From 703abe06db1ecfadb7e5a5f877f86d41f367300d Mon Sep 17 00:00:00 2001
Message-Id: <703abe06db1ecfadb7e5a5f877f86d41f367300d@dist-git>
From: Pavel Hrdina
Date: Wed, 15 May 2019 10:37:54 +0200
Subject: [PATCH] DomainCpu: fix detection of CPU security features
VM configured with mode="host-model" will have the CPU definition expanded once the VM is started. Libvirt will try to use the closest CPU model with some features enabled/disabled. The issue is that there are some models that include spec-ctrl or ibpb features and they will not appear in the explicit list of features and virt-manager will not correctly detect if all security features are enabled or not. As a workaround we can check the suffix of CPU model to figure out which security features are enabled by the model itself.
Signed-off-by: Pavel Hrdina
(cherry picked from commit 291f2ef21486cb54aadd40f07052aedfebef3792)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1716402
Signed-off-by: Pavel Hrdina
---
 virtinst/domain/cpu.py | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/virtinst/domain/cpu.py b/virtinst/domain/cpu.py
index c6a411bb..1d468468 100644
--- a/virtinst/domain/cpu.py
+++ b/virtinst/domain/cpu.py
@@ -135,15 +135,13 @@ class DomainCpu(XMLBuilder):
 self.secure = False
 return
- for feature in features:
- exists = False
- for f in self.features:
- if f.name == feature and f.policy == "require":
- exists = True
- break
- if not exists:
- self.secure = False
- return
+ guestFeatures = [f.name for f in self.features if f.policy == "require"]
+ if self.model.endswith("IBRS"):
+ guestFeatures.append("spec-ctrl")
+ if self.model.endswith("IBPB"):
+ guestFeatures.append("ibpb")
+
+ self.secure = set(features) <= set(guestFeatures)
 def _remove_security_features(self, guest):
 domcaps = guest.lookup_domcaps()
--
2.21.0
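Review bot: The two suffix checks append `spec-ctrl` / `ibpb` to `guestFeatures` unconditionally, so a definition whose model ends in `IBRS` or `IBPB` but which also lists that feature with policy `disable` (or `forbid`) would still end up with `self.secure = True`; for a security indicator that is the fail-open direction. Subtracting the explicitly turned-off features before the comparison keeps the result conservative: `off = {f.name for f in self.features if f.policy in ("disable", "forbid")}` and `self.secure = set(features) <= set(guestFeatures) - off`. The `self.model.endswith(...)` calls also assume `self.model` is a string; the start of the function is outside the hunk, so unless something there guarantees a model is set, `model = self.model or ""` would avoid an AttributeError. A short comment saying the suffix test is a heuristic for libvirt's `-IBRS` / `-IBPB` model variants, and that a model carrying these features without such a suffix will be reported as not secure, would help the next reader.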