[Openstack-security] [Bug 1777460] Re: Whitelist two more SSBD-related CPU flags for AMD ('amd-ssbd', 'amd-no-ssb')
Author: Dan Smith <dansmith at redhat.com>
Date: Mon Jun 18 14:13:29 2018 -0700
[Stable Only] Add amd-ssbd and amd-no-ssb CPU flags
Update the whitelist for the latest new CPU flags for mitigation
of recent security issues.
(cherry picked from commit f8aca778f704983bc7ebb0a75d42914fee2dac06)
(cherry picked from commit 682ee60803c0e6a468e701282a18cee1c118c9df)
** Changed in: nova/ocata
Status: In Progress => Fix Committed
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
Whitelist two more SSBD-related CPU flags for AMD ('amd-ssbd', 'amd-
Status in OpenStack Compute (nova):
Status in OpenStack Compute (nova) ocata series:
Status in OpenStack Compute (nova) pike series:
Status in OpenStack Compute (nova) queens series:
In addition to the existing 'virt-ssbd', future AMD CPUs will have
another (architectural) way to deal with SSBD (Speculative Store Bypass
Disable), via the CPU flag: 'amd-ssbd'.
Furthermore, future AMD CPUs also will expose a mechanism to tell the
guest that the "Speculative Store Bypass Disable" (SSBD) is not needed
and that the CPU is all good. This is via the CPU flag: 'amd-no-ssb'
In summary, two new flags are:
Â Â Â Â amd-ssbd
Â Â Â Â amd-no-ssb
It is recommended to add the above two flags to the whitelist of Nova's
`cpu_model_extra_flags` config attribute -- for stable branches (Queens,
Pike and Ocata).
For Rocky and above release, no such white-listing is required, since we
allow free-form CPU flags.
Â Â Â Â * * *
Additional notes (from the QEMU mailing list thread) related to
performance and live migration:
Â Â - tl;dr: On an AMD Compute node, a guest should be presented with
Â Â Â Â 'amd-ssbd', if available, in preference to 'virt-ssbd'.
Â Â Â Â Details: Tom Lendacky from AMD writes -- "The idea behind
Â Â Â Â 'virt-ssbd' was to provide an architectural method for a guest to do
Â Â Â Â SSBD when 'amd-ssbd' isn't present. The 'amd-ssbd' feature will use
Â Â Â Â SPEC_CTRL which is intended to not be intercepted and will be fast.
Â Â Â Â The use of 'virt-ssbd' will always be intercepted and therefore will
Â Â Â Â not be as fast. So a guest should be presented with 'amd-ssbd', if
Â Â Â Â available, in preference to 'virt-ssbd'."
Â Â - It is safe to use 'amd-ssbd' (it is an architectural method for
guest to do SSBD) in a guest which can be live migrated between
different generations/families of AMD CPU.
 libvirt patch:
Â Â Â Â https://www.redhat.com/archives/libvir-list/2018-June/msg01111.html
 QEMU patch:
Â Â Â Â https://lists.nongnu.org/archive/html/qemu-devel/2018-06/msg00222.html
 http://git.openstack.org/cgit/openstack/nova/commit/?id=cc27a20 --
Â Â Â Â libvirt: Lift the restriction of choices for `cpu_model_extra_flags`
To manage notifications about this bug go to: