Setup
-----

NOTE: My host processor is Intel(R) Xeon(R) CPU E5-2609 v3 @ 1.90GHz.
It does *not* support Intel TSX:

    https://ark.intel.com/content/www/us/en/ark/products/81897/intel-xeon-processor-e5-2609-v3-15m-cache-1-90-ghz.html

On my Compute "host" (a level-1 VM, with 'host-passthrough'), I had my
kernel built without TSX:

    $ grep INTEL_TSX_MODE_OFF /boot/config-5.10.13-100.fc32.x86_64
    CONFIG_X86_INTEL_TSX_MODE_OFF=y

Test-1: Enable PCID; disable SSBD
----------------------------------------------------

nova.conf configured with:

    [libvirt]
    cpu_models = Nehalem-IBRS
    cpu_model_extra_flags = +pcid,-ssbd
    cpu_mode = custom
    virt_type = kvm

Resulting guest XML:

    [...]
    Nehalem-IBRS
    [...]

----------------------------------------------------

Test-: Disable SSBD; Enable PCID
----------------------------------------------------

nova.conf configured with:

    [libvirt]
    cpu_models = Nehalem-IBRS
    cpu_model_extra_flags = -pcid,+ssbd
    live_migration_uri = qemu+ssh://stack@%s/system
    cpu_mode = custom
    virt_type = kvm

Resulting guest XML:

    [...]
    Nehalem-IBRS
    [...]

----------------------------------------------------

Test-3: Enable PCID, SSBD, but disable TSX:
----------------------------------------------------

nova.conf was configured with:

    $ grep "\[libvirt\]" -A5 /etc/nova/nova-cpu.conf
    [libvirt]
    cpu_models = Nehalem-IBRS
    cpu_model_extra_flags = +pcid,ssbd,-hle,-rtm
    cpu_mode = custom
    virt_type = kvm

And the guest correctly gets the PCID and SSBD flags, and does *not*
show the 'hle' or 'rtm' flags:

    $ sudo virsh dumpxml instance-00000001
    Nehalem-IBRS

NOTES:

  - We correctly see PCID and SSBD enabled for the guest
  - But NOT 'hle' or 'rtm'

        [root@taroxhost ~]# grep 'hle|rtm' /proc/cpuinfo
        [root@taroxhost ~]#

----------------------------------------------------
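
The check these tests do by eye can be scripted. The following is an added example, not code from Nova or from the notes above: it parses a cpu_model_extra_flags value and compares it with the <feature> elements of a guest's `virsh dumpxml` output. The function names and the sample XML are constructed for illustration, and it assumes that a flag with no prefix means "enable" (as 'ssbd' does in Test-3) and that libvirt records an enabled flag as policy='require' and a disabled one as policy='disable'.

```python
import xml.etree.ElementTree as ET


def parse_extra_flags(value):
    """Split a cpu_model_extra_flags value into {flag_name: libvirt_policy}."""
    policies = {}
    for raw in value.split(","):
        token = raw.strip().lower()
        if not token:
            continue
        if token[0] in "+-":
            sign, name = token[0], token[1:]
        else:
            sign, name = "+", token  # assumption: a bare flag means "enable"
        if not name:
            raise ValueError(f"empty flag name in {raw!r}")
        policies[name] = "disable" if sign == "-" else "require"
    return policies


def audit_guest_cpu(domain_xml, extra_flags):
    """Return a list of mismatches between the config and the guest XML."""
    cpu = ET.fromstring(domain_xml).find("cpu")
    if cpu is None:
        return ["guest XML has no <cpu> element"]
    seen = {f.get("name"): f.get("policy") for f in cpu.findall("feature")}
    problems = []
    for name, want in parse_extra_flags(extra_flags).items():
        got = seen.get(name)
        if got != want:
            problems.append(f"{name}: expected policy={want}, found {got}")
    return problems


# Constructed sample of `virsh dumpxml` output (not copied from the tests above).
SAMPLE_XML = """<domain type='kvm'>
  <name>instance-00000001</name>
  <cpu mode='custom' match='exact' check='full'>
    <model fallback='forbid'>Nehalem-IBRS</model>
    <feature policy='require' name='pcid'/>
    <feature policy='require' name='ssbd'/>
    <feature policy='disable' name='hle'/>
    <feature policy='disable' name='rtm'/>
  </cpu>
</domain>"""

if __name__ == "__main__":
    issues = audit_guest_cpu(SAMPLE_XML, "+pcid,ssbd,-hle,-rtm")
    print("\n".join(issues) if issues else "guest CPU matches config")
```

A flag that is absent from the guest XML is reported as "found None", so a mitigation flag such as 'ssbd' that was silently dropped shows up as a mismatch rather than passing unnoticed.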