From 703abe06db1ecfadb7e5a5f877f86d41f367300d Mon Sep 17 00:00:00 2001
Message-Id: <703abe06db1ecfadb7e5a5f877f86d41f367300d@dist-git>
From: Pavel Hrdina <phrdina@redhat.com>
Date: Wed, 15 May 2019 10:37:54 +0200
Subject: [PATCH] DomainCpu: fix detection of CPU security features
VM configured with mode="host-model" will have the CPU definition
expanded once the VM is started. Libvirt will try to use the closest
CPU model with some features enabled/disabled.
The issue is that there are some models that include spec-ctrl or ibpb
features and they will not appear in the explicit list of features and
virt-manager will not correctly detect if all security features are
enabled or not. As a workaround we can check the suffix of CPU model to
figure out which security features are enabled by the model itself.
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit 291f2ef21486cb54aadd40f07052aedfebef3792)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1716402
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
---
virtinst/domain/cpu.py | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/virtinst/domain/cpu.py b/virtinst/domain/cpu.py
index c6a411bb..1d468468 100644
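--- a/virtinst/domain/cpu.py
+++ b/virtinst/domain/cpu.py
@@ -135,15 +135,13 @@ class DomainCpu(XMLBuilder):
 self.secure = False
 return
 
- for feature in features:
- exists = False
- for f in self.features:
- if f.name == feature and f.policy == "require":
- exists = True
- break
- if not exists:
- self.secure = False
- return
+ guestFeatures = [f.name for f in self.features if f.policy == "require"]
+ if self.model.endswith("IBRS"):
+ guestFeatures.append("spec-ctrl")
+ if self.model.endswith("IBPB"):
+ guestFeatures.append("ibpb")
+
+ self.secure = set(features) <= set(guestFeatures)
 
 def _remove_security_features(self, guest):
 domcaps = guest.lookup_domcaps()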
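Review bot: The suffix shortcut appends `spec-ctrl` / `ibpb` whenever the model name ends in `IBRS` / `IBPB`, without checking whether the same feature is also listed with policy `disable` or `forbid`, so such a guest would be reported as `secure` even though the mitigation is turned off for it. The commit message says libvirt expands host-model with features both enabled and disabled, so that combination seems reachable, and a false "secure" is the worse failure direction for this flag; subtract explicitly disabled features before the subset test. Separately, `self.model.endswith(...)` would raise `AttributeError` if `model` is unset; the method starts above the hunk, so an earlier guard may already cover this, but falling back to an empty string is cheap. A short comment stating that the suffix check is a naming-convention heuristic (newer models may include these features without the suffix) would also help the next reader.

```python
        # … unchanged: the early `self.secure = False` / `return` above …
        model = self.model or ""
        disabled = {f.name for f in self.features
                    if f.policy in ("disable", "forbid")}
        guestFeatures = {f.name for f in self.features if f.policy == "require"}
        if model.endswith("IBRS"):
            guestFeatures.add("spec-ctrl")
        if model.endswith("IBPB"):
            guestFeatures.add("ibpb")

        self.secure = set(features) <= (guestFeatures - disabled)
```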
--
2.21.0