Which host CPU, Intel, ARM or AMD?
Following the embargo lifting, the official proof of concept for Spectre 2 from Google was disclosed.
https://bugs.chromium.org/p/project-zero/issues/detail?id=1272
https://news.ycombinator.com/item?id=16107691
Following analysis, we believe the PoC is only working on a specific software configuration.
ML11O crashed with -102 version.
I'm going to check -103 at the weekend.
You will get feedback, then.
I've seen -103 is available right now.
Thanks for your hard work.
Hi Fabian,
qemu-server and pve-manager packages just got updated (up to pve-no-subscription) to allow passing through the PCID CPU flag to VMs for speeding up KPTI, see the admin guide for details:
This can be done, for example, by editing the CPU through the WebUI.
Note that you need to shutdown and start (not reboot from within!) the VM for the changes to apply.
perhaps I miss something, but I don't find the point in the gui!
In the gui I see below Edit: CPU options only VCPUs, CPU limit and CPU units...
If I add following line in a vm-config I get the pcid flag inside the vm:
Code:
args: -cpu kvm64,+pcid
My versions:
Code:
proxmox-ve: 5.1-35 (running kernel: 4.13.13-4-pve)
pve-manager: 5.1-41 (running version: 5.1-41/0b958203)
pve-kernel-4.4.98-3-pve: 4.4.98-102
pve-kernel-4.13.13-4-pve: 4.13.13-35
pve-kernel-4.13.13-3-pve: 4.13.13-34
libpve-http-server-perl: 2.0-8
lvm2: 2.02.168-pve6
corosync: 2.4.2-pve3
libqb0: 1.0.1-1
pve-cluster: 5.0-19
qemu-server: 5.0-18
pve-firmware: 2.0-3
libpve-common-perl: 5.0-25
libpve-guest-common-perl: 2.0-14
libpve-access-control: 5.0-7
libpve-storage-perl: 5.0-17
pve-libspice-server1: 0.12.8-3
vncterm: 1.5-3
pve-docs: 5.1-15
pve-qemu-kvm: 2.9.1-5
pve-container: 2.0-18
pve-firewall: 3.0-5
pve-ha-manager: 2.0-4
ksm-control-daemon: 1.2-2
glusterfs-client: 3.8.8-1
lxc-pve: 2.1.1-2
lxcfs: 2.0.8-1
criu: 2.11.1-1~bpo90
novnc-pve: 0.6-4
smartmontools: 6.5+svn4324-1
zfsutils-linux: 0.7.3-pve1~bpo9
openvswitch-switch: 2.7.0-2
ceph: 12.2.2-pve1
Udo
qemu-server and pve-manager packages just got updated (up to pve-no-subscription) to allow passing through the PCID CPU flag to VMs for speeding up KPTI, see the admin guide for details:
PCID Flag
The PCID CPU flag helps to improve performance of the Meltdown vulnerability mitigation approach. In Linux the mitigation is called Kernel Page-Table Isolation (KPTI), which effectively hides the Kernel memory from the user space, which, without PCID, is an expensive operation.
There are two requirements to reduce the cost of the mitigation:
- The host CPU must support PCID and propagate it to the guest’s virtual CPU(s)
- The guest Operating System must be updated to a version which mitigates the attack and utilizes the PCID feature marked by its flag.
To check if the Proxmox VE host supports PCID, execute the following command as root:
# grep ' pcid ' /proc/cpuinfo
If this does not return empty, your host’s CPU has support for PCID. If you use ‘host’ as CPU type and the guest OS is able to use it, you’re done. Else, the PCID CPU flag needs to get set for the virtual CPU. This can be done, for example, by editing the CPU through the WebUI.
Note that you need to shutdown and start (not reboot from within!) the VM for the changes to apply.
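As an added example (not code from the Proxmox admin guide or from anyone in this thread), a small POSIX sh pre-flight check for the two requirements above: it tests a /proc/cpuinfo-style snapshot for the pcid flag on every CPU and adds the args: line from the thread to a VM config when no args: line is there yet. The file names and the sample cpuinfo/config contents are constructed.

```shell
#!/bin/sh
# Added example, not from the Proxmox admin guide or this thread: a pre-flight
# check for the two PCID requirements. It works on /proc/cpuinfo-style text,
# so it can run on the PVE host, inside a guest, or on a saved copy of either.

# has_cpu_flag FLAG [FILE]: succeed only if every "flags" line in FILE lists
# FLAG as a whole word, i.e. every (virtual) CPU reports it. Same idea as the
# guide's grep ' pcid ' /proc/cpuinfo (the surrounding spaces keep it from
# matching the distinct invpcid flag), but it also matches at end of line.
has_cpu_flag() {
    flag=$1
    file=${2:-/proc/cpuinfo}
    total=$(grep -c '^flags' "$file")
    found=$(grep '^flags' "$file" | grep -c -E "(^| )$flag( |$)")
    [ "$total" -gt 0 ] && [ "$total" -eq "$found" ]
}

# pcid_report [FILE]: one-word verdict, "present" or "missing".
pcid_report() {
    if has_cpu_flag pcid "$1"; then echo present; else echo missing; fi
}

# ensure_pcid_args CONF: add the thread's line, args: -cpu kvm64,+pcid, to a
# qemu-server VM config (e.g. /etc/pve/qemu-server/100.conf) unless an args:
# line already exists; prints the resulting args: line. The VM must then be
# shut down and started again (not rebooted from inside) for it to apply.
ensure_pcid_args() {
    conf=$1
    if ! grep -q '^args:' "$conf"; then
        echo 'args: -cpu kvm64,+pcid' >> "$conf"
    fi
    grep '^args:' "$conf"
}

# Constructed samples: a two-core host with PCID, a kvm64 guest that carries
# invpcid only (a sloppy grep for "pcid" would be fooled), and a VM config
# without any args: line.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'processor\t: 0\nflags\t\t: fpu pge pcid invpcid\n\n' > "$tmp/host.txt"
printf 'processor\t: 1\nflags\t\t: fpu pge pcid invpcid\n' >> "$tmp/host.txt"
printf 'processor\t: 0\nflags\t\t: fpu pge invpcid\n' > "$tmp/guest.txt"
printf 'cores: 2\nmemory: 2048\n' > "$tmp/100.conf"

echo "host:  pcid $(pcid_report "$tmp/host.txt")"    # host:  pcid present
echo "guest: pcid $(pcid_report "$tmp/guest.txt")"   # guest: pcid missing
ensure_pcid_args "$tmp/100.conf"                     # args: -cpu kvm64,+pcid
```

Run it on the host and again inside the guest: "present" on the host but "missing" in the guest is exactly the case the args: line (or the host CPU type) fixes.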
Where do we need to type this, in the PVE server or in the KVM VM?
The story about ‘host’ is not clear either.
CPU Type
Qemu can emulate a number of different CPU types from 486 to the latest Xeon processors. Each new processor generation adds new features, like hardware assisted 3d rendering, random number generation, memory protection, etc … Usually you should select for your VM a processor type which closely matches the CPU of the host system, as it means that the host CPU features (also called CPU flags) will be available in your VMs. If you want an exact match, you can set the CPU type to host in which case the VM will have exactly the same CPU flags as your host system.
This has a downside though. If you want to do a live migration of VMs between different hosts, your VM might end up on a new system with a different CPU type. If the CPU flags passed to the guest are missing, the qemu process will stop. To remedy this Qemu also has its own CPU type kvm64, which Proxmox VE uses by default. kvm64 is a Pentium 4 look-alike CPU type, which has a reduced CPU flag set, but is guaranteed to work everywhere.
In short, if you care about live migration and moving VMs between nodes, leave the kvm64 default. If you don’t care about live migration or have a homogeneous cluster where all nodes have the same CPU, set the CPU type to host, as in theory this will give your guests maximum performance.
"Proxmox Host" = on the proxmox node = "PVE server"
had to read this two times as well, it's really meant literally: there is an ("Type:") option called "host" now, which you have to select...
Warning: problems with Meltdown patched BIOS on some Dell servers (instabilities).
I've not more details.
Is it really necessary to update the BIOS? Is updating the kernel not enough for Meltdown?
So performance is poorer with PTI than without PTI on the guest CPU?