Necessary CPU flags

[TheHellSite]

Hello,

after reading trough the whole Proxmox Wiki to get the best VM settings for my needs, the only thing left are the required / necessary CPU flags.
Below you can find a picture of all the CPU flags available in my Proxmox node powered by an Intel J3160. (Intel ARK)
Number one priority for me is performance and security, but also stability.

I already figured out that I have to enable "aes", at least for OpenWrt as it will be running an OpenVPN server + client.
As far as I can tell I don't need the red marked flags, since they either expect an AMD CPU or nested virtualization, both of which don't apply for my setup.

Which of the other six flags do I need to set for my OpenWrt and Debian VMs?

Spoiler: /sys/devices/system/cpu/vulnerabilities/

root@PVE:~# for f in /sys/devices/system/cpu/vulnerabilities/*; do echo "${f##*/} -" $(cat "$f"); done
itlb_multihit - Not affected
l1tf - Not affected
mds - Vulnerable: Clear CPU buffers attempted, no microcode; SMT disabled
meltdown - Mitigation: PTI
spec_store_bypass - Not affected
spectre_v1 - Mitigation: usercopy/swapgs barriers and __user pointer sanitization
spectre_v2 - Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling
tsx_async_abort - Not affected
root@PVE:~#

P.S.: I also attached a performance test I ran in my OpenWrt VM without and with the "aes" flag set.

Kind Regards
TheHellSite

 

[wolfgang]

Hi,
use the "host" CPU type and the flags will set correct and secure way.

 

[TheHellSite]

But this would mean that I will be unable to export / import these VMs on other Nodes with a different CPU. If I understood the wiki correctly.

"This has a downside though. If you want to do a live migration of VMs between different hosts, your VM might end up on a new system with a different CPU type. If the CPU flags passed to the guest are missing, the qemu process will stop. To remedy this Qemu has also its own CPU type kvm64 "

Because of that I am asking which of the 6 cpu flags are best for me to set.

 

[wolfgang]

But this would mean that I will be unable to export / import these VMs on other Nodes with a different CPU. If I understood the wiki correctly.

No just live-migration will only work when CPU is the same.
Offline/export will not affect this.

If you like to use live-migration then use the oldest CPU type in your cluster.

 

[TheHellSite]

So pve behaves is differently than real systems where you could get some troubles, f.e. switching from an Intel to an AMD CPU?

Lets say one day I replace my Intel pve-system with one that is powered by an AMD CPU. I just install proxmox again, configure it like before, import all the VMs and the all VMs will run like nothing has changed? Even if there are Windows VMs?

Or does work like this: By selecting "host" as cpu type pve gives the VM all the CPU flags of the real CPU but still creates a virtualCPU rather than directly passing trough the CPU to the VM?

 

[wolfgang]

So pve behaves is differently than real systems where you could get some troubles, f.e. switching from an Intel to an AMD CPU?

On real systems, you do no live-migration. ;-)

Live-migration with different CPU manufacturers does not work.

Linux load the actual drivers for the needed CPU(Flags).
Modern Windows do the same but you have maybe registered your VM again, but this is no technical problem it is a license problem.

By selecting "host" as cpu type pve gives the VM all the CPU flags of the real CPU but still creates a virtualCPU rather than directly passing trough the CPU to the VM?

It is more like a filter. You can't enable CPU-flags which the CPU does not support. This will always end with a nonstarting VM.

 

[TheHellSite]

I now figured out that the only possible flags for my system are "spec-ctrl" and "aes".

I will stick with the kvm64 CPU because of compatibility.