Description of problem: Starting with OVirt v4.4.6 Nehalem secure profile started to require md_clear cpu flag. But AFAIK Intel not released nor planning to release updated microcode for any Nehalem products with MDS mitigations. The same for Westmere. That makes it impossible to use previously supported (prior to v4.4.6) secure profile with at least partial security on such platforms without manual modification of vdc_options after every engine reconfiguration.
We didn't change previous cluster levels in 4.4.6 but introduced a new one - 4.6 There are two variants per CPU type - secured and insecure The secured variants require the md_clear flag but the insecure ones don't Did you try to use "Intel Nehalem Family" or "Intel Westmere Family" (rather than "Secure Intel Nehalem Family" or "Secure Intel Westmere Family")?
I am looking in the git history of the CPU configuration and the configuration of Nehalem or Westmere has not changed since 4.4.5 in oVirt at all. The md_clear flag has been required since the introduction of the Secure CPU types. Is it possible that your system stopped reporting that flag as a result of a system upgrade instead of oVirt upgrade?
> We didn't change previous cluster levels in 4.4.6 but introduced a new one - 4.6 > There are two variants per CPU type - secured and insecure > The secured variants require the md_clear flag but the insecure ones don't Hm, maybe I'm wrong about that it was introduced in 4.4.6. That version was in my notes so I encountered that problem after update to this version. But maybe I skipped a couple of versions during upgrading. I don't remember anymore... Previously there was "Intel Nehalem IBRS SSBD Family" which I was using and there are no such equivalent anymore. > Did you try to use "Intel Nehalem Family" or "Intel Westmere Family" (rather than "Secure Intel Nehalem Family" or "Secure Intel Westmere Family")? Yes I can use "non-secure" version but in that case spec-ctrl=on,ssbd=on flags won't be sent to qemu-kvm and won't be available on guests, isn't it? I want to have full equivalent of "Intel Nehalem IBRS SSBD Family". And currently I could achieve that only by manually stripping md_clear flag from vdc_options table in database for "secure" family after every engine reconfiguration. > Is it possible that your system stopped reporting that flag as a result of a system upgrade instead of oVirt upgrade? No. MDS mitigations never worked on my Nehalem hardware. As I wrote previously AFAIK that flag is impossible on all Nehalem/Westmere platforms at all. Because it requires updated microcode with MDS mitigations but Intel never released it and not planning to: https://virtualcornerstone.com/2019/06/28/intel-mds-guidance-no-plans-to-support-nehalem-and-westmere-product-family/ https://www.intel.com/content/dam/www/public/us/en/documents/corporate-information/SA00233-microcode-update-guidance.pdf So in my understanding there is not much sense in having "secure" Nehalem/Westmere family which require md_clear flag as it is impossible on these platforms. So I propose to remove that requirement so we can have at least protections against spectre/meltdown.
yes, everyone was hoping that one day they might, but it is indeed safe to assume now that they will never fix it...
While we review what we can do about the configuration, you may consider using the insecure variant with the additional cpu flags set via VM's custom property extra_cpu_flags.This way you won't need to change the configuration in the database every time you run the engine setup.
We can change the configuration of the mentioned CPUs, however, we do not have hardware to test it. Would you be willing to test the new configuration on your setup?
Sure, I'll be happy to to test on Nehalem.
Konstantin, the fix has been included in the recent release, could you please try it and let us know if it works for you? Thanks.
Updated to ovirt 4.5.1. Works like a charm. Thank you.
(In reply to Konstantin Kuzov from comment #9) > Updated to ovirt 4.5.1. Works like a charm. Thank you. Thanks for the confirmation!