extra CPU flags for machines; when to enable?

[gnomegemini]

Hi there,

I'm aware of the extra cpu flags of a virtual machine. But my question is when to enable them and when to disable. What does a default setting mean? If a host cpu is patched should I enable i.e. pcid or not? Or does the setting emulate a secure cpu?
How does an other cpu type affect this setting (kvm64 vs qemu64 vs host on a decent xeon cpu)?

The documentation on this is not very meaningful if someone has no deeper knowledge.

Thanks in advance and kind regards,
Stefan

 

[Stefan_R]

Our documentation includes a list of the flags related to sidechannel attacks here. In short, if you're running a somewhat recent CPU with the newest firmware, you can enable the following flags to provide either performance benefits (i.e. less performance hit from mitigations) or security benefits by allowing the guest kernel to use CPU mitigations for guest userspace:

* Intel: pcid, spec-ctrl, ssbd
* AMD: ibpb (or use CPU type with suffix -IBPB), virt-ssbd, amd-ssbd (if supported on host)

Note that as long as your host kernel is up to date, your host is safe from a malicious VM (regardless of CPU flags). The 'security' flags only help securing the guest kernel from guest applications (e.g. a program in a VM could trigger Spectre v4 without ssbd on Intel host CPUs, but that will only allow it to extract data from the guest kernel, never the host).

If you're using type 'host' this becomes even more tricky, since some flags will be passed to the VM anyway. In general, enable all you can if you require security (e.g. you're running untrusted software in a VM that also contains sensitive data), and pcid for less performance hit on Intel.

The other, non-sidechannel/speculative execution fixes (e.g. hv-tlbflush, aes, ...) are all for performance or specific features, you can safely ignore them if you do not have an explicit use-case. Otherwise searching the internet for the specific flag can often help understand what it does.