LowEndTalk's 15th Birthday Is This Saturday! Who's Doing a Special Offer?

Comments
Nesting and AES can be enabled without setting to Host and passing directly through with risks. The only thing I'm still curious about is VT-x which I've found out now apparently setting it to Skylake or similar should provide. Or something as close to the host CPU as possible. I'll try it later and if all works out, I can enable it without setting to Host.
AES is actually enabled already by default on the x86-64-AES-v2 that is enabled by default.
Yes, some CPU features like AVX and AES can be enabled but not nested virtualization (at least I've never seen it).
See last comment - it can indeed. Even in LXC you can enable nested. Definitely is possible. Just was asking here about the VT-x flag because I've never tried and maybe someone else already knew what to set it to. But I guess Google is your friend lol 😂 Skylake or CPU closest to Host will allow it. And under Options set AMD/VT-x enabled.
Am I reading the docs wrong? To me it’s just saying pass through passes the exact model and features through, not that it doesn’t virtualize a cpu. - in fact it quite literally states it may strip out features that can’t be virtualized.
“Host passthrough
This passes the host CPU model features, model, stepping, exactly to the guest. Note that KVM may filter out some host CPU model features if they cannot be supported with virtualization. Live migration is unsafe when this mode is used as libvirt / QEMU cannot guarantee a stable CPU is exposed to the guest across hosts. This is the recommended CPU to use, provided live migration is not required.”
Not sure. It doesn't say that it does or doesn't make virtual driver and all. I've read before about it and seems it passes it entirely straight through. They really should document it better.
Here's chatgpt's take without special prompting or asking it to lean one way or the other (unbiased as possible). I simply asked "Proxmox CPU set to host security risks?" so that it could have said no risk really, etc., but it did not definitely say that - complete opposite...
https://chatgpt.com/share/6874e3f7-5184-800f-a5ca-6bf7c6887319
To quote the most worrying part: "which could aid in hypervisor escape or targeted attacks."
Yes host pass through or not, it still provides hardware-based isolation using VT-x/AMD-V. The thought is, passing all CPU features through can increase the attack surface if there are unpatched CPU vulnerabilities (Spectre, Meltdown, etc.). With a properly updated system this would be pretty rare but anything is possible!
Makes sense. Similar to what chatgpt said in the thread I posted asking it. Especially I guess on our Albania server would be bad as the entire system is out of support today - so it doesn't get security updates (host specs published on LEB threads, but yeah) so for us and I'm sure a lot of hosts that don't have this year's latest servers (how can you blame us at the prices we charge here lol) because we'd rather own than rent our servers most of the time, it would be a massive security risk to put Host processor on there.
Link to specific CVEs needed - it's not as simple as just "grabbing" the CPU from a host process.
That's also not how it works. The CPU setting in qemu affects what the cpuid instruction returns, but other than that, the VPS runs the same way on the CPU.
GB4 and GB5 result added:
Thanks mate. That even changed the AI "analyse these results" outlook.
After sending it both, it added comment on GB6 (harsh rating, not fully reflective). Interesting.
Ha...no, I just lay it out for y'all to play it out.
I'm a bit overstocked on LEBs at the moment. Need to rotate a few.
Can anyone provide a good "I have a lot of things idling" gif?
I think you're wrong here. Host passthrough only sets the CPU model name and some properties (like features/flags and frequency), there's no difference in the virtualization itself (see https://raw.githubusercontent.com/qemu/qemu/refs/heads/master/target/i386/host-cpu.c vs https://github.com/qemu/qemu/blob/master/target/i386/cpu.c, it only sets some values). KVM/qemu (independent of if it's kernel/hardware or userspace virtualization) will always create a virtual CPU/processor, there's no bypassing of the virtualization just by enabling host passthrough.
Even the qemu docs (https://www.qemu.org/docs/master/system/i386/cpu.html) recommend using host passthrough. The only disadvantage is that live migrating VMs becomes unsafe or, if migrating between different CPUs, impossible.
Yes, there were and probably still are a lot of vulnerabilities allowing one to escape from VMs, but this isn't directly related to host passthrough (yes, disabling features will make the attack surface smaller, but this is independent from using host passthrough: one can enable/disable features with any CPU model).
Regarding VT-x/nested virtualization: there have been problems with Ryzen CPUs IIRC (not security related, they were just crashing IIRC), and while generally (like with every feature) the attack surface gets larger if you enable more features, it AFAIK isn't generally unsafe or risky (I don't know about your CPU though, as that is quite old (14 years), there might be (or most likely are) some security vulnerabilities).
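A way to check what a given CPU model actually exposes to a guest, as an added example that is not part of any poster's comment: it parses /proc/cpuinfo-style text for the flags argued about in this thread (vmx/svm for nested VT-x/AMD-V, aes, avx2, the hypervisor bit) and lists which host flags a named model strips. The sample cpuinfo excerpts are constructed, not captured from any real machine.

```python
# Flags this thread argues about, grouped by what an admin wants to know.
FLAGS_OF_INTEREST = {
    "nested_virt": {"vmx", "svm"},  # VT-x / AMD-V visible inside the guest
    "aes": {"aes"},
    "avx2": {"avx2"},
    "hypervisor": {"hypervisor"},   # set by QEMU/KVM on every virtual CPU
}

def parse_cpuinfo(text):
    """Parse the first processor block of /proc/cpuinfo-style text into a dict."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() not in info:  # keep the first CPU only
            info[key.strip()] = value.strip()
    return info

def flags_of(text):
    return set(parse_cpuinfo(text).get("flags", "").split())

def feature_report(text):
    """Summarise what a CPU model exposes, plus the kernel's own 'bugs' list."""
    info = parse_cpuinfo(text)
    flags = flags_of(text)
    report = {name: bool(flags & want) for name, want in FLAGS_OF_INTEREST.items()}
    report["model"] = info.get("model name", "?")
    report["bugs"] = sorted(info.get("bugs", "").split())
    return report

def hidden_from_guest(host_text, guest_text):
    """Host flags a named CPU model strips; 'host' passthrough would re-expose them."""
    return sorted(flags_of(host_text) - flags_of(guest_text))

# Constructed sample /proc/cpuinfo excerpts (not from any real machine).
HOST_CPUINFO = """processor\t: 0
model name\t: Constructed Host CPU
flags\t\t: fpu vme sse sse2 ssse3 sse4_1 sse4_2 aes avx vmx pcid
bugs\t\t: spectre_v1 spectre_v2 meltdown
"""
GUEST_NAMED_MODEL = """processor\t: 0
model name\t: QEMU Virtual CPU (constructed generic x86-64 model with AES)
flags\t\t: fpu vme sse sse2 ssse3 sse4_1 sse4_2 aes hypervisor
bugs\t\t: spectre_v1 spectre_v2 meltdown
"""
# Host passthrough: same model name and flags as the host, plus the hypervisor bit.
GUEST_HOST_MODEL = HOST_CPUINFO.replace("pcid\n", "pcid hypervisor\n")

if __name__ == "__main__":
    print(feature_report(GUEST_NAMED_MODEL))
    print("stripped by named model:", hidden_from_guest(HOST_CPUINFO, GUEST_NAMED_MODEL))
    print("stripped by host model:", hidden_from_guest(HOST_CPUINFO, GUEST_HOST_MODEL))
```

On a real Proxmox node, feed the script the contents of /proc/cpuinfo from the host and from inside the guest to see exactly which flags the chosen model hides.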
Hopefully I misunderstood this. If your hypervisor doesn't get updated then you have bigger issues than what model you use in QEMU
Thanks for that. I can accept when I am wrong. Apologies. You have provided code that does seem to point it to still virtualizing but passing a lot of features through that most security forums seem to consider unsafe for a guest untrusted environment to have access to.
And yes - my thought process is exactly that - disable as many features as possible while allowing all the common uses. Things that guests shouldn't have access to. Because it definitely decreased the attack surface. Especially on older systems like ours.
You definitely misunderstood. Software is updated. Was referring to CPU support. It isn't maintained by Intel anymore so they aren't testing for or patching CPU vulnerabilities. I would say that is true of 99% of CPUs in use on servers today. Intel's support cycle is VERY short. Servers today run for 20+ years in production. Longer if refurbished like ours is (all major failure points like PSU, fans, CPUs, RAM, caps on board, etc. replaced with modern / newer ones that are compatible). Only the most expensive of servers are running the latest and greatest processors. And those are at a disadvantage when they have the new i9 E-cores. For example a friend of mine asked yesterday on Discord why their CPU is crap compared to the server one when it's way newer. Their CPU was using E-cores in virtualization...
E-cores suck! Luckily, Intel has recently released some P-core only high core count server CPUs like the Intel Xeon 6900P which may finally be able to compete with AMD EPYC.
Let's hope so. Until the whole e-cores thing dies, people will continue using older boards and chips because they perform better in server environments or where virtualization, gaming, etc is being done.
Tbh it was the stupidest thing they've ever done. And I've heard AMD and others are also doing things like this.
I know it's to cut down on costs and let them add AI chips and so on. But damn - let the people have their cores lol 😂
Hello,
If you have any questions about our services, please contact us. We're here to help.
Thank you very much for your kind words
We work every day to continue offering good service to our customers
VPS 15 TH LET TINY yabs possible?
Sure, I sent him a message.
Before I place my order, this is not overselling, right?
For India VPS it's guaranteed service
We own the hardware so no overloading issue for sure.
Can you send me 50% off discount code as a message also, please? Thanks
Here is 16 vCPU @HostDZire YABS. For my needs it's very good
Hello,
We only have these promotions available
VPS 15 TH LET TINY
RYZEN 9950X
1 vCPU Cores
2 GB DDR5 RAM
30 GB NVMe Storage
2 4 TB Monthly Transfer
1 IPv4/v6 Included
Multiple Locations
Anti-DDoS Protection
Price: $25.00/year
https://dash.nohavps.com/store/vps/vps-let-15-th
VPS 15 TH LET SMALL
RYZEN 9950X
2 vCPU Cores
4 GB DDR5 RAM
60 GB NVMe Storage
4 8 TB Monthly Transfer
1 IPv4/v6 Included
Multiple Locations
Anti-DDoS Protection
Price: $50.00/year
https://dash.nohavps.com/store/vps/vps-15-th-let-small
50% off coupon that works in either of those deals would be OK with me
we need special treatment.
& a
nice slice of cake
Coupon for $7/year would work too.
no Problem
noha does a good Zimb nohavps
Boing