domcapabilities: remove recommended CPU features from security features

These features are only recommended to be enabled since they improve performance of the VMs if security features are enabled. pcid is a very useful perf feature, but missing in some silicon so not portable. pdpe1gb lets the guest use 1 GB pages which is good for perf but again not all silicon can do it. amd-ssbd is a security feature which fixes the same SSBD flaws as the virt-ssbd feature does. virt-ssbd is usable across all CPU models affected by SSBD, while amd-ssbd is only available in very new silicon. So virt-ssbd is the bette rchoice. amd-no-ssb just indicates that the CPU is not affected by SSBD, so not critical to expose. I expect a future named CPU model will include that where appropriate. Signed-off-by: Pavel Hrdina <phrdina@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-03-29 10:22:08 +01:00 · 2019-03-29 10:22:08 +01:00 · 29f815fbd2
parent c6b5f22fa6
commit 29f815fbd2
3 changed files with 1 additions and 11 deletions
--- a/tests/cli-test-xml/compare/virt-install-qemu-plain.xml
+++ b/tests/cli-test-xml/compare/virt-install-qemu-plain.xml
@ -20,8 +20,6 @@
  </features>
  <cpu mode="custom" match="exact">
    <model>Penryn</model>
-    <feature policy="require" name="pcid"/>
-    <feature policy="require" name="pdpe1gb"/>
  </cpu>
  <clock offset="utc">
    <timer name="rtc" tickpolicy="catchup"/>
--- a/tests/cli-test-xml/compare/virt-install-singleton-config-2.xml
+++ b/tests/cli-test-xml/compare/virt-install-singleton-config-2.xml
@ -94,8 +94,6 @@
    <model>foobar</model>
    <vendor>meee</vendor>
    <topology sockets="2" cores="2" threads="2"/>
-    <feature policy="require" name="pcid"/>
-    <feature policy="require" name="pdpe1gb"/>
    <feature policy="force" name="x2apic"/>
    <feature policy="force" name="x2apicagain"/>
    <feature policy="require" name="reqtest"/>
@ -291,8 +289,6 @@
    <model>foobar</model>
    <vendor>meee</vendor>
    <topology sockets="2" cores="2" threads="2"/>
-    <feature policy="require" name="pcid"/>
-    <feature policy="require" name="pdpe1gb"/>
    <feature policy="force" name="x2apic"/>
    <feature policy="force" name="x2apicagain"/>
    <feature policy="require" name="reqtest"/>
--- a/virtinst/domcapabilities.py
+++ b/virtinst/domcapabilities.py
@ -274,14 +274,10 @@ class DomainCapabilities(XMLBuilder):

    def get_cpu_security_features(self):
        sec_features = [
-                'pcid',
                'spec-ctrl',
                'ssbd',
-                'pdpe1gb',
                'ibpb',
-                'virt-ssbd',
-                'amd-ssbd',
-                'amd-no-ssb']
+                'virt-ssbd']

        features = []