VIRTUALIZATION
-
QEMU HW mitigations support (ARCH_CAPABILITIES)
LP: #1828495 | PPA: #1828495 | MERGE: #1828495
Backported ARCH_CAPABILITIES MSR to QEMU 3.1 (Ubuntu Disco, this time). Based on @paelzer’s review on my Bionic patches. PPA is good for testing if anyone is interested.
With this features, guest can now report not being susceptible to a specific side-channel vulnerability. For this particular case, by supporting IA32_ARCH_CAPABILITIES MSR we are able to provide the same MSR to a KVM/QEMU guest, informing its kernel about HW support for:
- IBRS_ALL (enhanced IBRS support)
- SKIP_L1DFL_VMENTRY (L1D flush is needed on VMENTRY)
- RDCL_NO (HW is vulnerable to Rogue Data Cache Load)
- Foreshadow-NG (OS) vuln. (L1 terminal fault, OS)
- Foreshadow-NG (VMM) vuln. (L1 terminal fault, VMM)
and making it to take better decisions on which mitigation to use, if one is needed (leveraging guest performance for those CPUs).
- Libvirt support for {Ice,Cascade}Lake CPUs might be needed now.
- Still waiting on some more requests from Intel (might be to enable features by default, might be to add Cascade Lake v2, I’ll inform here next week).
- Reviewed @paelzer’s QEMU ppc backports on count cache flush Spectre v2 mitigation (CVE) (check his reply for this topic).
UBUNTU HA
-
Corosync and Redundant Rings - The Totem Protocol Explained
I published an article I have written not too long ago, explaining how to get redundant rings in corosync and what to expect from configuration option changes. -
CTDB NFS HA Enablement
LP: #722201 | DOC: #722201 | PPA: #722201 | MR: #722201
Enabling Samba CTDB for NFS HA: @ahasenack provided me good feedback on documentation and how the patch should be organized for a better maintenance. I have made modifications and provided a documentation (in discourse) on how to use this new package (from PPA right now).