
On Fri, Jun 29, 2018 at 11:19:17AM +0100, Daniel P. Berrangé wrote:
> On Fri, Jun 29, 2018 at 09:53:53AM +0100, Dr. David Alan Gilbert wrote:
> [...]
> > We're going to have to say something like: 'For the new XYZ vulnerability make sure you're using Haswell-3.2 or later, SkyLake-2.6 or later, Westmere-4.8 or later .....'
> > which all gets a bit confusing.
> 
> The kernel has a /sys/devices/system/cpu/vulnerabilities dir that lists status of various flaws.
> 
> I have been thinking about whether libvirt should create a 'virt-guest-validate' command that looks at guest XML and reports whether any of the config settings are vulnerable or otherwise diverging from best practice in some way.
> 
> QEMU itself would perhaps have a 'query-vulnerabilities' monitor command to report whether the current config is satisfactory or not.

Makes sense to me. I wanted to make QEMU emit warnings on obviously insecure configurations. Adding a query-vulnerabilities command would be the QMP counterpart of that.

-- 
Eduardo
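As an added example (not code from this thread, libvirt or QEMU), a small Python script that reads the sysfs directory Daniel mentions and reduces each flaw's status line to a verdict a validation tool could act on. The sample status lines are constructed in the sysfs format; the "SMT vulnerable" suffix check reflects how the kernel reports partially mitigated flaws such as l1tf.

```python
"""Summarise /sys/devices/system/cpu/vulnerabilities (added example).

Each file there holds one line beginning "Not affected", "Mitigation:",
"Vulnerable" or "Unknown"; a "Mitigation:" line may end "SMT vulnerable".
"""
import os
from typing import Dict, List

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample in the sysfs format; not captured from a real host.
SAMPLE_STATUSES: Dict[str, str] = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
    "spec_store_bypass": "Not affected",
}

def classify(status: str) -> str:
    """Reduce one status line to ok / partial / vulnerable / unknown."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "ok"
    if s.startswith("Mitigation:"):
        # Mitigated, but sibling hyperthreads remain exposed.
        return "partial" if "SMT vulnerable" in s else "ok"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def read_statuses(path: str = VULN_DIR) -> Dict[str, str]:
    """Read every status file in the sysfs directory (empty dict if absent)."""
    if not os.path.isdir(path):
        return {}
    out: Dict[str, str] = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name)) as fh:
            out[name] = fh.read().strip()
    return out

def summarize(statuses: Dict[str, str]) -> Dict[str, str]:
    return {name: classify(line) for name, line in statuses.items()}

def flagged(statuses: Dict[str, str]) -> List[str]:
    """Flaw names whose status is anything other than fully mitigated."""
    return sorted(n for n, c in summarize(statuses).items() if c != "ok")

if __name__ == "__main__":
    live = read_statuses() or SAMPLE_STATUSES  # fall back to the sample
    for name, line in live.items():
        print(f"{classify(line):10} {name}: {line}")
```

Run on a host, it prints the live sysfs statuses; elsewhere it falls back to the constructed sample.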