Custom CPU model with security fix

[f4242]

Hello,

Am I wrong to define a custom x86-64-v2-AES like that?

in /etc/pve/virtual-guest/cpu-models.conf:

cpu-model: my-x86-64-v2-AES
        flags +aes;+popcnt;+pni;+sse4.1;+sse4.2;+ssse3;+md-clear;+pcid;+spec-ctrl;+ssbd;+pdpe1gb
        reported-model qemu64
        hidden 0

Goal is to avoid to mess up with cpu flags manually on every vm on a cluster with heterogeneous cpu.

spectre-meltdown-checker returns :

• On base x86-64-v2-AES:

> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:KO CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:KO CVE-2018-12130:KO CVE-2018-12127:KO CVE-2019-11091:KO CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK CVE-2023-20593:OK

• On my custom x86-64-v2-AES:

> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:KO CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK CVE-2019-11135:OK CVE-2018-12207:OK CVE-2020-0543:OK CVE-2023-20593:OK

CVE-2017-5715 is still KO but all others appears right.

CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'
* Mitigated according to the /sys interface: YES (Mitigation: Retpolines; STIBP: disabled; RSB filling; PBRSB-eIBRS: Not affected; BHI: Retpoline)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: NO
* Kernel is compiled with IBPB support: UNKNOWN (in offline mode, we need the kernel image to be able to tell)
* IBPB enabled and active: NO
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: NO
> STATUS: VULNERABLE (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)

On the host, everything is green.