msr index='0x10a' edx='0x00000000' eax='0x00000002'/> > </feature> > <feature name='rsba'> > <msr index='0x10a' edx='0x00000000' eax='0x00000004'/> > </feature> > <feature name='skip-l1dfl-vmentry'> > <msr index='0x10a' edx='0x00000000' eax='0x00000008'/> > </feature> > <feature name='ssb-no'> > <msr index='0x10a' edx='0x00000000' eax='0x00000010'/> > </feature> > <feature name='mds-no'> > <msr index='0x10a' edx='0x00000000' eax='0x00000020'/> But when starting VM, I can only see arch_capabilities cpu feature in dumpxml and cpu flag in guestOS. What about the other flags? And I have asked my colleague; he said maybe we need higher version of qemu-kvm? If so; how should we deal with Bug 1697627 - CPU mode=host-model needs to include MSR features (RHEL-8.1); since the qemu-kvm version is qemu-kvm-2.12.0-81.module+el8.1.0+3619+dfe1ae01.x86_64.
(In reply to jiyan from comment #4) > But when starting VM, I can only see arch_capabilities cpu feature in > dumpxml and cpu flag in guestOS. > What about the other flags? Did you check virsh capabilities to see whether your host even supports any of the MSR features? > If so; how should we deal with Bug 1697627 - CPU mode=host-model needs to > include MSR features (RHEL-8.1); since the qemu-kvm version is > qemu-kvm-2.12.0-81.module+el8.1.0+3619+dfe1ae01.x86_64. If there are any issues with verifying the RHEL-8.1 clone of this bz, they should be discussed there, i.e., in bug 1697627. This one is focused on RHEL-AV.
Hi Jiri The output of virsh capabilities is as follows: # virsh capabilities <capabilities> <host> <uuid>4c4c4544-0050-4810-8057-b5c04f315332</uuid> <cpu> <arch>x86_64</arch> <model>Skylake-Server-IBRS</model> <vendor>Intel</vendor> <microcode version='33554526'/> <counter name='tsc' frequency='2095077000' scaling='yes'/> <topology sockets='1' cores='12' threads='2'/> <feature name='ds'/> <feature name='acpi'/> <feature name='ss'/> <feature name='ht'/> <feature name='tm'/> <feature name='pbe'/> <feature name='dtes64'/> <feature name='monitor'/> <feature name='ds_cpl'/> <feature name='vmx'/> <feature name='smx'/> <feature name='est'/> <feature name='tm2'/> <feature name='xtpr'/> <feature name='pdcm'/> <feature name='dca'/> <feature name='osxsave'/> <feature name='tsc_adjust'/> <feature name='cmt'/> <feature name='clflushopt'/> <feature name='intel-pt'/> <feature name='pku'/> <feature name='ospke'/> <feature name='md-clear'/> <feature name='stibp'/> <feature name='ssbd'/> <feature name='xsaves'/> <feature name='mbm_total'/> <feature name='mbm_local'/> <feature name='invtsc'/> <pages unit='KiB' size='4'/> <pages unit='KiB' size='2048'/> <pages unit='KiB' size='1048576'/> </cpu> When starting a VM with host-model, the cpu features can be seen in comment 3 # virsh dumpxml vm1 |grep "<cpu" -A15 <cpu mode='custom' match='exact' check='full'> <model fallback='forbid'>Cascadelake-Server</model> <vendor>Intel</vendor> <feature policy='require' name='ss'/> <feature policy='require' name='vmx'/> <feature policy='require' name='hypervisor'/> <feature policy='require' name='tsc_adjust'/> <feature policy='require' name='umip'/> <feature policy='require' name='pku'/> <feature policy='require' name='md-clear'/> <feature policy='require' name='stibp'/> <feature policy='require' name='arch-capabilities'/> <feature policy='require' name='xsaves'/> <feature policy='disable' name='avx512vnni'/> <feature policy='disable' name='mpx'/> </cpu> The MSR features can be seen in cpu_map.xml are as follows: # cat /usr/share/libvirt/cpu_map/x86_features.xml <feature name='arch-capabilities'> <!-- arch_capabilities, arch-facilities --> <cpuid eax_in='0x07' ecx_in='0x00' edx='0x20000000'/> </feature> .... <!-- IA32_ARCH_CAPABILITIES features --> <feature name='rdctl-no'> <msr index='0x10a' edx='0x00000000' eax='0x00000001'/> </feature> <feature name='ibrs-all'> <msr index='0x10a' edx='0x00000000' eax='0x00000002'/> </feature> <feature name='rsba'> <msr index='0x10a' edx='0x00000000' eax='0x00000004'/> </feature> <feature name='skip-l1dfl-vmentry'> <msr index='0x10a' edx='0x00000000' eax='0x00000008'/> </feature> <feature name='ssb-no'> <msr index='0x10a' edx='0x00000000' eax='0x00000010'/> </feature> <feature name='mds-no'> <msr index='0x10a' edx='0x00000000' eax='0x00000020'/> </feature> </cpus> The features do not occur in the output of "virsh capabilities".
Most likely the host does not support IA32_ARCH_CAPABILITIES MSR, that is it does not support arch-capabilities feature (in the output of virsh capabilities; spelled as arch_capabilities in /proc/cpuinfo). While QEMU reports support for arch-capabilities (in virsh domcapabilities, which gets copied as host-model CPU in the domain XML), it cannot enable any of the MSR features either.
S1: Tested on "libvirt-5.5.0-1.module+el8.1.0+3580+d7f6488d.x86_64" + "qemu-kvm-4.0.0-5.module+el8.1.0+3622+5812d9bf.x86_64" Version: libvirt-5.5.0-1.module+el8.1.0+3580+d7f6488d.x86_64 qemu-kvm-4.0.0-5.module+el8.1.0+3622+5812d9bf.x86_64 kernel-4.18.0-119.el8.x86_64 Steps: # lscpu |grep arch_capabilities Flags: fpu ... arch_capabilities # virsh capabilities <capabilities> <host> <uuid>03fa4990-2a0b-4990-fa03-0b2a9049fa03</uuid> <cpu> <arch>x86_64</arch> <model>Skylake-Client-IBRS</model> ... <feature name='arch-capabilities'/> <feature name='ssbd'/> <feature name='xsaves'/> <feature name='pdpe1gb'/> <feature name='invtsc'/> <feature name='rdctl-no'/> <feature name='ibrs-all'/> <feature name='skip-l1dfl-vmentry'/> <feature name='mds-no'/> ... </cpu> # virsh domcapabilities <domainCapabilities> <path>/usr/libexec/qemu-kvm</path> ... <cpu> <mode name='host-passthrough' supported='yes'/> <mode name='host-model' supported='yes'> <model fallback='forbid'>Skylake-Client-IBRS</model> ... <feature policy='require' name='arch-capabilities'/> <feature policy='require' name='ssbd'/> <feature policy='require' name='xsaves'/> <feature policy='require' name='pdpe1gb'/> <feature policy='require' name='invtsc'/> </mode> # virsh domstate vm1 shut off # virsh dumpxml vm1 --inactive |grep "<cpu" -A2 <cpu mode='host-model' check='partial'> <model fallback='allow'/> </cpu> # virsh start vm1 Domain vm1 started # virsh dumpxml vm1 |grep "<cpu" -A20 <cpu mode='custom' match='exact' check='full'> <model fallback='forbid'>Skylake-Client-IBRS</model> <vendor>Intel</vendor> <feature policy='require' name='ss'/> <feature policy='require' name='vmx'/> <feature policy='require' name='hypervisor'/> <feature policy='require' name='tsc_adjust'/> <feature policy='require' name='clflushopt'/> <feature policy='require' name='umip'/> <feature policy='require' name='md-clear'/> <feature policy='require' name='stibp'/> <feature policy='require' name='arch-capabilities'/> <feature policy='require' name='ssbd'/> <feature policy='require' name='xsaves'/> <feature policy='require' name='pdpe1gb'/> </cpu> # virsh console vm1 Connected to domain vm1 Escape character is ^] Red Hat Enterprise Linux 8.1 Beta (Ootpa) Kernel 4.18.0-107.el8.x86_64 on an x86_64 localhost login: root Password: [root@localhost ~]# lscpu ... Flags: fpu ... arch_capabilities S2: Tested on "libvirt-5.5.0-1.module+el8.1.0+3580+d7f6488d.x86_64" + "QEMU emulator version 4.0.91 (v4.1.0-rc1-50-g23da9e297b)" Version: libvirt-5.5.0-1.module+el8.1.0+3580+d7f6488d.x86_64 kernel-4.18.0-119.el8.x86_64 QEMU version: # /usr/local/bin/qemu-system-x86_64 -version QEMU emulator version 4.0.91 (v4.1.0-rc1-50-g23da9e297b) Copyright (c) 2003-2019 Fabrice Bellard and the QEMU Project developers Steps: # lscpu |grep arch_capabilities Flags: fpu ... arch_capabilities # virsh capabilities <capabilities> <host> <uuid>03fa4990-2a0b-4990-fa03-0b2a9049fa03</uuid> <cpu> <arch>x86_64</arch> <model>Skylake-Client-IBRS</model> ... <feature name='arch-capabilities'/> <feature name='ssbd'/> <feature name='xsaves'/> <feature name='pdpe1gb'/> <feature name='invtsc'/> <feature name='rdctl-no'/> <feature