Re: [libvirt] [Qemu-devel] CPU model versioning separate from machine type versioning ?

On Fri, Jun 29, 2018 at 09:53:53AM +0100, Dr. David Alan Gilbert wrote:

> We're going to have to say something like: > 'For the new XYZ vulnerability make sure you're using > Haswell-3.2 or later, SkyLake-2.6 or later, Westmere-4.8 or later > .....' > > which all gets a bit confusing. The kernel has a /sys/devices/system/cpu/vulnerabilities dir that lists status of various flaws. I have been thinking about whether libvirt should create a 'virt-guest-validate' command that looks at guest XML and reports whether any of the config settings are vulnerable or otherwise diverging from best practice in some way. QEMU itself would perhaps have a 'query-vulnerabilities' monitor command to report whether the current config is satisfactory or not.