1731395 – [RFE] Introduce a "Secure" variant of CPUs following the CPU-related vulnerability mitigations

Bug 1731395 - [RFE] Introduce a "Secure" variant of CPUs following the CPU-related vulnerability mitigations

Summary: [RFE] Introduce a "Secure" variant of CPUs following the CPU-related vulnerab...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-engine
Classification:	oVirt
Component:	BLL.Virt
Sub Component:
Version:	4.4.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	ovirt-4.4.0
Target Release:	---
Assignee:	Lucia Jelinkova
QA Contact:	Tamir
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-07-19 10:20 UTC by Michal Skrivanek
Modified:	2020-08-05 06:09 UTC (History)
CC List:	4 users (show)
Fixed In Version:	rhv-4.4.0-29
Doc Type:	Enhancement
Doc Text:	Previously, with every security update, a new CPU type was created in the vdc_options table under the key ServerCPUList in the database for all affected architectures. For example, the Intel Skylake Client Family included the following CPU types: - Intel Skylake Client Family + - Intel Skylake Client IBRS Family + - Intel Skylake Client IBRS SSBD Family + - Intel Skylake Client IBRS SSBD MDS Family + With this update, only two CPU Types are now supported for any CPU microarchitecture that has security updates, keeping the CPU list manageable. For example: - Intel Skylake Client Family - Secure Intel Skylake Client Family The default CPU type will not change. The Secure CPU type will contain the latest updates.
Clone Of:
Environment:
Last Closed:	2020-08-05 06:09:49 UTC
oVirt Team:	Virt
Embargoed:
Dependent Products:
Flags:	michal.skrivanek: ovirt-4.4? pm-rhel: planning_ack? michal.skrivanek: devel_ack+ pm-rhel: testing_ack+

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
oVirt gerrit	101912	'None'	MERGED	engine: refactored VDS CPU flags check	2021-02-16 09:25:48 UTC
oVirt gerrit	101913	'None'	MERGED	core: Change CPU config to secure/insecure concept	2021-02-16 09:25:49 UTC
oVirt gerrit	101914	'None'	MERGED	engine: Add cpu_flags and cpu_verb into cluster	2021-02-16 09:25:49 UTC
oVirt gerrit	101915	'None'	MERGED	engine: make vds use cluster cpu_flags	2021-02-16 09:25:49 UTC
oVirt gerrit	102449	'None'	MERGED	webadmin: added warning to the host list table	2021-02-16 09:25:49 UTC
oVirt gerrit	102457	'None'	MERGED	webadmin: added warning to the host detail	2021-02-16 09:25:49 UTC
oVirt gerrit	102485	'None'	MERGED	webadmin: added warning to the cluster list table	2021-02-16 09:25:49 UTC
oVirt gerrit	102508	'None'	MERGED	webadmin: added warning to the vm list table	2021-02-16 09:25:50 UTC
oVirt gerrit	102542	'None'	MERGED	webadmin: added warning to the vm detail	2021-02-16 09:25:50 UTC
oVirt gerrit	102608	'None'	MERGED	webadmin: added info icon to the cluster detail	2021-02-16 09:25:50 UTC
oVirt gerrit	102625	'None'	MERGED	webadmin: changed cpu type on vm detail	2021-02-16 09:25:50 UTC
oVirt gerrit	102642	'None'	MERGED	engine: automatic update of cluster CPU flags	2021-02-16 09:25:50 UTC
oVirt gerrit	102650	'None'	MERGED	webadmin: added info icon to host detail	2021-02-16 09:25:51 UTC
oVirt gerrit	102713	'None'	MERGED	webadmin: add possibility to update tooltip text	2021-02-16 09:25:51 UTC
oVirt gerrit	102761	'None'	MERGED	webadmin: fix CPU list load on cluster popup	2021-02-16 09:25:51 UTC
oVirt gerrit	102956	'None'	MERGED	engine: cpu flags handling in update cluster	2021-02-16 09:25:51 UTC

Description Michal Skrivanek 2019-07-19 10:20:45 UTC

We started to add mitigations for Spectre, Meltdown, MDS and similar vulnerabilities, which usually require a fixed microcode and so they are identified as different CPUs. Until now we had separate types for them which made it hard to maintain and follow.
Let's introduce a "Secure" type as a rolling variant which will have the latest and greatest of mitigations.
This includes additional warnings when running VMs and Hosts were previously Secure but after an update they're no longer "secure enough".

Comment 8 Tamir 2020-07-09 21:35:15 UTC

Verified the RFE on RHV 4.4.1-11 with hosts RHEL 4.4 and RHEL 4.3.
The tests are attached in the Polarion link.

Comment 9 Sandro Bonazzola 2020-08-05 06:09:49 UTC

This bugzilla is included in oVirt 4.4.0 release, published on May 20th 2020.

Since the problem described in this bug report should be
resolved in oVirt 4.4.0 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

Note You need to log in before you can comment on or make changes to this bug.