Re: [Qemu-devel] [qemu-web PATCH] Add a blog post documenting Spectre/Meltdown options for QEMU 2.11.1

[David Hildenbrand]

On 14.02.2018 10:18, Christian Borntraeger wrote:
> 
> 
> On 02/14/2018 10:11 AM, Cornelia Huck wrote:
>> On Tue, 13 Feb 2018 18:11:05 -0600
>> Michael Roth <address@hidden> wrote:
>>
>>> This blog entry is intended as a follow-up to the original entry in
>>> January regarding Spectre/Meltdown and the proposed changes to address
>>> them in the upcoming 2.11.1 release.
>>>
>>> This entry is meant to accompany the 2.11.1 release (planned for
>>> 2018-02-14) and document how to make use of the new options for
>>> various architectures.
>>>
>>> Cc: Eduardo Habkost <address@hidden>
>>> Cc: Paolo Bonzini <address@hidden>
>>> Cc: Peter Maydell <address@hidden>
>>> Cc: Suraj Jitindar Singh <address@hidden>
>>> Cc: David Gibson <address@hidden>
>>> Cc: Christian Borntraeger <address@hidden>
>>> Cc: Cornelia Huck <address@hidden>
>>> Cc: Thomas Huth <address@hidden>
>>> Signed-off-by: Michael Roth <address@hidden>
>>> ---
>>>
>>> The pseries/s390 bits have gotten some initial review (thanks 
>>> Suraj/Christian),
>>> but it can definitely use some additional review on the x86 side of things.
>>>
>>> Also, Peter if think anything extra should to be mentioned on the ARM side 
>>> just
>>> let me know what to add.
>>>
>>>  .../2018-02-14-qemu-2-11-1-and-spectre-update.md   | 180 
>>> +++++++++++++++++++++
>>>  1 file changed, 180 insertions(+)
>>>  create mode 100644 _posts/2018-02-14-qemu-2-11-1-and-spectre-update.md
>>
>> [some comments/questions regarding s390 cpu models, adding DavidH on cc:]
>>
>>> +## enabling mitigations for s390 KVM guests
>>> +
>>> +For s390 guests there are 2 CPU options relating to Spectre/Meltdown:
>>
>> s/options/feature bits/ ?
>>
>>> +
>>> +* bpb: Branch prediction blocking
>>> +* ppa15: PPA15 is installed
>>> +
>>> +**bpb** requires a host kernel patched with:
>>> +
>>> +    commit 35b3fde6203b932b2b1a5b53b3d8808abc9c4f60
>>> +    KVM: s390: wire up bpb feature
>>> +
>>> +and both **bpb** and **ppa15** require a firmware with the appropriate 
>>> support
>>> +level as well as guest kernel patches to enable the functionality within
>>> +guests. Please check with your distro/vendor to confirm.
>>> +
>>> +Both **bpb** and **ppa15** are enabled by default with newer/patched host
>>> +kernels, and can also be set manually. For example:
>>> +
>>> +    qemu-system-s390x -M s390-ccw-virtio-2.11 ... \
>>> +      -cpu zEC12,bpb=on,ppa15=on 
>>
>> Do we also want to add that bpb/ppa15 are on if you use the _full_
>> model (as opposed to the _base_ model)? Or is this going into too much
>> detail about the cpu model?
> 
> full model is just an internal implementation.
> Either use
> - host passthrough
> - host model
> - add bpb and ppa15 manually to the choosen model (e.g. z13,bpb=on,ppa15=on)

Ack. They won't be enabled by existing base (e.g. z13-base) or default
(e.g. z13) CPU models. The full models are internal only.

So "-cpu host" or "-cpu [MODEL],bpb=on,ppa15=on" are the only two
options on the QEMU command line level.

-- 

Thanks,

David / dhildenb