name='ibrs-all'/> <feature name='skip-l1dfl-vmentry'/> <feature name='mds-no'/> ... </cpu> # virsh domcapabilities <domainCapabilities> <path>/usr/local/bin/qemu-system-x86_64</path> ... <cpu> <mode name='host-passthrough' supported='yes'/> <mode name='host-model' supported='yes'> <model fallback='forbid'>Skylake-Client-IBRS</model> <vendor>Intel</vendor> ... <feature policy='require' name='arch-capabilities'/> <feature policy='require' name='ssbd'/> <feature policy='require' name='xsaves'/> <feature policy='require' name='pdpe1gb'/> <feature policy='require' name='invtsc'/> <feature policy='require' name='rdctl-no'/> <feature policy='require' name='ibrs-all'/> <feature policy='require' name='skip-l1dfl-vmentry'/> <feature policy='require' name='mds-no'/> </mode> # virsh domstate vm1 shut off # virsh dumpxml vm1 --inactive |grep "<cpu" -A2 <cpu mode='host-model' check='partial'> <model fallback='allow'/> </cpu> # virsh start vm1 Domain vm1 started # virsh dumpxml vm1 |grep "<cpu" -A20 <cpu mode='custom' match='exact' check='full'> <model fallback='forbid'>Skylake-Client-IBRS</model> <vendor>Intel</vendor> <feature policy='require' name='ss'/> <feature policy='require' name='vmx'/> <feature policy='require' name='hypervisor'/> <feature policy='require' name='tsc_adjust'/> <feature policy='require' name='clflushopt'/> <feature policy='require' name='umip'/> <feature policy='require' name='md-clear'/> <feature policy='require' name='stibp'/> <feature policy='require' name='arch-capabilities'/> <feature policy='require' name='ssbd'/> <feature policy='require' name='xsaves'/> <feature policy='require' name='pdpe1gb'/> <feature policy='require' name='rdctl-no'/> <feature policy='require' name='ibrs-all'/> <feature policy='require' name='skip-l1dfl-vmentry'/> <feature policy='require' name='mds-no'/> <feature policy='disable' name='mpx'/> </cpu> # virsh domifaddr vm1 Name MAC address Protocol Address ------------------------------------------------------------------------------- vnet0 52:54:00:5c:9a:4c ipv4 192.168.122.219/24 # ssh root.122.219 root.122.219's password: Last login: Tue Jul 23 12:14:47 2019 # lscpu |grep Flags Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm rdseed adx smap clflushopt xsaveopt xsavec xgetbv1 xsaves arat umip md_clear arch_capabilities Hi Jiri yeah, the steps in comment 3; comment 4; comment 5; comment 6 were executed on physical host which actually does not support MSR related features. And I tested it again on proper host, there are 2 scenarios above. S1: Tested on "libvirt-5.5.0-1.module+el8.1.0+3580+d7f6488d.x86_64" + "qemu-kvm-4.0.0-5.module+el8.1.0+3622+5812d9bf.x86_64" S2: Tested on "libvirt-5.5.0-1.module+el8.1.0+3580+d7f6488d.x86_64" + "QEMU emulator version 4.0.91 (v4.1.0-rc1-50-g23da9e297b)" On both "qemu-kvm-2.12.0-81.module+el8.1.0+3619+dfe1ae01.x86_64" and "QEMU emulator version 4.0.91 (v4.1.0-rc1-50-g23da9e297b)"; MSR related features can be displayed through "virsh capabilities" But only on "QEMU emulator version 4.0.91 (v4.1.0-rc1-50-g23da9e297b)"; MSR related features can be showed through "virsh domcapabilities" and in the dumpxml of VM which started with host-model cpu conf.
Created attachment 1592749 [details] domcap_and_cap_info_on_qemu-kvm-4.0.0-5.module+el8.1.0+3622+5812d9bf
Created attachment 1592750 [details] domcap_and_cap_info_on_qemu-kvm-v4.1.0-rc1-50-g23da9e297b
The results with QEMU 4.0.91 are OK as QEMU will be rebased to 4.1, however you should wait until the rebased package is officially built and retest this bug with it.
*** Bug 1746429 has been marked as a duplicate of this bug. ***
Verified this bug on libvirt-5.6.0-3.module+el8.1.0+4110+a6d45c3d.x86_64 Version: libvirt-5.6.0-3.module+el8.1.0+4110+a6d45c3d.x86_64 qemu-kvm-4.1.0-5.module+el8.1.0+4076+b5e41ebc.x86_64 kernel-4.18.0-141.el8.x86_64 Steps: 1. Prepare a host with the following cpu flags # lscpu Flags: ...avx512_vnni ... arch_capabilities 2. Check /usr/share/libvirt/cpu_map/x86_features.xml file; it contains the following info as expected <!-- IA32_ARCH_CAPABILITIES features --> <feature name='rdctl-no'> <msr index='0x10a' edx='0x00000000' eax='0x00000001'/> </feature> <feature name='ibrs-all'> <msr index='0x10a' edx='0x00000000' eax='0x00000002'/> </feature> <feature name='rsba'> <msr index='0x10a' edx='0x00000000' eax='0x00000004'/> </feature> <feature name='skip-l1dfl-vmentry'> <msr index='0x10a' edx='0x00000000' eax='0x00000008'/> </feature> <feature name='ssb-no'> <msr index='0x10a' edx='0x00000000' eax='0x00000010'/> </feature> <feature name='mds-no'> <msr index='0x10a' edx='0x00000000' eax='0x00000020'/> </feature> </cpus> 3. Check "virsh capabilities" and "virsh domcapabilities"; they also contain the cpu related info as expected # virsh capabilities ... <model>Cascadelake-Server</model> ... <feature name='rdctl-no'/> <feature name='ibrs-all'/> <feature name='skip-l1dfl-vmentry'/> <feature name='mds-no'/> .. # virsh domcapabilities ... <mode name='host-model' supported='yes'> <model fallback='forbid'>Cascadelake-Server</model> <vendor>Intel</vendor> <feature policy='require' name='ss'/> <feature policy='require' name='vmx'/> <feature policy='require' name='hypervisor'/> <feature policy='require' name='tsc_adjust'/> <feature policy='require' name='umip'/> <feature policy='require' name='pku'/> <feature policy='require' name='md-clear'/> <feature policy='require' name='stibp'/> <feature policy='require' name='arch-capabilities'/> <feature policy='require' name='xsaves'/> <feature policy='require' name='invtsc'/> <feature policy='require' name='rdctl-no'/> <feature policy='require' name='ibrs-all'/> <feature policy='require' name='skip-l1dfl-vmentry'/> <feature policy='require' name='mds-no'/> </mode> ... 4. Start VM with host-model cpu conf # virsh domstate test shut off # virsh dumpxml test --inactive |grep "<cpu" -A2 <cpu mode='host-model' check='partial'> <model fallback='allow'/> </cpu> # virsh start test Domain test started # virsh dumpxml test|grep "<cpu" -A20 <cpu mode='custom' match='exact' check='full'> <model fallback='forbid'>Cascadelake-Server</model> <vendor>Intel</vendor> <feature policy='require' name='ss'/> <feature policy='require' name='vmx'/> <feature policy='require' name='hypervisor'/> <feature policy='require' name='tsc_adjust'/> <feature policy='require' name='umip'/> <feature policy='require' name='pku'/> <feature policy='require' name='md-clear'/> <feature policy='require' name='stibp'/> <feature policy='require' name='arch-capabilities'/> <feature policy='require' name='xsaves'/> <feature policy='require' name='rdctl-no'/> <feature policy='require' name='ibrs-all'/> <feature policy='require' name='skip-l1dfl-vmentry'/> <feature policy='require' name='mds-no'/> <feature policy='disable' name='mpx'/> </cpu> <clock offset='utc'> <timer name='rtc' tickpolicy='catchup'/> # ps -ef |grep test ... -cpu Cascadelake-Server,ss=on,vmx=on,hypervisor=on,tsc-adjust=on,umip=on,pku=on,md-clear=on,stibp=on,arch-capabilities=on,xsaves=on,rdctl-no=on,ibrs-all=on,skip-l1dfl-vmentry=on,mds-no=on # virsh console test Connected to domain test Escape character is ^] Red Hat Enterprise Linux 8.1 Beta (Ootpa) Kernel 4.18.0-141.el8.x86_64 on an x86_64 # lscpu Flags: ...arch_capabilities # virsh capabilities (after installing libvirt in guest OS; these cpu features can be seen) <feature name='rdctl-no'/> <feature name='ibrs-all'/> <feature name='skip-l1dfl-vmentry'/> <feature name='mds-no'/> All the test results are as expected; move this bug to be verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:3723