extra CPU flags for machines; when to enable?

gnomegemini

Member
Mar 12, 2012
Hi there,

I'm aware of the extra cpu flags of a virtual machine. But my question is when to enable them and when to disable. What does a default setting mean? If a host cpu is patched should I enable i.e. pcid or not? Or does the setting emulate a secure cpu?
How does another cpu type affect this setting (kvm64 vs qemu64 vs host on a decent xeon cpu)?

The documentation on this is not very meaningful if someone has no deeper knowledge.

Thanks in advance and kind regards,
Stefan
 
Our documentation includes a list of the flags related to side-channel attacks here. In short, if you're running a somewhat recent CPU with the newest firmware, you can enable the following flags to provide either performance benefits (i.e. less performance hit from mitigations) or security benefits by allowing the guest kernel to use CPU mitigations for guest userspace:

* Intel: pcid, spec-ctrl, ssbd
* AMD: ibpb (or use CPU type with suffix -IBPB), virt-ssbd, amd-ssbd (if supported on host)

Note that as long as your host kernel is up to date, your host is safe from a malicious VM (regardless of CPU flags). The 'security' flags only help secure the guest kernel from guest applications (e.g. a program in a VM could trigger Spectre v4 without ssbd on Intel host CPUs, but that will only allow it to extract data from the guest kernel, never the host).

If you're using type 'host' this becomes even more tricky, since some flags will be passed to the VM anyway. In general, enable all you can if you require security (e.g. you're running untrusted software in a VM that also contains sensitive data), and pcid for less performance hit on Intel.

The other, non-side-channel/speculative execution fixes (e.g. hv-tlbflush, aes, ...) are all for performance or specific features; you can safely ignore them if you do not have an explicit use-case. Otherwise, searching the internet for the specific flag can often help you understand what it does.
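A practical way to verify the advice above from inside a Linux guest is to check two things: whether the recommended flags actually reached the guest (they show up in the `flags` line of `/proc/cpuinfo`, with underscores instead of the hyphens QEMU uses, e.g. `spec-ctrl` becomes `spec_ctrl`) and whether the guest kernel reports a mitigation in `/sys/devices/system/cpu/vulnerabilities/`. The script below is an added example, not code from the thread or from Proxmox; the `/proc/cpuinfo` and vulnerabilities samples are constructed (an Intel guest that was given `pcid` but not `spec-ctrl`/`ssbd`), and the `cpu:` option string it prints follows the `flags=+a;+b` syntax from the Proxmox VE documentation, which you should confirm against your PVE version.

```python
#!/usr/bin/env python3
"""Guest-side check for the side-channel CPU flags and kernel mitigations.

Added example (not from the forum thread). Reads the standard Linux paths when
run on a real guest; the SAMPLE_* data below is constructed for offline use.
"""
import os

# QEMU/Proxmox flag name -> name as the Linux kernel prints it in /proc/cpuinfo.
RECOMMENDED = {
    "intel": {"pcid": "pcid", "spec-ctrl": "spec_ctrl", "ssbd": "ssbd"},
    "amd": {"ibpb": "ibpb", "virt-ssbd": "virt_ssbd", "amd-ssbd": "amd_ssbd"},
}

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


def vendor_from_cpuinfo(cpuinfo: str) -> str:
    """Return 'intel' or 'amd' from the vendor_id line of /proc/cpuinfo text."""
    for line in cpuinfo.splitlines():
        if line.startswith("vendor_id"):
            return "amd" if "AMD" in line.split(":", 1)[1] else "intel"
    raise ValueError("no vendor_id line in cpuinfo")


def guest_flags(cpuinfo: str) -> set:
    """Return the set of CPU feature flags the guest kernel sees."""
    for line in cpuinfo.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def missing_flags(cpuinfo: str) -> list:
    """Recommended QEMU flag names (for this vendor) that the guest does not see."""
    kernel_flags = guest_flags(cpuinfo)
    table = RECOMMENDED[vendor_from_cpuinfo(cpuinfo)]
    return [qemu for qemu, kern in table.items() if kern not in kernel_flags]


def proxmox_cpu_option(cpuinfo: str, cputype: str = "host") -> str:
    """Value for the VM's 'cpu:' option that enables every recommended flag.
    Syntax per Proxmox VE docs (assumption: verify for your PVE version)."""
    table = RECOMMENDED[vendor_from_cpuinfo(cpuinfo)]
    return cputype + ",flags=" + ";".join("+" + f for f in table)


def mitigation_status(vuln_files: dict) -> dict:
    """Map vulnerability name -> 'mitigated' | 'not_affected' | 'vulnerable' | 'unknown'
    from the contents of the files under /sys/devices/system/cpu/vulnerabilities."""
    status = {}
    for name, text in vuln_files.items():
        t = text.strip()
        if t.startswith("Mitigation:"):
            status[name] = "mitigated"
        elif t.startswith("Not affected"):
            status[name] = "not_affected"
        elif t.startswith("Vulnerable"):
            status[name] = "vulnerable"
        else:
            status[name] = "unknown"
    return status


def read_vuln_dir(path: str = VULN_DIR) -> dict:
    """Read every sysfs vulnerability file on a real guest; empty dict if absent."""
    files = {}
    if os.path.isdir(path):
        for name in sorted(os.listdir(path)):
            with open(os.path.join(path, name)) as fh:
                files[name] = fh.read()
    return files


# Constructed sample: Intel guest that received 'pcid' but not spec-ctrl/ssbd.
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "model name\t: Intel Xeon Processor (constructed sample)\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep pcid sse4_2 "
    "x2apic hypervisor lahf_lm\n"
)
# Constructed sample of the sysfs files matching the guest above.
SAMPLE_VULNS = {
    "meltdown": "Mitigation: PTI\n",
    "spec_store_bypass": "Vulnerable\n",
    "spectre_v2": "Mitigation: Retpolines\n",
}

if __name__ == "__main__":
    cpuinfo = SAMPLE_CPUINFO
    vulns = SAMPLE_VULNS
    if os.path.exists("/proc/cpuinfo"):  # prefer live data when available
        with open("/proc/cpuinfo") as fh:
            cpuinfo = fh.read()
        vulns = read_vuln_dir() or SAMPLE_VULNS
    print("missing recommended flags:", missing_flags(cpuinfo) or "none")
    print("suggested cpu option      :", proxmox_cpu_option(cpuinfo))
    for name, state in mitigation_status(vulns).items():
        print(f"{name:20s} {state}")
```

On the sample data the script reports `spec-ctrl` and `ssbd` as missing and `spec_store_bypass` as `vulnerable`, which is exactly the Spectre v4 situation the answer describes: the guest kernel cannot protect itself from guest userspace until the flag is passed through. A `Not affected`/`Mitigation:` line for every entry, together with an empty missing list, is the state you want for a VM running untrusted software next to sensitive data.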
 