[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] CPU model versioning separate from machine type version
|
From: |
Eduardo Habkost |
|
Subject: |
Re: [Qemu-devel] CPU model versioning separate from machine type versioning ? |
|
Date: |
Fri, 29 Jun 2018 14:36:08 -0300 |
|
User-agent: |
Mutt/1.9.2 (2017-12-15) |
On Fri, Jun 29, 2018 at 11:19:17AM +0100, Daniel P. Berrangé wrote:
> On Fri, Jun 29, 2018 at 09:53:53AM +0100, Dr. David Alan Gilbert wrote:
[...]
> > We're going to have to say something like:
> > 'For the new XYZ vulnerability make sure you're using
> > Haswell-3.2 or later, SkyLake-2.6 or later, Westmere-4.8 or later
> > .....'
> >
> > which all gets a bit confusing.
>
> The kernel has a /sys/devices/system/cpu/vulnerabilities dir
> that lists status of various flaws.
>
> I have been thinking about whether libvirt should create a
> 'virt-guest-validate' command that looks at guest XML and
> reports whether any of the config settings are vulnerable
> or otherwise diverging from best practice in some way.
>
> QEMU itself would perhaps have a 'query-vulnerabilities'
> monitor command to report whether the current config is
> satisfactory or not.
Makes sense to me. I wanted to make QEMU emit warnings on
obviously insecure configurations. Adding a
query-vulnerabilities command would be the QMP counterpart of
that.
--
Eduardo