In addition to the existing 'virt-ssbd', future AMD CPUs will have _two_
ways to deal with SSBD (Speculative Store Bypass Disable). To that AMD
will be introducing two more[1][2] CPU flags:
amd-ssbd
amdb-no-ssb
It is recommended to add the above two flags to the whitelist of Nova's
`cpu_model_extra_flags` config attribute -- for stable branches (Queens,
Pike and Ocata).
For Rocky and above release, no such white-listing is required, since we
allow free-form CPU flags[3].
* * *
Additional notes (from the QEMU mailing list thread[4]) related to
performance and live migration:
- tl;dr: On an AMD Compute node, a guest should be presented with
'amd-ssbd', if available, in preference to 'virt-ssbd'.
Details: Tom Lendacky from AMD writes[4] -- "The idea behind
'virt-ssbd' was to provide an architectural method for a guest to do
SSBD when 'amd-ssbd' isn't present. The 'amd-ssbd' feature will use
SPEC_CTRL which is intended to not be intercepted and will be fast.
The use of 'virt-ssbd' will always be intercepted and therefore will
not be as fast. So a guest should be presented with 'amd-ssbd', if
available, in preference to 'virt-ssbd'."
- It safe to use 'amd-ssbd' (it is an architectural method for a guest
to do SSBD) in a guest which can be live migrated between different
generations/families of AMD CPU.
In addition to the existing 'virt-ssbd', future AMD CPUs will have _two_
ways to deal with SSBD (Speculative Store Bypass Disable). To that AMD
will be introducing two more[1][2] CPU flags:
amd-ssbd
amdb-no-ssb
It is recommended to add the above two flags to the whitelist of Nova's extra_flags` config attribute -- for stable branches (Queens,
`cpu_model_
Pike and Ocata).
For Rocky and above release, no such white-listing is required, since we
allow free-form CPU flags[3].
* * *
Additional notes (from the QEMU mailing list thread[4]) related to
performance and live migration:
- tl;dr: On an AMD Compute node, a guest should be presented with
'amd-ssbd', if available, in preference to 'virt-ssbd'.
Details: Tom Lendacky from AMD writes[4] -- "The idea behind
'virt-ssbd' was to provide an architectural method for a guest to do
SSBD when 'amd-ssbd' isn't present. The 'amd-ssbd' feature will use
SPEC_CTRL which is intended to not be intercepted and will be fast.
The use of 'virt-ssbd' will always be intercepted and therefore will
not be as fast. So a guest should be presented with 'amd-ssbd', if
available, in preference to 'virt-ssbd'."
- It safe to use 'amd-ssbd' (it is an architectural method for a guest /families of AMD CPU.
to do SSBD) in a guest which can be live migrated between different
generations
[1] libvirt patch: /www.redhat. com/archives/ libvir- list/2018- June/msg01111. html /lists. nongnu. org/archive/ html/qemu- devel/2018- 06/msg00222. html git.openstack. org/cgit/ openstack/ nova/commit/ ?id=cc27a20 -- extra_flags` /lists. nongnu. org/archive/ html/qemu- devel/2018- 06/msg02301. html
https:/
[2] QEMU patch:
https:/
[3] http://
libvirt: Lift the restriction of choices for `cpu_model_
[4] https:/