xref: /openbmc/qemu/docs/system/cpu-models-x86.rst.inc (revision 407bc4bf9027f7ac4333e47cd900d773b99a23e3) 
1Recommendations for KVM CPU model configuration on x86 hosts
2============================================================
3
4The information that follows provides recommendations for configuring
5CPU models on x86 hosts. The goals are to maximise performance, while
6protecting guest OS against various CPU hardware flaws, and optionally
7enabling live migration between hosts with heterogeneous CPU models.
8
9
10Two ways to configure CPU models with QEMU / KVM
11^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
12
13(1) **Host passthrough**
14
15    This passes the host CPU model features, model, stepping, exactly to
16    the guest. Note that KVM may filter out some host CPU model features
17    if they cannot be supported with virtualization. Live migration is
18    unsafe when this mode is used as libvirt / QEMU cannot guarantee a
19    stable CPU is exposed to the guest across hosts. This is the
20    recommended CPU to use, provided live migration is not required.
21
22(2) **Named model**
23
24    QEMU comes with a number of predefined named CPU models, that
25    typically refer to specific generations of hardware released by
26    Intel and AMD.  These allow the guest VMs to have a degree of
27    isolation from the host CPU, allowing greater flexibility in live
28    migrating between hosts with differing hardware.  @end table
29
30In both cases, it is possible to optionally add or remove individual CPU
31features, to alter what is presented to the guest by default.
32
33Libvirt supports a third way to configure CPU models known as "Host
34model".  This uses the QEMU "Named model" feature, automatically picking
35a CPU model that is similar the host CPU, and then adding extra features
36to approximate the host model as closely as possible. This does not
37guarantee the CPU family, stepping, etc will precisely match the host
38CPU, as they would with "Host passthrough", but gives much of the
39benefit of passthrough, while making live migration safe.
40
41
42ABI compatibility levels for CPU models
43^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
44
45The x86_64 architecture has a number of `ABI compatibility levels`_
46defined. Traditionally most operating systems and toolchains would
47only target the original baseline ABI. It is expected that in
48future OS and toolchains are likely to target newer ABIs. The
49table that follows illustrates which ABI compatibility levels
50can be satisfied by the QEMU CPU models. Note that the table only
51lists the long term stable CPU model versions (eg Haswell-v4).
52In addition to what is listed, there are also many CPU model
53aliases which resolve to a different CPU model version,
54depending on the machine type is in use.
55
56.. _ABI compatibility levels: https://gitlab.com/x86-psABIs/x86-64-ABI/
57
58.. csv-table:: x86-64 ABI compatibility levels
59   :file: cpu-models-x86-abi.csv
60   :widths: 40,15,15,15,15
61   :header-rows: 1
62
63
64Preferred CPU models for Intel x86 hosts
65^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
66
67The following CPU models are preferred for use on Intel hosts.
68Administrators / applications are recommended to use the CPU model that
69matches the generation of the host CPUs in use. In a deployment with a
70mixture of host CPU models between machines, if live migration
71compatibility is required, use the newest CPU model that is compatible
72across all desired hosts.
73
74``ClearwaterForest``
75    Intel Xeon Processor (ClearwaterForest, 2025)
76
77``SierraForest``, ``SierraForest-v2``
78    Intel Xeon Processor (SierraForest, 2024), SierraForest-v2 mitigates
79    the GDS and RFDS vulnerabilities with stepping 3.
80
81``GraniteRapids``, ``GraniteRapids-v2``
82    Intel Xeon Processor (GraniteRapids, 2024)
83
84``Cascadelake-Server``, ``Cascadelake-Server-noTSX``
85    Intel Xeon Processor (Cascade Lake, 2019), with "stepping" levels 6
86    or 7 only.  (The Cascade Lake Xeon processor with *stepping 5 is
87    vulnerable to MDS variants*.)
