Re: [Qemu-devel] Do I need update the microcode of virtual machine

[Li Qiang]

2018-01-18 18:49 GMT+08:00 Daniel P. Berrange <address@hidden>:

> On Thu, Jan 18, 2018 at 06:38:57PM +0800, Li Qiang wrote:
> > Hi Paolo, all,
> >
> > I have a question about the intel microcode update for spectre variant#2.
> > From my understanding, there is no need to update the microcode of VMs
> > because the kvm has expose the SPEC_CTL and PRED_CMD to the guest.
> > Also, if we need to update the micorcode in guest, who is the vendor for
> > this.
> > From the hyper-v, I think I'm right.
> > -->
> > https://docs.microsoft.com/en-us/virtualization/hyper-v-on-
> windows/CVE-2017-5715-and-hyper-v-vms
> >
> > But upon I update the centos guest, the host kvm/qemu has been updated.
> > The IBPB_ENABLED and IBRS_ENABLED are both zero if I don't update the
> > microcode in the guest.
> > If I update the guest micorcode, the are both 1.
> >
> > So I want to know, if I should update the microcode in guest.
> > If the answer is Yes, then what about the Windows guest, how to update
> the
> > microcode?
>
> Microcode updates are only applicable to the physical CPUs seen by the
> host. There is no concept of microcde for virtual CPUs in the guest. The
> guest merely sees whatever CPU feature the hypervisor has permitted it to
> see. IOW, as described in that microsoft link, you need to
>
>  - Update microcode and/or firmware in host
>  - Update host hypervisor software
>  - Change hypervisor config for each guest to enable new CPU features
>  - Update guest software (kernel)
>  - Cold boot (ie fully shutoff, and then power on) the guest
>
>
You are right. I have made a mistake, the test guest centos doesn't
schedule to the host which I have updated the kvm/qemu.
Thanks!

Li Qiang


> Regards,
> Daniel
> --
> |: https://berrange.com      -o-    https://www.flickr.com/photos/
> dberrange :|
> |: https://libvirt.org         -o-
> https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/
> dberrange :|
>