qemu-devel.nongnu.org archive mirror
* [Qemu-devel] Do I need update the microcode of virtual machine
From: Li Qiang @ 2018-01-18 10:38 UTC
  To: Paolo Bonzini; +Cc: Qemu Developers

Hi Paolo, all,

I have a question about the intel microcode update for spectre variant#2.
From my understanding, there is no need to update the microcode of VMs
because the kvm has exposed the SPEC_CTL and PRED_CMD to the guest.
Also, if we need to update the microcode in guest, who is the vendor for
this.
From the hyper-v, I think I'm right.
-->
https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms

But upon I update the centos guest, the host kvm/qemu has been updated.
The IBPB_ENABLED and IBRS_ENABLED are both zero if I don't update the
microcode in the guest.
If I update the guest microcode, they are both 1.

So I want to know, if I should update the microcode in guest.
If the answer is Yes, then what about the Windows guest, how to update the
microcode?


Thanks,
Li Qiang

* Re: [Qemu-devel] Do I need update the microcode of virtual machine
From: Paolo Bonzini @ 2018-01-18 10:43 UTC
  To: Li Qiang; +Cc: Qemu Developers

On 18/01/2018 11:38, Li Qiang wrote:
> Hi Paolo, all,
> 
> I have a question about the intel microcode update for spectre variant#2.
> From my understanding, there is no need to update the microcode of VMs
> because the kvm has exposed the SPEC_CTL and PRED_CMD to the guest.
> Also, if we need to update the microcode in guest, who is the vendor for
> this.

The guest has no microcode of its own, but you need to update the
microcode in the host.  You also need to update the kernel, QEMU and
libvirt if you are using it.

> From the hyper-v, I think I'm right.
> -->https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms
> 
> But upon I update the centos guest, the host kvm/qemu has been updated.
> The IBPB_ENABLED and IBRS_ENABLED are both zero if I don't update the
> microcode in the guest. If I update the guest microcode, they are both 1.

What do you mean by "update the guest microcode"?  Did you mean host?

Paolo

> 
> So I want to know, if I should update the microcode in guest. 
> If the answer is Yes, then what about the Windows guest, how to update
> the microcode?
> 
> 
> Thanks,
> Li Qiang

* Re: [Qemu-devel] Do I need update the microcode of virtual machine
From: Li Qiang @ 2018-01-18 10:48 UTC
  To: Paolo Bonzini; +Cc: Qemu Developers

2018-01-18 18:43 GMT+08:00 Paolo Bonzini <pbonzini@redhat.com>:

> On 18/01/2018 11:38, Li Qiang wrote:
> > Hi Paolo, all,
> >
> > I have a question about the intel microcode update for spectre variant#2.
> > From my understanding, there is no need to update the microcode of VMs
> > because the kvm has exposed the SPEC_CTL and PRED_CMD to the guest.
> > Also, if we need to update the microcode in guest, who is the vendor for
> > this.
>
> The guest has no microcode of its own, but you need to update the
> microcode in the host.  You also need to update the kernel, QEMU and
> libvirt if you are using it.
>
> > From the hyper-v, I think I'm right.
> > -->https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms
> >
> > But upon I update the centos guest, the host kvm/qemu has been updated.
> > The IBPB_ENABLED and IBRS_ENABLED are both zero if I don't update the
> > microcode in the guest. If I update the guest microcode, they are both 1.
>
> What do you mean by "update the guest microcode"?  Did you mean host?
>

No, here I mean the guest: by overwriting the guest's files in the
/lib/firmware/intel-ucode/ directory and "echo 1 >
/sys/devices/system/cpu/microcode/reload" as Intel's instructions say.
The host's kvm and qemu had been updated before this.

Thanks,
Li Qiang


>
> Paolo
>
> >
> > So I want to know, if I should update the microcode in guest.
> > If the answer is Yes, then what about the Windows guest, how to update
> > the microcode?
> >
> >
> > Thanks,
> > Li Qiang
>
>

* Re: [Qemu-devel] Do I need update the microcode of virtual machine
From: Daniel P. Berrange @ 2018-01-18 10:49 UTC
  To: Li Qiang; +Cc: Paolo Bonzini, Qemu Developers

On Thu, Jan 18, 2018 at 06:38:57PM +0800, Li Qiang wrote:
> Hi Paolo, all,
> 
> I have a question about the intel microcode update for spectre variant#2.
> From my understanding, there is no need to update the microcode of VMs
> because the kvm has exposed the SPEC_CTL and PRED_CMD to the guest.
> Also, if we need to update the microcode in guest, who is the vendor for
> this.
> From the hyper-v, I think I'm right.
> -->
> https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms
> 
> But upon I update the centos guest, the host kvm/qemu has been updated.
> The IBPB_ENABLED and IBRS_ENABLED are both zero if I don't update the
> microcode in the guest.
> If I update the guest microcode, they are both 1.
>
> So I want to know, if I should update the microcode in guest.
> If the answer is Yes, then what about the Windows guest, how to update the
> microcode?

Microcode updates are only applicable to the physical CPUs seen by the
host. There is no concept of microcode for virtual CPUs in the guest. The
guest merely sees whatever CPU feature the hypervisor has permitted it to
see. IOW, as described in that microsoft link, you need to

 - Update microcode and/or firmware in host
 - Update host hypervisor software
 - Change hypervisor config for each guest to enable new CPU features
 - Update guest software (kernel)
 - Cold boot (ie fully shutoff, and then power on) the guest

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
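
A guest-side check for the outcome of the steps Daniel lists above, added here as an example and not part of the original thread. The CPU flag names are assumptions (`spec_ctrl` as printed by CentOS/RHEL 7 kernels, `ibrs`/`ibpb` as printed by upstream kernels), and the sample flag lines are constructed.

```shell
#!/bin/sh
# Added example. Flag names are assumptions: "spec_ctrl" as printed by
# CentOS/RHEL 7 kernels, "ibrs"/"ibpb" as printed by upstream kernels.

# has_flag FLAGS NAME: succeed if NAME is a whole word in FLAGS.
has_flag() {
    case " $1 " in *" $2 "*) return 0 ;; esac
    return 1
}

# spec_ctrl_status [CPUINFO]: print one of
#   exposed            this CPU (virtual or physical) advertises the controls
#   hidden-from-guest  running under a hypervisor and the controls are not
#                      visible; reloading microcode in the guest cannot change it
#   absent-on-host     bare metal without them: microcode/firmware or kernel
spec_ctrl_status() {
    cpuinfo=${1:-/proc/cpuinfo}
    # The first "flags" line is used; CPUs normally share one flag set.
    flags=$(awk -F': ' '/^flags/ { print $2; exit }' "$cpuinfo")
    for name in spec_ctrl ibrs ibpb; do
        if has_flag "$flags" "$name"; then
            echo exposed
            return 0
        fi
    done
    if has_flag "$flags" hypervisor; then
        echo hidden-from-guest
    else
        echo absent-on-host
    fi
}

# sample_cpuinfo FLAGS: write a constructed one-CPU cpuinfo, print its path.
sample_cpuinfo() {
    path=$(mktemp)
    printf 'processor\t: 0\nflags\t\t: %s\n' "$1" > "$path"
    echo "$path"
}

# Constructed inputs: the same guest before and after the host-side steps.
before=$(sample_cpuinfo "fpu vme sse2 hypervisor")
after=$(sample_cpuinfo "fpu vme sse2 hypervisor spec_ctrl")
echo "before: $(spec_ctrl_status "$before")"
echo "after:  $(spec_ctrl_status "$after")"
rm -f "$before" "$after"
```

Run with no argument inside a guest, `spec_ctrl_status` reads `/proc/cpuinfo`; a result of `hidden-from-guest` points back at the host-side items in the list and the cold boot.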

* Re: [Qemu-devel] Do I need update the microcode of virtual machine
From: Paolo Bonzini @ 2018-01-18 10:50 UTC
  To: Li Qiang; +Cc: Qemu Developers

On 18/01/2018 11:48, Li Qiang wrote:
> 
>     > But upon I update the centos guest, the host kvm/qemu has been updated.
>     > The IBPB_ENABLED and IBRS_ENABLED are both zero if I don't update the
>     > microcode in the guest. If I update the guest microcode, they are both 1.
> 
>     What do you mean by "update the guest microcode"?  Did you mean host?
> 
> 
> No, here I mean the guest: by overwriting the guest's files in the
> /lib/firmware/intel-ucode/ directory and "echo 1 >
> /sys/devices/system/cpu/microcode/reload" as Intel's instructions say.
> The host's kvm and qemu had been updated before this.

No, that has no effect.

Paolo

* Re: [Qemu-devel] Do I need update the microcode of virtual machine
From: Li Qiang @ 2018-01-18 11:23 UTC
  To: Daniel P. Berrange; +Cc: Paolo Bonzini, Qemu Developers

2018-01-18 18:49 GMT+08:00 Daniel P. Berrange <berrange@redhat.com>:

> On Thu, Jan 18, 2018 at 06:38:57PM +0800, Li Qiang wrote:
> > Hi Paolo, all,
> >
> > I have a question about the intel microcode update for spectre variant#2.
> > From my understanding, there is no need to update the microcode of VMs
> > because the kvm has exposed the SPEC_CTL and PRED_CMD to the guest.
> > Also, if we need to update the microcode in guest, who is the vendor for
> > this.
> > From the hyper-v, I think I'm right.
> > -->
> > https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/CVE-2017-5715-and-hyper-v-vms
> >
> > But upon I update the centos guest, the host kvm/qemu has been updated.
> > The IBPB_ENABLED and IBRS_ENABLED are both zero if I don't update the
> > microcode in the guest.
> > If I update the guest microcode, they are both 1.
> >
> > So I want to know, if I should update the microcode in guest.
> > If the answer is Yes, then what about the Windows guest, how to update the
> > microcode?
>
> Microcode updates are only applicable to the physical CPUs seen by the
> host. There is no concept of microcode for virtual CPUs in the guest. The
> guest merely sees whatever CPU feature the hypervisor has permitted it to
> see. IOW, as described in that microsoft link, you need to
>
>  - Update microcode and/or firmware in host
>  - Update host hypervisor software
>  - Change hypervisor config for each guest to enable new CPU features
>  - Update guest software (kernel)
>  - Cold boot (ie fully shutoff, and then power on) the guest
>
>
You are right. I made a mistake: the test CentOS guest was not scheduled
onto the host on which I had updated the kvm/qemu.
Thanks!

Li Qiang


> Regards,
> Daniel
> --
> |: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org         -o-            https://fstop138.berrange.com :|
> |: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
>
