From: Alexandre Derumier
To: pve-devel@lists.proxmox.com
Date: Fri, 9 Jun 2023 19:25:02 +0200
Message-Id: <20230609172502.1611757-1-aderumier@odiso.com>
X-Mailer: git-send-email 2.30.2
Subject: [pve-devel] [PATCH pve-docs] qemu: add cpu models documentation
List-Id: Proxmox VE development discussion

add doc for different cpu models including new x86-64-vX models

Signed-off-by: Alexandre Derumier
---
qm.adoc | 145 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 138 insertions(+), 7 deletions(-)

diff --git a/qm.adoc b/qm.adoc index c6dc652..780634f 100644 --- a/qm.adoc +++ b/qm.adoc @@ -353,6 +353,9 @@ CPU Type QEMU can emulate a number different of *CPU types* from 486 to the latest Xeon processors. Each new processor generation adds new features, like hardware assisted 3d rendering, random number generation, memory protection, etc ... +Also, a current generation can be upgraded through microcode update with bugs +or security fixes. + Usually you should select for your VM a processor type which closely matches the CPU of the host system, as it means that the host CPU features (also called _CPU flags_ ) will be available in your VMs. If you want an exact match, you can set
@@ -360,17 +363,145 @@ the CPU type to *host* in which case the VM will have exactly the same CPU flags as your host system. This has a downside though. If you want to do a live migration of VMs between -different hosts, your VM might end up on a new system with a different CPU type. +different hosts, your VM might end up on a new system with a different CPU type +or a different microcode. If the CPU flags passed to the guest are missing, the qemu process will stop. To -remedy this QEMU has also its own CPU type *kvm64*, that {pve} uses by defaults. -kvm64 is a Pentium 4 look a like CPU type, which has a reduced CPU flags set, -but is guaranteed to work everywhere. +remedy this QEMU has also its own virtual CPU types, that {pve} uses by defaults. + +Default is x86-64-v2-AES, compatible with Intel >= Westmere and Amd >= Opteron_G4 + +In short: -In short, if you care about live migration and moving VMs between nodes, leave -the kvm64 default. If you don’t care about live migration or have a homogeneous -cluster where all nodes have the same CPU, set the CPU type to host, as in +If you don’t care about live migration or have a homogeneous cluster where +all nodes have the same CPU and same microcode version, set the CPU type to host, as in theory this will give your guests maximum performance. +if you care about live migration and security, and you have only Intel CPU or only AMD CPU, +choose the lowest generation cpu model of your cluster. + +if you care about live migration without security, or have mixed intel/amd cluster, +choose the lowest compatible virtual qemu type. 
+ +NOTE: Intel <> AMD migrations have no guarantee to work + + +Intel CPU Types since 2007 +^^^^^^^^^^^^^^^^^^^^^^^^^^ + +https://en.wikipedia.org/wiki/List_of_Intel_Xeon_processors[Intel Processors] + +* 'Nahelem' : https://fr.wikipedia.org/wiki/Nehalem[1th generation of the Intel Core Processor] ++ +* 'Nahelem-IBRS (v2)' : add spectre (+spec-ctrl) ++ +* 'Westmere' : https://en.wikipedia.org/wiki/Westmere_(microarchitecture)[1th generation of the Intel Core Processor (Xeon E7-)] ++ +* 'Westmere-IBRS (v2)' : add spectre (+spec-ctrl) ++ +* 'SandyBridge' : https://fr.wikipedia.org/wiki/Sandy_Bridge[2th generation of the Intel Core Processor] ++ +* 'SandyBridge-IBRS (v2)' : add spectre v1 protection (+spec-ctrl) ++ +* 'IvyBridge' : https://en.wikipedia.org/wiki/Ivy_Bridge_(microarchitecture)[3th generation of the Intel Core Processor] ++ +* 'IvyBridge-IBRS (v2)': add spectre v1 protection (+spec-ctrl) ++ +* 'Haswell' : https://fr.wikipedia.org/wiki/Haswell_(microarchitecture)[4th generation of the Intel Core Processor] ++ +* 'Haswell-noTSX (v2)' : disable TSX (-hle,-rtm) ++ +* 'Haswell-IBRS (v3)' : readd TSX, add spectre (+hle,+rtm, +spec-ctrl) ++ +* 'Harwell-noTSX-IBRS (v4)' : disable TSX (-hle,-rtm) ++ +* 'Broadwell': https://en.wikipedia.org/wiki/Broadwell_(microarchitecture)[5th generation of the Intel Core Processor] ++ +* 'Skylake': https://en.wikipedia.org/wiki/Skylake_(microarchitecture)[1st generation Xeon Scalable server processors] ++ +* 'Skylake-IBRS (v2)' : add +spec-ctrl,-clflushopt ++ +* 'Skylake-noTSX-IBRS (v3)' : disable TSX (-hle, -rtm) ++ +* 'Skylake-v4': add EPT switching (+vmx-eptp-switching) ++ +* 'Cascadelake': https://en.wikipedia.org/wiki/Cascade_Lake_(microprocessor)[2nd generation Xeon scalable processor] ++ +* 'Cascadelake-v2' : add arch_capabilities msr (+arch-capabilities,+rdctl-no,+ibrs-all,+skip-l1dfl-vmentry,+mds-no) ++ +* 'Cascadelake-v3' : disable TSX (-hle, -rtm) ++ +* 'Cascadelake-v4' : add EPT switching (+vmx-eptp-switching) ++ +* 
'Cascadelake-v5' : add XSAVES (+xsaves,+vmx-xsaves) ++ +* 'CooperLake' : https://en.wikipedia.org/wiki/Cooper_Lake_(microprocessor)[3rd generation Xeon scalable processors for 4 & 8 sockets servers] ++ +* 'CooperLake-v2' : add XSAVES (+xsaves,+vmx-xsaves) ++ +* 'IceLake': https://en.wikipedia.org/wiki/Ice_Lake_(microprocessor)[3rd generation Xeon Scalable server processors] ++ +* 'Icelake-v2' : disable TSX(-hle,-rtm) ++ +* 'Icelake-v3' : add arch_capabilities msr (+arch-capabilities, +rdctl-no, +ibrs-all, +skip-l1dfl-vmentry,+mds-no,+pschange-mc-no,+taa-no) ++ +* 'Icelake-v4' : add missing flags (+sha-ni,+avx512ifma,+rdpid,+fsrm,+vmx-rdseed-exit,+vmx-pml,+vmx-eptp-switching) ++ +* 'Icelake-v5' : add XSAVES (+xsaves,+vmx-xsaves) ++ +* 'Icelake-v6' : add "5-level EPT" (+vmx-page-walk-5) ++ +* 'Sapphire Rapids' : https://en.wikipedia.org/wiki/Sapphire_Rapids[4th generation Xeon Scalable server processors] + +AMD CPU Types since 2007 +^^^^^^^^^^^^^^^^^^^^^^^^ + +https://en.wikipedia.org/wiki/List_of_AMD_processors[AMD Processors] + +* 'Opteron_G3' : https://en.wikipedia.org/wiki/AMD_10h[K10] ++ +* 'Opteron_G4' : https://en.wikipedia.org/wiki/Bulldozer_(microarchitecture)[Bulldozer] ++ +* 'Opteron_G5' : https://en.wikipedia.org/wiki/Piledriver_(microarchitecture)[Piledriver] ++ +* 'EPYC' : https://en.wikipedia.org/wiki/Zen_(first_generation)[1st Generation of Zen Processors] ++ +* 'EPYC-IBPB (v2)' : add spectre v1 protection (+ibpb) ++ +* 'EPYC-v3' : add missing flags (+perfctr-core,+clzero,+xsaveerptr,+xsaves) ++ +* 'EPYC-Rome' : https://en.wikipedia.org/wiki/Zen_2[2nd Generation of Zen Processors] ++ +* 'EPYC-Rome-v2' : add spectre v2,v4 protection (+ibrs,+amd-ssbd) ++ +* 'EPYC-Milan' : https://en.wikipedia.org/wiki/Zen_3[3th Generation of Zen Processors] ++ +* 'EPYC-Milan-v2' : add missing flags (+vaes,+vpclmulqdq,+stibp-always-on,+amd-psfd,+no-nested-data-bp,+lfence-always-serializing,+null-sel-clr-base + +Qemu CPU Types +^^^^^^^^^^^^^^ + +Qemu also provide virtual 
cpu types, compatible with both intel/amd. + +NOTE: To keep best compatibility, no security flag for spectre/meltdown/... exist in qemu virtual types, so you need to do it manually + +Historically, Proxmox had the kvm64 cpu model, with only pentium4 cpu flags enabled, so performance was not great for some workload. + +In the summer of 2020, AMD, Intel, Red Hat, and SUSE collaborated to define three x86-64 microarchitecture levels on top of the x86-64 baseline, +with modern flags enabled. https://gitlab.com/x86-psABIs/x86-64-ABI[x86-64-ABI specs] + +Some newer distro like Centos9 are now built with x86-64-v2 flags as minimum requirement ! + + +* 'kvm64 (v1)' : Compatible >=pentium4 , >= phenom ++ +* 'x86-64-v2' : Compatible >= Nehalem, >= Opteron_G4. add cx16,lahf-lm,popcnt,pni,sse4.1,sse4.2,ssse3 ++ +* 'x86-64-v2-AES' : Compatible >= Westmere, >= Opteron_G4 : add aes ++ +* 'x86-64-v3' : Compatible >= Broadwell, >= Epyc : add +avx,+avx2,+bmi1,+bmi2,+f16c,+fma,+movbe,xsave ++ +* 'x86-64-v4' : Compatible >= Skylake , >= EPYC-Genoa(V4) : add +avx512f, +avx512bw, +avx512cd,+avx512dq,+avx512vl + Custom CPU Types ^^^^^^^^^^^^^^^^ -- 2.30.2
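Review bot: in the first hunk (@@ -353,6 +353,9 @@), the added sentence `+Also, a current generation can be upgraded through microcode update with bugs` / `+or security fixes.` is ambiguous ("upgraded ... with bugs" reads as if the update introduces bugs) and does not say why microcode matters for the reader. Suggest wording such as "The CPU flags of a given generation can also change through microcode updates that ship bug or security fixes", so that the later statement that hosts may differ "or a different microcode" and the -IBRS / -noTSX model variants listed in the next hunk have a stated reason. The "a number different of" on the unchanged context line is pre-existing and could go in a separate typo fix.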
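Review bot: in the second hunk (@@ -360,17 +363,145 @@), the "spectre v1 protection" labels are wrong for the flags they annotate: `+spec-ctrl` (the IBRS / IA32_SPEC_CTRL interface, on the `'SandyBridge-IBRS (v2)'` and `'IvyBridge-IBRS (v2)'` lines) and `+ibpb` (on the `'EPYC-IBPB (v2)'` line) are mitigations for Spectre variant 2 (branch target injection); variant 1 (bounds check bypass) has no CPUID flag and is mitigated in software. They should read "spectre v2", as the EPYC-Rome-v2 line already does, otherwise readers choosing a model "for security" will assume a protection that the model does not provide. Smaller points in the same hunk: 'Nahelem' should be 'Nehalem' (twice), 'Harwell-noTSX-IBRS' should be 'Haswell-noTSX-IBRS', '1th'/'2th'/'3th generation' should be '1st'/'2nd'/'3rd', the EPYC-Milan-v2 flag list is missing its closing parenthesis, 'Qemu also provide virtual cpu types' should be 'QEMU also provides virtual CPU types', "choose the lowest generation cpu model of your cluster" is clearer as "choose the model of the oldest CPU generation present in your cluster", and "so you need to do it manually" should say how, for example by adding the flags through the custom CPU types covered in the following section, since the reader otherwise gets no pointer.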