From 291f2ef21486cb54aadd40f07052aedfebef3792 Mon Sep 17 00:00:00 2001 From: Pavel Hrdina Date: Tue, 9 Apr 2019 13:13:46 +0200 Subject: [PATCH] DomainCpu: fix detection of CPU security features VM configured with mode="host-model" will have the CPU definition expanded once the VM is started. Libvirt will try to use the closest CPU model with some features enabled/disabled. The issue is that there are some models that include spec-ctrl or ibpb features and they will not appear in the explicit list of features and virt-manager will not correctly detect if all security features are enabled or not. As a workaround we can check the suffix of CPU model to figure out which security features are enabled by the model itself. Signed-off-by: Pavel Hrdina --- virtinst/domain/cpu.py | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/virtinst/domain/cpu.py b/virtinst/domain/cpu.py index 45fdbd3a..fa2df6de 100644 --- a/virtinst/domain/cpu.py +++ b/virtinst/domain/cpu.py @@ -134,15 +134,13 @@ class DomainCpu(XMLBuilder): self.secure = False return - for feature in features: - exists = False - for f in self.features: - if f.name == feature and f.policy == "require": - exists = True - break - if not exists: - self.secure = False - return + guestFeatures = [f.name for f in self.features if f.policy == "require"] + if self.model.endswith("IBRS"): + guestFeatures.append("spec-ctrl") + if self.model.endswith("IBPB"): + guestFeatures.append("ibpb") + + self.secure = set(features) <= set(guestFeatures) def _remove_security_features(self, guest): domcaps = guest.lookup_domcaps()