88
89``Skylake-Server``, ``Skylake-Server-IBRS``, ``Skylake-Server-IBRS-noTSX``
90    Intel Xeon Processor (Skylake, 2016)
91
92``Skylake-Client``, ``Skylake-Client-IBRS``, ``Skylake-Client-noTSX-IBRS}``
93    Intel Core Processor (Skylake, 2015)
94
95``Broadwell``, ``Broadwell-IBRS``, ``Broadwell-noTSX``, ``Broadwell-noTSX-IBRS``
96    Intel Core Processor (Broadwell, 2014)
97
98``Haswell``, ``Haswell-IBRS``, ``Haswell-noTSX``, ``Haswell-noTSX-IBRS``
99    Intel Core Processor (Haswell, 2013)
100
101``IvyBridge``, ``IvyBridge-IBR``
102    Intel Xeon E3-12xx v2 (Ivy Bridge, 2012)
103
104``SandyBridge``, ``SandyBridge-IBRS``
105    Intel Xeon E312xx (Sandy Bridge, 2011)
106
107``Westmere``, ``Westmere-IBRS``
108    Westmere E56xx/L56xx/X56xx (Nehalem-C, 2010)
109
110``Nehalem``, ``Nehalem-IBRS``
111    Intel Core i7 9xx (Nehalem Class Core i7, 2008)
112
113``Penryn``
114    Intel Core 2 Duo P9xxx (Penryn Class Core 2, 2007)
115
116``Conroe``
117    Intel Celeron_4x0 (Conroe/Merom Class Core 2, 2006)
118
119
120Important CPU features for Intel x86 hosts
121^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
122
123The following are important CPU features that should be used on Intel
124x86 hosts, when available in the host CPU. Some of them require explicit
125configuration to enable, as they are not included by default in some, or
126all, of the named CPU models listed above. In general all of these
127features are included if using "Host passthrough" or "Host model".
128
129``pcid``
130  Recommended to mitigate the cost of the Meltdown (CVE-2017-5754) fix.
131
132  Included by default in Haswell, Broadwell & Skylake Intel CPU models.
133
134  Should be explicitly turned on for Westmere, SandyBridge, and
135  IvyBridge Intel CPU models. Note that some desktop/mobile Westmere
136  CPUs cannot support this feature.
137
138``spec-ctrl``
139  Required to enable the Spectre v2 (CVE-2017-5715) fix.
140
141  Included by default in Intel CPU models with -IBRS suffix.
142
143  Must be explicitly turned on for Intel CPU models without -IBRS
144  suffix.
145
146  Requires the host CPU microcode to support this feature before it
147  can be used for guest CPUs.
148
149``stibp``
150  Required to enable stronger Spectre v2 (CVE-2017-5715) fixes in some
151  operating systems.
152
153  Must be explicitly turned on for all Intel CPU models.
154
155  Requires the host CPU microcode to support this feature before it can
156  be used for guest CPUs.
157
158``ssbd``
159  Required to enable the CVE-2018-3639 fix.
160
161  Not included by default in any Intel CPU model.
162
163  Must be explicitly turned on for all Intel CPU models.
164
165  Requires the host CPU microcode to support this feature before it
166  can be used for guest CPUs.
167
168``pdpe1gb``
169  Recommended to allow guest OS to use 1GB size pages.
170
171  Not included by default in any Intel CPU model.
172
173  Should be explicitly turned on for all Intel CPU models.
174
175  Note that not all CPU hardware will support this feature.
176
177``md-clear``
178  Required to confirm the MDS (CVE-2018-12126, CVE-2018-12127,
179  CVE-2018-12130, CVE-2019-11091) fixes.
180
181  Not included by default in any Intel CPU model.
182
183  Must be explicitly turned on for all Intel CPU models.
184
185  Requires the host CPU microcode to support this feature before it
186  can be used for guest CPUs.
187
188``mds-no``
189  Recommended to inform the guest OS that the host is *not* vulnerable
190  to any of the MDS variants ([MFBDS] CVE-2018-12130, [MLPDS]
191  CVE-2018-12127, [MSBDS] CVE-2018-12126).
192
193  This is an MSR (Model-Specific Register) feature rather than a CPUID feature,
194  therefore it will not appear in the Linux ``/proc/cpuinfo`` in the host or
195  guest.  Instead, the host kernel uses it to populate the MDS
196  vulnerability file in ``sysfs``.
197
198  So it should only be enabled for VMs if the host reports @code{Not
199  affected} in the ``/sys/devices/system/cpu/vulnerabilities/mds`` file.
200
201``taa-no``
202  Recommended to inform the guest that the host is ``not``
203  vulnerable to CVE-2019-11135, TSX Asynchronous Abort (TAA).
204
205  This is also an MSR feature, therefore it does not show up in the Linux
206  ``/proc/cpuinfo`` in the host or guest.
207
208  It should only be enabled for VMs if the host reports ``Not affected``
209  in the ``/sys/devices/system/cpu/vulnerabilities/tsx_async_abort``
210  file.
211
212``tsx-ctrl``
213  Recommended to inform the guest that it can disable the Intel TSX
214  (Transactional Synchronization Extensions) feature; or, if the
215  processor is vulnerable, use the Intel VERW instruction (a
216  processor-level instruction that performs checks on memory access) as
217  a mitigation for the TAA vulnerability.  (For details, refer to
218  Intel's `deep dive into MDS
219  <https://software.intel.com/security-software-guidance/insights/deep-dive-intel-analysis-microarchitectural-data-sampling>`_.)
