Lines Matching +full:- +full:- +full:disable +full:- +full:kvm
1 Recommendations for KVM CPU model configuration on x86 hosts
10 Two ways to configure CPU models with QEMU / KVM
16 the guest. Note that KVM may filter out some host CPU model features
51 lists the long term stable CPU model versions (e.g. Haswell-v4).
56 .. _ABI compatibility levels: https://gitlab.com/x86-psABIs/x86-64-ABI/
58 .. csv-table:: x86-64 ABI compatibility levels
59 :file: cpu-models-x86-abi.csv
61 :header-rows: 1
77 ``SierraForest``, ``SierraForest-v2``
78 Intel Xeon Processor (SierraForest, 2024), SierraForest-v2 mitigates
81 ``GraniteRapids``, ``GraniteRapids-v2``
84 ``Cascadelake-Server``, ``Cascadelake-Server-noTSX``
89 ``Skylake-Server``, ``Skylake-Server-IBRS``, ``Skylake-Server-IBRS-noTSX``
92 ``Skylake-Client``, ``Skylake-Client-IBRS``, ``Skylake-Client-noTSX-IBRS``
95 ``Broadwell``, ``Broadwell-IBRS``, ``Broadwell-noTSX``, ``Broadwell-noTSX-IBRS``
98 ``Haswell``, ``Haswell-IBRS``, ``Haswell-noTSX``, ``Haswell-noTSX-IBRS``
101 ``IvyBridge``, ``IvyBridge-IBRS``
102 Intel Xeon E3-12xx v2 (Ivy Bridge, 2012)
104 ``SandyBridge``, ``SandyBridge-IBRS``
107 ``Westmere``, ``Westmere-IBRS``
108 Westmere E56xx/L56xx/X56xx (Nehalem-C, 2010)
110 ``Nehalem``, ``Nehalem-IBRS``
130 Recommended to mitigate the cost of the Meltdown (CVE-2017-5754) fix.
138 ``spec-ctrl``
139 Required to enable the Spectre v2 (CVE-2017-5715) fix.
141 Included by default in Intel CPU models with -IBRS suffix.
143 Must be explicitly turned on for Intel CPU models without -IBRS
150 Required to enable stronger Spectre v2 (CVE-2017-5715) fixes in some
159 Required to enable the CVE-2018-3639 fix.
177 ``md-clear``
178 Required to confirm the MDS (CVE-2018-12126, CVE-2018-12127,
179 CVE-2018-12130, CVE-2019-11091) fixes.
188 ``mds-no``
190 to any of the MDS variants ([MFBDS] CVE-2018-12130, [MLPDS]
191 CVE-2018-12127, [MSBDS] CVE-2018-12126).
193 This is an MSR (Model-Specific Register) feature rather than a CPUID feature,
201 ``taa-no``
203 vulnerable to CVE-2019-11135, TSX Asynchronous Abort (TAA).
212 ``tsx-ctrl``
213 Recommended to inform the guest that it can disable the Intel TSX
216 processor-level instruction that performs checks on memory access) as
219 …<https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-microarch…
224 By disabling TSX, KVM-based guests can avoid paying the price of
225 mitigating TSX-based attacks.
227 Note that ``tsx-ctrl`` is also an MSR feature, therefore it does not show
236 ``bhi-no``
238 vulnerable to CVE-2022-0001, Branch History Injection (BHI).
247 ``gds-no``
249 vulnerable to CVE-2022-40982, Gather Data Sampling (GDS).
258 ``rfds-no``
260 vulnerable to CVE-2023-28746, Register File Data Sampling (RFDS).
279 ``EPYC``, ``EPYC-IBPB``
308 Required to enable the Spectre v2 (CVE-2017-5715) fix.
310 Included by default in AMD CPU models with -IBPB suffix.
312 Must be explicitly turned on for AMD CPU models without -IBPB suffix.
318 Required to enable stronger Spectre v2 (CVE-2017-5715) fixes in some
326 ``virt-ssbd``
327 Required to enable the CVE-2018-3639 fix.
333 This should be provided to guests, even if amd-ssbd is also provided,
340 ``amd-ssbd``
341 Required to enable the CVE-2018-3639 fix.
347 This provides higher performance than ``virt-ssbd`` so should be
348 exposed to guests whenever available in the host. ``virt-ssbd`` should
350 kernels only know about ``virt-ssbd``.
352 ``amd-no-ssb``
353 Recommended to indicate the host is not vulnerable to CVE-2018-3639
358 CVE-2018-3639, and thus the guest should be told not to enable
359 its mitigations, by exposing amd-no-ssb. This is mutually
360 exclusive with virt-ssbd and amd-ssbd.
390 guests, when no ``-cpu`` argument is given to QEMU, or no ``<cpu>`` is
393 Other non-recommended x86 CPUs
401 Common KVM processor (32 & 64 bit variants).
423 .. parsed-literal::
425 |qemu_system| -cpu host
429 .. parsed-literal::
431 |qemu_system| -cpu host,vmx=off,...
435 .. parsed-literal::
437 |qemu_system| -cpu Westmere
441 .. parsed-literal::
443 |qemu_system| -cpu Westmere,pcid=on,...
450 <cpu mode='host-passthrough'/>
454 <cpu mode='host-passthrough'>
455 <feature name="vmx" policy="disable"/>
461 <cpu mode='host-model'/>
465 <cpu mode='host-model'>
466 <feature name="vmx" policy="disable"/>