Bug 1731395 - [RFE] Introduce a "Secure" variant of CPUs following the CPU-related vulnerability mitigations
Summary: [RFE] Introduce a "Secure" variant of CPUs following the CPU-related vulnerab...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: BLL.Virt
Version: 4.4.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified vote
Target Milestone: ovirt-4.4.0
: ---
Assignee: Lucia Jelinkova
QA Contact: Tamir
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-07-19 10:20 UTC by Michal Skrivanek
Modified: 2020-08-05 06:09 UTC (History)
4 users (show)

Fixed In Version: rhv-4.4.0-29
Doc Type: Enhancement
Doc Text:
Previously, with every security update, a new CPU type was created in the vdc_options table under the key ServerCPUList in the database for all affected architectures. For example, the Intel Skylake Client Family included the following CPU types: - Intel Skylake Client Family + - Intel Skylake Client IBRS Family + - Intel Skylake Client IBRS SSBD Family + - Intel Skylake Client IBRS SSBD MDS Family + With this update, only two CPU Types are now supported for any CPU microarchitecture that has security updates, keeping the CPU list manageable. For example: - Intel Skylake Client Family - Secure Intel Skylake Client Family The default CPU type will not change. The Secure CPU type will contain the latest updates.
Clone Of:
Environment:
Last Closed: 2020-08-05 06:09:49 UTC
oVirt Team: Virt
michal.skrivanek: ovirt-4.4?
pm-rhel: planning_ack?
michal.skrivanek: devel_ack+
pm-rhel: testing_ack+


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 101912 0 'None' MERGED engine: refactored VDS CPU flags check 2021-02-16 09:25:48 UTC
oVirt gerrit 101913 0 'None' MERGED core: Change CPU config to secure/insecure concept 2021-02-16 09:25:49 UTC
oVirt gerrit 101914 0 'None' MERGED engine: Add cpu_flags and cpu_verb into cluster 2021-02-16 09:25:49 UTC
oVirt gerrit 101915 0 'None' MERGED engine: make vds use cluster cpu_flags 2021-02-16 09:25:49 UTC
oVirt gerrit 102449 0 'None' MERGED webadmin: added warning to the host list table 2021-02-16 09:25:49 UTC
oVirt gerrit 102457 0 'None' MERGED webadmin: added warning to the host detail 2021-02-16 09:25:49 UTC
oVirt gerrit 102485 0 'None' MERGED webadmin: added warning to the cluster list table 2021-02-16 09:25:49 UTC
oVirt gerrit 102508 0 'None' MERGED webadmin: added warning to the vm list table 2021-02-16 09:25:50 UTC
oVirt gerrit 102542 0 'None' MERGED webadmin: added warning to the vm detail 2021-02-16 09:25:50 UTC
oVirt gerrit 102608 0 'None' MERGED webadmin: added info icon to the cluster detail 2021-02-16 09:25:50 UTC
oVirt gerrit 102625 0 'None' MERGED webadmin: changed cpu type on vm detail 2021-02-16 09:25:50 UTC
oVirt gerrit 102642 0 'None' MERGED engine: automatic update of cluster CPU flags 2021-02-16 09:25:50 UTC
oVirt gerrit 102650 0 'None' MERGED webadmin: added info icon to host detail 2021-02-16 09:25:51 UTC
oVirt gerrit 102713 0 'None' MERGED webadmin: add possibility to update tooltip text 2021-02-16 09:25:51 UTC
oVirt gerrit 102761 0 'None' MERGED webadmin: fix CPU list load on cluster popup 2021-02-16 09:25:51 UTC
oVirt gerrit 102956 0 'None' MERGED engine: cpu flags handling in update cluster 2021-02-16 09:25:51 UTC

Description Michal Skrivanek 2019-07-19 10:20:45 UTC
We started to add mitigations for Spectre, Meltdown, MDS and similar vulnerabilities, which usually require a fixed microcode and so they are identified as different CPUs. Until now we had separate types for them which made it hard to maintain and follow.
Let's introduce a "Secure" type as a rolling variant which will have the latest and greatest of mitigations.
This includes additional warnings when running VMs and Hosts were previously Secure but after an update they're no longer "secure enough".

Comment 8 Tamir 2020-07-09 21:35:15 UTC
Verified the RFE on RHV 4.4.1-11 with hosts RHEL 4.4 and RHEL 4.3.
The tests are attached in the Polarion link.

Comment 9 Sandro Bonazzola 2020-08-05 06:09:49 UTC
This bugzilla is included in oVirt 4.4.0 release, published on May 20th 2020.

Since the problem described in this bug report should be
resolved in oVirt 4.4.0 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.