220
221  Expose this to the guest OS if and only if: (a) the host has TSX
222  enabled; *and* (b) the guest has ``rtm`` CPU flag enabled.
223
224  By disabling TSX, KVM-based guests can avoid paying the price of
225  mitigating TSX-based attacks.
226
227  Note that ``tsx-ctrl`` is also an MSR feature, therefore it does not show
228  up in the Linux ``/proc/cpuinfo`` in the host or guest.
229
230  To validate that Intel TSX is indeed disabled for the guest, there are
231  two ways: (a) check for the *absence* of ``rtm`` in the guest's
232  ``/proc/cpuinfo``; or (b) the
233  ``/sys/devices/system/cpu/vulnerabilities/tsx_async_abort`` file in
234  the guest should report ``Mitigation: TSX disabled``.
235
236``bhi-no``
237  Recommended to inform the guest that the host is ``not``
238  vulnerable to CVE-2022-0001, Branch History Injection (BHI).
239
240  This is also an MSR feature, therefore it does not show up in the Linux
241  ``/proc/cpuinfo`` in the host or guest.
242
243  It should only be enabled for VMs if the host reports
244  ``BHI: Not affected`` in the
245  ``/sys/devices/system/cpu/vulnerabilities/spectre_v2`` file.
246
247``gds-no``
248  Recommended to inform the guest that the host is ``not``
249  vulnerable to CVE-2022-40982, Gather Data Sampling (GDS).
250
251  This is also an MSR feature, therefore it does not show up in the Linux
252  ``/proc/cpuinfo`` in the host or guest.
253
254  It should only be enabled for VMs if the host reports ``Not affected``
255  in the ``/sys/devices/system/cpu/vulnerabilities/gather_data_sampling``
256  file.
257
258``rfds-no``
259  Recommended to inform the guest that the host is ``not``
260  vulnerable to CVE-2023-28746, Register File Data Sampling (RFDS).
261
262  This is also an MSR feature, therefore it does not show up in the Linux
263  ``/proc/cpuinfo`` in the host or guest.
264
265  It should only be enabled for VMs if the host reports ``Not affected``
266  in the ``/sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling``
267  file.
268
269Preferred CPU models for AMD x86 hosts
270^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
271
272The following CPU models are preferred for use on AMD hosts.
273Administrators / applications are recommended to use the CPU model that
274matches the generation of the host CPUs in use. In a deployment with a
275mixture of host CPU models between machines, if live migration
276compatibility is required, use the newest CPU model that is compatible
277across all desired hosts.
278
279``EPYC``, ``EPYC-IBPB``
280    AMD EPYC Processor (2017)
281
282``Opteron_G5``
283    AMD Opteron 63xx class CPU (2012)
284
285``Opteron_G4``
286    AMD Opteron 62xx class CPU (2011)
287
288``Opteron_G3``
289    AMD Opteron 23xx (Gen 3 Class Opteron, 2009)
290
291``Opteron_G2``
292    AMD Opteron 22xx (Gen 2 Class Opteron, 2006)
293
294``Opteron_G1``
295    AMD Opteron 240 (Gen 1 Class Opteron, 2004)
296
297
298Important CPU features for AMD x86 hosts
299^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
300
301The following are important CPU features that should be used on AMD x86
302hosts, when available in the host CPU. Some of them require explicit
303configuration to enable, as they are not included by default in some, or
304all, of the named CPU models listed above. In general all of these
305features are included if using "Host passthrough" or "Host model".
306
307``ibpb``
308  Required to enable the Spectre v2 (CVE-2017-5715) fix.
309
310  Included by default in AMD CPU models with -IBPB suffix.
311
312  Must be explicitly turned on for AMD CPU models without -IBPB suffix.
313
314  Requires the host CPU microcode to support this feature before it
315  can be used for guest CPUs.
316
317``stibp``
318  Required to enable stronger Spectre v2 (CVE-2017-5715) fixes in some
319  operating systems.
320
321  Must be explicitly turned on for all AMD CPU models.
322
323  Requires the host CPU microcode to support this feature before it
324  can be used for guest CPUs.
325
326``virt-ssbd``
327  Required to enable the CVE-2018-3639 fix
328
329  Not included by default in any AMD CPU model.
330
331  Must be explicitly turned on for all AMD CPU models.
332
333  This should be provided to guests, even if amd-ssbd is also provided,
334  for maximum guest compatibility.
