OpenStack Compute (nova)

Whitelist two more SSBD-related CPU flags for AMD ('amd-ssbd', 'amd-no-ssb')

Series ocata
Bug #1777460

Bug #1777460 reported by Kashyap Chamarthy on 2018-06-18

This bug affects 1 person

	Status	Importance	Assigned to
OpenStack Compute (nova)	Won't Fix	Undecided	Unassigned
Ocata	Fix Committed	High	Elod Illes
Pike	Fix Committed	High	Dan Smith
Queens	Fix Committed	High	Dan Smith

Bug Description

In addition to the existing 'virt-ssbd', future AMD CPUs will have
another (architectural) way to deal with SSBD (Speculative Store Bypass
Disable), via the CPU flag: 'amd-ssbd'.

Furthermore, future AMD CPUs also will expose a mechanism to tell the
guest that the "Speculative Store Bypass Disable" (SSBD) is not needed
and that the CPU is all good. This is via the CPU flag: 'amd-no-ssb'

In summary, two new flags are[1][2]:

amd-ssbd
amd-no-ssb

It is recommended to add the above two flags to the whitelist of Nova's
`cpu_model_extra_flags` config attribute -- for stable branches (Queens,
Pike and Ocata).

For Rocky and above release, no such white-listing is required, since we
allow free-form CPU flags[3].

* * *

Additional notes (from the QEMU mailing list thread[4]) related to
performance and live migration:

- tl;dr: On an AMD Compute node, a guest should be presented with
'amd-ssbd', if available, in preference to 'virt-ssbd'.

    Details: Tom Lendacky from AMD writes[4] -- "The idea behind
    'virt-ssbd' was to provide an architectural method for a guest to do
    SSBD when 'amd-ssbd' isn't present. The 'amd-ssbd' feature will use
    SPEC_CTRL which is intended to not be intercepted and will be fast.
    The use of 'virt-ssbd' will always be intercepted and therefore will
    not be as fast. So a guest should be presented with 'amd-ssbd', if
    available, in preference to 'virt-ssbd'."

  - It is safe to use 'amd-ssbd' (it is an architectural method for
    guest to do SSBD) in a guest which can be live migrated between
    different generations/families of AMD CPU.

[1] libvirt patch:
    https://www.redhat.com/archives/libvir-list/2018-June/msg01111.html
[2] QEMU patch:
    https://lists.nongnu.org/archive/html/qemu-devel/2018-06/msg00222.html
[3] http://git.openstack.org/cgit/openstack/nova/commit/?id=cc27a20 --
    libvirt: Lift the restriction of choices for `cpu_model_extra_flags`
[4] https://lists.nongnu.org/archive/html/qemu-devel/2018-06/msg02301.html

See original description

Tags:

Kashyap Chamarthy (kashyapc) on 2018-06-18

tags:	added: queens-backport-potential
tags:	added: security

Kashyap Chamarthy (kashyapc) on 2018-06-18

tags:

added: pike-backport-potential

Kashyap Chamarthy (kashyapc) on 2018-06-18

description:

updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-06-18: Fix proposed to nova (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/576270

Revision history for this message

Matt Riedemann (mriedem) wrote on 2018-06-18:

Typo in the bug description, it's not "amdb-no-ssb" it's amd-no-ssb.

Changed in nova:
status:	New → Won't Fix

Kashyap Chamarthy (kashyapc) on 2018-06-19

description:	updated
summary:	- Whitelist two more SSBD-related CPU flags for AMD ('amd-ssbd', 'amd-no- + Whitelist two more SSBD-related CPU flags for AMD ('amd-ssb', 'amd-no- ssb')

Kashyap Chamarthy (kashyapc) on 2018-06-19

summary:	- Whitelist two more SSBD-related CPU flags for AMD ('amd-ssb', 'amd-no- + Whitelist two more SSBD-related CPU flags for AMD ('amd-ssbd', 'amd-no- ssb')
description:	updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-06-22: Fix merged to nova (stable/queens)

Reviewed: https://review.openstack.org/576270
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=f8aca778f704983bc7ebb0a75d42914fee2dac06
Submitter: Zuul
Branch: stable/queens

commit f8aca778f704983bc7ebb0a75d42914fee2dac06
Author: Dan Smith <email address hidden>
Date: Mon Jun 18 14:13:29 2018 -0700

[Stable Only] Add amd-ssbd and amd-no-ssb CPU flags

Update the whitelist for the latest new CPU flags for mitigation
of recent security issues.

Change-Id: I8686a4755777c8c720c40d4111cc469676d2a5fd
Closes-Bug: #1777460

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-06-22: Fix proposed to nova (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/577548

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-06-25: Fix merged to nova (stable/pike)

Reviewed: https://review.openstack.org/577548
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=682ee60803c0e6a468e701282a18cee1c118c9df
Submitter: Zuul
Branch: stable/pike

commit 682ee60803c0e6a468e701282a18cee1c118c9df
Author: Dan Smith <email address hidden>
Date: Mon Jun 18 14:13:29 2018 -0700

[Stable Only] Add amd-ssbd and amd-no-ssb CPU flags

Update the whitelist for the latest new CPU flags for mitigation
of recent security issues.

    Change-Id: I8686a4755777c8c720c40d4111cc469676d2a5fd
    Closes-Bug: #1777460
    (cherry picked from commit f8aca778f704983bc7ebb0a75d42914fee2dac06)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-09-24: Fix included in openstack/nova 16.1.5

This issue was fixed in the openstack/nova 16.1.5 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-09-24: Fix included in openstack/nova 17.0.6

This issue was fixed in the openstack/nova 17.0.6 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-10-02: Fix proposed to nova (stable/ocata)

Fix proposed to branch: stable/ocata
Review: https://review.openstack.org/607296

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-10-03: Fix merged to nova (stable/ocata)

Reviewed: https://review.openstack.org/607296
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=c85f5e22e1cb8afd756341517bd7284ffc8e505b
Submitter: Zuul
Branch: stable/ocata

commit c85f5e22e1cb8afd756341517bd7284ffc8e505b
Author: Dan Smith <email address hidden>
Date: Mon Jun 18 14:13:29 2018 -0700

[Stable Only] Add amd-ssbd and amd-no-ssb CPU flags

Update the whitelist for the latest new CPU flags for mitigation
of recent security issues.

    Change-Id: I8686a4755777c8c720c40d4111cc469676d2a5fd
    Closes-Bug: #1777460
    (cherry picked from commit f8aca778f704983bc7ebb0a75d42914fee2dac06)
    (cherry picked from commit 682ee60803c0e6a468e701282a18cee1c118c9df)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2018-10-08: Fix included in openstack/nova 15.1.5

#10

This issue was fixed in the openstack/nova 15.1.5 release.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.