minor cleanups, typo and whitespace fixes

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
Wolfgang Bumiller 2018-10-01 10:41:37 +02:00
parent 2975cb7a5d
commit 144d5edebe

14
qm.adoc

@ -335,7 +335,7 @@ To check if the {pve} host is vulnerable, execute the following command as root:
for f in /sys/devices/system/cpu/vulnerabilities/*; do echo "${f##*/} -" $(cat "$f"); done for f in /sys/devices/system/cpu/vulnerabilities/*; do echo "${f##*/} -" $(cat "$f"); done
---- ----
A community script is also avalaible to detect is the host is still vulnerable. A community script is also available to detect is the host is still vulnerable.
footnote:[spectre-meltdown-checker https://meltdown.ovh/] footnote:[spectre-meltdown-checker https://meltdown.ovh/]
Intel processors Intel processors
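Review bot: The corrected sentence still reads "to detect is the host is still vulnerable", with "is" where "if" is meant. Since this line is already being touched for the "avalaible" typo, change it to "A community script is also available to detect if the host is still vulnerable."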
@ -343,7 +343,7 @@ Intel processors
* 'pcid' * 'pcid'
+ +
This reduce the performance impact of the Meltdown (CVE-2017-5754) mitigation This reduces the performance impact of the Meltdown (CVE-2017-5754) mitigation
called 'Kernel Page-Table Isolation (KPTI)', which effectively hides called 'Kernel Page-Table Isolation (KPTI)', which effectively hides
the Kernel memory from the user space. Without PCID, KPTI is quite an expensive the Kernel memory from the user space. Without PCID, KPTI is quite an expensive
mechanism footnote:[PCID is now a critical performance/security feature on x86 mechanism footnote:[PCID is now a critical performance/security feature on x86
@ -363,13 +363,13 @@ Required to enable the Spectre v1 (CVE-2017-5753) and Spectre v2 (CVE-2017-5715)
in cases where retpolines are not sufficient. in cases where retpolines are not sufficient.
Included by default in Intel CPU models with -IBRS suffix. Included by default in Intel CPU models with -IBRS suffix.
Must be explicitly turned on for Intel CPU models without -IBRS suffix. Must be explicitly turned on for Intel CPU models without -IBRS suffix.
Requires the host CPU microcode (intel-microcode >= 20180425). Requires an updated host CPU microcode (intel-microcode >= 20180425).
+ +
* 'ssbd' * 'ssbd'
+ +
Required to enable the Spectre V4 (CVE-2018-3639) fix. Not included by default in any Intel CPU model. Required to enable the Spectre V4 (CVE-2018-3639) fix. Not included by default in any Intel CPU model.
Must be explicitly turned on for all Intel CPU models. Must be explicitly turned on for all Intel CPU models.
Requires the host CPU microcode(intel-microcode >= 20180703). Requires an updated host CPU microcode(intel-microcode >= 20180703).
AMD processors AMD processors
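Review bot: The changed line in the 'ssbd' entry still has no space before the parenthesis ("microcode(intel-microcode >= 20180703)"), while the equivalent line for the 20180425 microcode a few lines above has one; add the space so both read the same. The same entry writes "Spectre V4" where the AMD entries write "Spectre v4", so settle on one spelling while cleaning up here.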
@ -391,15 +391,15 @@ Required to enable the Spectre v4 (CVE-2018-3639) fix.
Not included by default in any AMD CPU model. Not included by default in any AMD CPU model.
Must be explicitly turned on for all AMD CPU models. Must be explicitly turned on for all AMD CPU models.
This should be provided to guests, even if amd-ssbd is also provided, for maximum guest compatibility. This should be provided to guests, even if amd-ssbd is also provided, for maximum guest compatibility.
Note for some QEMU / libvirt versions, this must be force enabled when when using "Host model", Note that this must be explicitly enabled when when using the "host" cpu model,
because this is a virtual feature that doesnt exist in the physical host CPUs. because this is a virtual feature which does not exist in the physical CPUs.
* 'amd-ssbd' * 'amd-ssbd'
+ +
Required to enable the Spectre v4 (CVE-2018-3639) fix. Required to enable the Spectre v4 (CVE-2018-3639) fix.
Not included by default in any AMD CPU model. Must be explicitly turned on for all AMD CPU models. Not included by default in any AMD CPU model. Must be explicitly turned on for all AMD CPU models.
This provides higher performance than virt-ssbd so should be exposed to guests whenever available in the host. This provides higher performance than virt-ssbd, therefore a host supporting this should always expose this to guests if possible.
virt-ssbd should none the less also be exposed for maximum guest compatibility as some kernels only know about virt-ssbd. virt-ssbd should none the less also be exposed for maximum guest compatibility as some kernels only know about virt-ssbd.
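Review bot: The rewritten note above the 'amd-ssbd' entry still contains the duplicated word in "when when using"; drop one. The rewrite also removes the "for some QEMU / libvirt versions" qualifier and states the requirement unconditionally for the "host" cpu model, which is a change in meaning rather than a typo fix, so confirm it is intended and mention it in the commit message. In the last line, "none the less" would normally be written "nonetheless".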