Re: [Qemu-devel] Do I need update the microcode of virtual machine


From: Daniel P. Berrange
Subject: Re: [Qemu-devel] Do I need update the microcode of virtual machine
Date: Thu, 18 Jan 2018 10:49:16 +0000
User-agent: Mutt/1.9.1 (2017-09-22)

On Thu, Jan 18, 2018 at 06:38:57PM +0800, Li Qiang wrote:
> Hi Paolo, all,
> 
> I have a question about the intel microcode update for spectre variant#2.
> From my understanding, there is no need to update the microcode of VMs
> because the kvm has exposed the SPEC_CTL and PRED_CMD to the guest.
> Also, if we need to update the microcode in guest, who is the vendor for
> this.
> From the hyper-v, I think I'm right.
> -->
> https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms
> 
> But upon I update the centos guest, the host kvm/qemu has been updated.
> The IBPB_ENABLED and IBRS_ENABLED are both zero if I don't update the
> microcode in the guest.
> If I update the guest microcode, they are both 1.
>
> So I want to know, if I should update the microcode in guest.
> If the answer is Yes, then what about the Windows guest, how to update the
> microcode?

Microcode updates are only applicable to the physical CPUs seen by the
host. There is no concept of microcode for virtual CPUs in the guest. The
guest merely sees whatever CPU feature the hypervisor has permitted it to
see. IOW, as described in that microsoft link, you need to

 - Update microcode and/or firmware in host
 - Update host hypervisor software
 - Change hypervisor config for each guest to enable new CPU features
 - Update guest software (kernel)
 - Cold boot (ie fully shutoff, and then power on) the guest

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
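
A way to confirm, from inside a Linux guest, that the steps listed above took effect: the following is an added example, not part of the original message or of QEMU/KVM. The function name and the sample lines are constructed, and the flag spellings it looks for are an assumption about the guest kernel.

```shell
#!/bin/sh
# Added example, not from the thread. Flag spellings are an assumption about
# the guest kernel: "spec_ctrl"/"ibpb_support" (RHEL/CentOS 7 kernels) and
# "ibrs"/"ibpb" (upstream Linux).

# spec_ctrl_state: read /proc/cpuinfo-style text on stdin and print
#   exposed      both the IBRS and IBPB controls are visible to the guest
#   partial      only one of the two is visible
#   not-exposed  neither is visible
spec_ctrl_state() {
    # Use the flag list of the first CPU entry only.
    flags=$(awk -F: '/^flags/ { print $2; exit }')
    ibrs=no
    ibpb=no
    # Pad with spaces so that "ibpb" cannot match inside "ibpb_support".
    case " $flags " in
        *" spec_ctrl "* | *" ibrs "*) ibrs=yes ;;
    esac
    case " $flags " in
        *" ibpb_support "* | *" ibpb "*) ibpb=yes ;;
    esac
    case "$ibrs$ibpb" in
        yesyes) echo exposed ;;
        nono)   echo not-exposed ;;
        *)      echo partial ;;
    esac
}

# Constructed, shortened sample lines (not captured from a real guest).
SAMPLE_BEFORE='flags		: fpu vme de pse tsc msr pae sse sse2 hypervisor'
SAMPLE_AFTER='flags		: fpu vme de pse tsc msr pae sse sse2 hypervisor spec_ctrl ibpb_support'

printf 'before: '; printf '%s\n' "$SAMPLE_BEFORE" | spec_ctrl_state
printf 'after:  '; printf '%s\n' "$SAMPLE_AFTER"  | spec_ctrl_state
```

On a real guest, run `spec_ctrl_state < /proc/cpuinfo` before and after the cold boot; the result only changes once the hypervisor config for that guest enables the new CPU features.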