335
336  Note for some QEMU / libvirt versions, this must be force enabled when
337  when using "Host model", because this is a virtual feature that
338  doesn't exist in the physical host CPUs.
339
340``amd-ssbd``
341  Required to enable the CVE-2018-3639 fix
342
343  Not included by default in any AMD CPU model.
344
345  Must be explicitly turned on for all AMD CPU models.
346
347  This provides higher performance than ``virt-ssbd`` so should be
348  exposed to guests whenever available in the host. ``virt-ssbd`` should
349  none the less also be exposed for maximum guest compatibility as some
350  kernels only know about ``virt-ssbd``.
351
352``amd-no-ssb``
353  Recommended to indicate the host is not vulnerable CVE-2018-3639
354
355  Not included by default in any AMD CPU model.
356
357  Future hardware generations of CPU will not be vulnerable to
358  CVE-2018-3639, and thus the guest should be told not to enable
359  its mitigations, by exposing amd-no-ssb. This is mutually
360  exclusive with virt-ssbd and amd-ssbd.
361
362``pdpe1gb``
363  Recommended to allow guest OS to use 1GB size pages
364
365  Not included by default in any AMD CPU model.
366
367  Should be explicitly turned on for all AMD CPU models.
368
369  Note that not all CPU hardware will support this feature.
370
371
372Default x86 CPU models
373^^^^^^^^^^^^^^^^^^^^^^
374
375The default QEMU CPU models are designed such that they can run on all
376hosts.  If an application does not wish to do perform any host
377compatibility checks before launching guests, the default is guaranteed
378to work.
379
380The default CPU models will, however, leave the guest OS vulnerable to
381various CPU hardware flaws, so their use is strongly discouraged.
382Applications should follow the earlier guidance to setup a better CPU
383configuration, with host passthrough recommended if live migration is
384not needed.
385
386``qemu32``, ``qemu64``
387    QEMU Virtual CPU version 2.5+ (32 & 64 bit variants)
388
389``qemu64`` is used for x86_64 guests and ``qemu32`` is used for i686
390guests, when no ``-cpu`` argument is given to QEMU, or no ``<cpu>`` is
391provided in libvirt XML.
392
393Other non-recommended x86 CPUs
394^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
395
396The following CPUs models are compatible with most AMD and Intel x86
397hosts, but their usage is discouraged, as they expose a very limited
398featureset, which prevents guests having optimal performance.
399
400``kvm32``, ``kvm64``
401    Common KVM processor (32 & 64 bit variants).
402
403    Legacy models just for historical compatibility with ancient QEMU
404    versions.
405
406``486``, ``athlon``, ``phenom``, ``coreduo``, ``core2duo``, ``n270``, ``pentium``, ``pentium2``, ``pentium3``
407    Various very old x86 CPU models, mostly predating the introduction
408    of hardware assisted virtualization, that should thus not be
409    required for running virtual machines.
410
411
412Syntax for configuring CPU models
413=================================
414
415The examples below illustrate the approach to configuring the various
416CPU models / features in QEMU and libvirt.
417
418QEMU command line
419^^^^^^^^^^^^^^^^^
420
421Host passthrough:
422
423.. parsed-literal::
424
425  |qemu_system| -cpu host
426
427Host passthrough with feature customization:
428
429.. parsed-literal::
430
431  |qemu_system| -cpu host,vmx=off,...
432
433Named CPU models:
434
435.. parsed-literal::
436
437  |qemu_system| -cpu Westmere
438
439Named CPU models with feature customization:
440
441.. parsed-literal::
442
443  |qemu_system| -cpu Westmere,pcid=on,...
444
445Libvirt guest XML
446^^^^^^^^^^^^^^^^^
447
448Host passthrough::
449
450    <cpu mode='host-passthrough'/>
451
452Host passthrough with feature customization::
453
454    <cpu mode='host-passthrough'>
455        <feature name="vmx" policy="disable"/>
456        ...
457    </cpu>
458
459Host model::
460
461    <cpu mode='host-model'/>
462
463Host model with feature customization::
464
465    <cpu mode='host-model'>
466        <feature name="vmx" policy="disable"/>
467        ...
468    </cpu>
469
470Named model::
471
472    <cpu mode='custom'>
473        <model name="Westmere"/>
474    </cpu>
475
476Named model with feature customization::
477
478    <cpu mode='custom'>
479        <model name="Westmere"/>
480        <feature name="pcid" policy="require"/>
481        ...
482    </cpu>
483