When nested kvm virtualization is used (with host-passthrough), if the first level guest is a trusty vm, odd behavior is seen in the second level guest:
host os:
disco/5.0.0-15.16-generic/qemu 1:3.1+dfsg-2ubuntu3.1
contents of /sys/devices/system/cpu/vulnerabilities/mds:
Mitigation: Clear CPU buffers; SMT vulnerable
1st level vm:
trusty/4.4.0-148.174~14.04.1-generic/qemu 2.0.0+dfsg-2ubuntu1.46
contents of /sys/devices/system/cpu/vulnerabilities/mds:
Mitigation: Clear CPU buffers; SMT Host state unknown
2nd level vm:
bionic/4.15.0-50.54-generic
contents of /sys/devices/system/cpu/vulnerabilities/mds:
Not affected
This behavior is not seen when the first level guest is a xenial or bionic vm (same bare metal hardware):
1st level vm:
bionic/4.15.0-50.54-generic/qemu 1:2.11+dfsg-1ubuntu7.13
contents of /sys/devices/system/cpu/vulnerabilities/mds:
Mitigation: Clear CPU buffers; SMT Host state unknown
2nd level vm:
bionic/4.15.0-50.54-generic
contents of /sys/devices/system/cpu/vulnerabilities/mds:
Mitigation: Clear CPU buffers; SMT Host state unknown
and:
1st level vm:
xenial/4.4.0-148.174-generic/qemu 1:2.5+dfsg-5ubuntu10.39
contents of /sys/devices/system/cpu/vulnerabilities/mds:
Mitigation: Clear CPU buffers; SMT Host state unknown
2nd level vm:
bionic/4.15.0-50.54-generic
contents of /sys/devices/system/cpu/vulnerabilities/mds:
Mitigation: Clear CPU buffers; SMT Host state unknown
It's not clear whether this is an issue with linux/kvm or qemu in trusty.
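An added shell example, not part of this bug report, that classifies what a kernel prints in /sys/devices/system/cpu/vulnerabilities/mds and flags the inconsistency described above: a nested guest claiming "Not affected" while the level beneath it reports the same CPU as affected. The sample strings are constructed from the values quoted in the report; the function and variable names are my own.

```shell
# classify_mds TEXT -> not-affected | mitigated | vulnerable | unknown
# TEXT is the content of /sys/devices/system/cpu/vulnerabilities/mds.
classify_mds() {
    case "$1" in
        "Not affected") echo not-affected ;;
        Mitigation:*)   echo mitigated ;;
        Vulnerable*)    echo vulnerable ;;
        *)              echo unknown ;;
    esac
}

# check_levels OUTER_TEXT INNER_TEXT
# The hardware does not change between nesting levels, only what each
# virtualisation layer exposes to its guest. So an inner level that says
# "Not affected" while the outer level says the CPU is affected cannot be
# trusted. Prints "suspect" or "consistent".
check_levels() {
    outer=$(classify_mds "$1")
    inner=$(classify_mds "$2")
    if [ "$inner" = not-affected ] && [ "$outer" != not-affected ] \
       && [ "$outer" != unknown ]; then
        echo suspect
    else
        echo consistent
    fi
}

# report_chain OUTER_TEXT: read the live mds file on this level and compare it
# with the status captured on the level below (passed in as $1).
report_chain() {
    here=$(cat /sys/devices/system/cpu/vulnerabilities/mds 2>/dev/null || echo "")
    check_levels "$1" "$here"
}

# Constructed sample values, taken from the report: trusty L1 versus the
# bionic L2 readings seen under trusty and under bionic.
TRUSTY_L1="Mitigation: Clear CPU buffers; SMT Host state unknown"
BIONIC_L2_UNDER_TRUSTY="Not affected"
BIONIC_L2_UNDER_BIONIC="Mitigation: Clear CPU buffers; SMT Host state unknown"

check_levels "$TRUSTY_L1" "$BIONIC_L2_UNDER_TRUSTY"   # prints "suspect"
check_levels "$TRUSTY_L1" "$BIONIC_L2_UNDER_BIONIC"   # prints "consistent"
```

Run `report_chain "$(cat /path/to/outer-level-mds.txt)"` inside the second-level guest, with the first-level guest's mds file copied in, to reproduce the comparison on a live setup.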