Univention Bugzilla – Bug 49712
Pass CPU microcode features for mitigation
Last modified: 2023-06-28 10:46:00 CEST
Intel (and AMD) CPUs have several architectural flaws, which were patched by several microcode updates in the past:
- Spectre
- Meltdown
- Foreshadow / L1 Terminal Fault
- Microarchitectural Data Sampling

We have already updated the microcode-update packages in UCS, patched the Linux kernel to use them, shipped updated Qemu packages allowing those new features to be passed through, and finally shipped an updated libvirt to enable them per VM.

Enabling new microcode features is a backward-incompatible change, which is visible to the VM and modifies the CPU save state: VMs with those features enabled MUST NOT be migrated to hosts missing the updated packages. As such, those features are not enabled by default and must be enabled manually.

UVMM needs to be extended to at least allow configuring those features. As the set of features depends on the exact CPU model, Bug #49695 needs to be addressed first.
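The two things the report asks for are (a) a per-VM libvirt `<cpu>` definition that requires the microcode-backed mitigation features and (b) a guard against migrating such a VM to a host that lacks them. The following is an added example, not UCS, UVMM or libvirt code. It uses libvirt's documented `<cpu><feature policy='require' name='...'/></cpu>` syntax with the x86 cpu_map feature names `spec-ctrl`, `ssbd` and `md-clear`, and assumes that each of these maps to the `/proc/cpuinfo` flag of the same name with `-` replaced by `_`. The CPU model name, domain name and the two `/proc/cpuinfo` excerpts are constructed sample data.

```python
"""Build a libvirt <cpu> block that requires mitigation features and check,
before migration, whether a candidate target host exposes them.

Added example (not UCS/UVMM/libvirt code). Assumptions:
  * libvirt feature names below map to /proc/cpuinfo flags by '-' -> '_'
  * the <cpu> syntax is libvirt's documented policy='require' form
  * all sample input (domain name, model, cpuinfo text) is constructed
"""
import xml.etree.ElementTree as ET

# libvirt x86 cpu_map names for the microcode-backed mitigations in the bug:
# spec-ctrl (Spectre v2 / IBRS), ssbd (Spectre v4), md-clear (MDS).
MITIGATION_FEATURES = ("spec-ctrl", "ssbd", "md-clear")


def cpu_element(model="Haswell-noTSX-IBRS", features=MITIGATION_FEATURES):
    """Return a <cpu> element that forces the guest to see `features`.

    policy='require' makes libvirt expose the feature to the guest and
    refuse to start or receive the domain on a host whose CPU/microcode
    does not provide it. `model` is a sample value, not a recommendation.
    """
    feats = "\n".join(
        f"    <feature policy='require' name='{f}'/>" for f in features)
    return (f"  <cpu mode='custom' match='exact'>\n"
            f"    <model fallback='forbid'>{model}</model>\n"
            f"{feats}\n"
            f"  </cpu>")


def domain_xml(name="uvmm-example", features=MITIGATION_FEATURES):
    """Minimal constructed domain definition embedding cpu_element()."""
    return (f"<domain type='kvm'>\n"
            f"  <name>{name}</name>\n"
            f"  <memory unit='MiB'>1024</memory>\n"
            f"  <vcpu>2</vcpu>\n"
            f"  <os><type arch='x86_64'>hvm</type></os>\n"
            f"{cpu_element(features=features)}\n"
            f"</domain>\n")


def required_features(xml_text):
    """Names of all <cpu>/<feature policy='require'> entries in a domain."""
    root = ET.fromstring(xml_text)
    return {f.get("name") for f in root.findall("./cpu/feature")
            if f.get("policy") == "require"}


def host_flags(cpuinfo_text):
    """Flags advertised by the first CPU in a /proc/cpuinfo dump."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def missing_on_host(xml_text, cpuinfo_text):
    """Required features the target host does not expose (empty == safe).

    Assumes libvirt name -> cpuinfo flag is '-' -> '_' (holds for the
    three mitigation features used here).
    """
    flags = host_flags(cpuinfo_text)
    return {f for f in required_features(xml_text)
            if f.replace("-", "_") not in flags}


# Constructed /proc/cpuinfo excerpts: one host with updated microcode and
# kernel, one without. Real dumps list far more flags.
UPDATED_HOST_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Xeon(R) CPU (sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov \
pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc \
spec_ctrl intel_stibp ssbd md_clear flush_l1d
bugs\t\t: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds
"""

STALE_HOST_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Xeon(R) CPU (sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov \
pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc
bugs\t\t: cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass l1tf mds
"""


if __name__ == "__main__":
    xml_text = domain_xml()
    print(xml_text)
    for label, info in (("updated host", UPDATED_HOST_CPUINFO),
                        ("stale host", STALE_HOST_CPUINFO)):
        missing = missing_on_host(xml_text, info)
        verdict = "migration OK" if not missing else f"DO NOT migrate, missing {sorted(missing)}"
        print(f"{label}: {verdict}")
```

On a real host the `cpuinfo_text` argument would be the contents of `/proc/cpuinfo` on the migration target; libvirt enforces the same rule at start-up, but checking first avoids a failed migration half-way through a maintenance window.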
UVMM and virtualization with UCS are deprecated and will no longer be developed in UCS 4.4; they have already been removed from UCS 5.0.