DomainCpu: fix detection of CPU security features

VM configured with mode="host-model" will have the CPU definition expanded once the VM is started. Libvirt will try to use the closest CPU model with some features enabled/disabled. The issue is that there are some models that include spec-ctrl or ibpb features and they will not appear in the explicit list of features and virt-manager will not correctly detect if all security features are enabled or not. As a workaround we can check the suffix of CPU model to figure out which security features are enabled by the model itself. Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2019-04-09 13:13:46 +02:00 · 2019-04-09 13:13:46 +02:00 · 291f2ef214
parent d7fed32947
commit 291f2ef214
1 changed files with 7 additions and 9 deletions
--- a/virtinst/domain/cpu.py
+++ b/virtinst/domain/cpu.py
@ -134,15 +134,13 @@ class DomainCpu(XMLBuilder):
            self.secure = False
            return

-        for feature in features:
-            exists = False
-            for f in self.features:
-                if f.name == feature and f.policy == "require":
-                    exists = True
-                    break
-            if not exists:
-                self.secure = False
-                return
+        guestFeatures = [f.name for f in self.features if f.policy == "require"]
+        if self.model.endswith("IBRS"):
+            guestFeatures.append("spec-ctrl")
+        if self.model.endswith("IBPB"):
+            guestFeatures.append("ibpb")
+
+        self.secure = set(features) <= set(guestFeatures)

    def _remove_security_features(self, guest):
        domcaps = guest.lookup_domcaps()