Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

engine: Remove taa-no from Secure Skylake Server #837

Merged
merged 1 commit into from
Apr 21, 2023
Merged

engine: Remove taa-no from Secure Skylake Server #837

merged 1 commit into from
Apr 21, 2023

Conversation

ljelinkova
Copy link
Contributor

@ljelinkova ljelinkova commented Apr 20, 2023
edited by ahadas
Loading

The host with Secure Intel Icelake Server Family become non operational because it does not provide "taa-no" CPU feature even though the following command indicates that the host is not vulnerable.

cat /sys/devices/system/cpu/vulnerabilities/tsx_async_abort 
Not affected

It is possible that this flag is not reported on systems that are not vulnerable anymore. We disable TSX in our CPU definition (we use Icelake-Server-noTSX) so it is not a security risk if we leave the requirement for "taa-no" CPU feature.

Bug-Url: https://bugzilla.redhat.com/2184623

@ljelinkova
engine: Remove taa-no from Secure Skylake Server
db7480d 
The host with Secure Intel Icelake Server Family become non operational
because it does not provide "taa-no" CPU feature even though the
following command indicates that the host is not vulnerable.

cat /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
Not affected

It is possible that this flag is not reported on systems that
are not vulnerable anymore. We disable TSX in our CPU definition
(we use Icelake-Server-noTSX) so it is not a security risk if we leave
the requirement for "taa-no" CPU feature.

Bug-Url: https://github.com/oVirt/ovirt-engine/issues/2184623
Signed-off-by: Lucia Jelinkova <[email protected]>
@michalskrivanek
Copy link
Member

it's not ideal to remove things for the odd case of someone explicitly enabling tsx and relying on taa. but it's IMHO such a corner case that it's not worth extra effort

@michalskrivanek
Copy link
Member

LGTM

@michalskrivanek
Copy link
Member

/ost

@michalskrivanek michalskrivanek merged commit 78bdb2c into oVirt:master Apr 21, 2023
@Klaas-
Copy link

Klaas- commented Apr 25, 2023

I am guessing you meant to link https://bugzilla.redhat.com/show_bug.cgi?id=2184623 :)

ahadas
ahadas reviewed Apr 30, 2023
View reviewed changes
Copy link
Member

@ahadas ahadas left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it was enough to change the 'fn_db_update_config_value' parts (for the backport..)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ahadas ahadas ahadas left review comments

@michalskrivanek michalskrivanek Awaiting requested review from michalskrivanek

@emesika emesika Awaiting requested review from emesika emesika is a code owner

@mwperina mwperina Awaiting requested review from mwperina mwperina is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@ljelinkova @michalskrivanek @Klaas- @ahadas