<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>That cpu is X5690. That is Westmere class. We have a number of
those doing 'meatball' application loads that don't need the
latest greatest cpu.<br>
</p>
<p>I do not yet believe the Microcode fix for Westmere is out yet
and it may never be.<br>
</p>
<p>Intel has, so far, promised fixes for Haswell or better (i.e.
CPUs from the last 5 years) with a vague mention of other cpus on
a 'customer' need basis. <br>
</p>
<p>Westmere is circa 2010 and came out before Sandy/Ivy Bridge so we
don't know when or if they will be fixed, but probably only after
the Sandy/Ivy Bridges get theirs.<br>
</p>
-wk<br>
<br>
<p><br>
</p>
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 1/26/2018 1:50 AM, Gianluca Cecchi
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAG2kNCzASMzOjhoRKbLHvK4HTh1JAjZN29-EV-m1De1L9QAzOw@mail.gmail.com">
<meta http-equiv="Context-Type" content="text/html; charset=UTF-8">
<div dir="ltr">Hello,
<div>nice to see integration of Spectre-Meltdown info in 4.1.9,
both for guests and hosts, as detailed in release notes:</div>
<div><br>
</div>
<div>I have upgraded my CentOS 7.4 engine VM (outside of oVirt
cluster) and one oVirt host to 4.1.9.</div>
<div><br>
</div>
<div>Now in General -> Software subtab of the host I see:</div>
<div><br>
</div>
<div>
<div class="gmail-row">
<div class="gmail-col-md-12">
<div class="gmail-row">
<div class="gmail-col-md-2">
<div class="gmail-GKIIXFICABD"
id="gmail-SubTabHostGeneralSoftwareView_formPanel_col0_row0_label">OS
Version: RHEL - 7 - 4.1708.el7.centos</div>
</div>
</div>
</div>
</div>
<div class="gmail-row">
<div class="gmail-col-md-12">
<div class="gmail-row">
<div class="gmail-col-md-2">
<div class="gmail-GKIIXFICABD"
id="gmail-SubTabHostGeneralSoftwareView_formPanel_col0_row1_label">OS
Description: CentOS Linux 7 (Core)</div>
</div>
</div>
</div>
</div>
<div class="gmail-row">
<div class="gmail-col-md-12">
<div class="gmail-row">
<div class="gmail-col-md-2">
<div class="gmail-GKIIXFICABD"
id="gmail-SubTabHostGeneralSoftwareView_formPanel_col0_row2_label">Kernel
Version: 3.10.0 - 693.17.1.el7.x86_64</div>
</div>
</div>
</div>
</div>
</div>
<div>
<div class="gmail-row">
<div class="gmail-col-md-12">
<div class="gmail-row">
<div class="gmail-col-md-2">
<div class="gmail-GKIIXFICABD"
id="gmail-SubTabHostGeneralSoftwareView_formPanel_col0_row9_label">Kernel
Features: IBRS: 0, PTI: 1, IBPB: 0</div>
</div>
</div>
</div>
</div>
<br>
</div>
<div>Am I supposed to manually set any particular value?</div>
<div><br>
</div>
<div>If I run version 0.32 (updated yesterday)
of spectre-meltdown-checker.sh I got this on my Dell M610
blade with </div>
<div><br>
</div>
<div>
<div> Version: 6.4.0</div>
<div> Release Date: 07/18/2013</div>
</div>
<div><br>
</div>
<div>
<div>[root@ov200 ~]#
/home/g.cecchi/spectre-meltdown-checker.sh </div>
<div>Spectre and Meltdown mitigation detection tool v0.32</div>
<div><br>
</div>
<div>Checking for vulnerabilities on current system</div>
<div>Kernel is Linux 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu Jan
25 20:13:58 UTC 2018 x86_64</div>
<div>CPU is Intel(R) Xeon(R) CPU X5690 @ 3.47GHz</div>
<div><br>
</div>
<div>Hardware check</div>
<div>* Hardware support (CPU microcode) for mitigation
techniques</div>
<div> * Indirect Branch Restricted Speculation (IBRS)</div>
<div> * SPEC_CTRL MSR is available: NO </div>
<div> * CPU indicates IBRS capability: NO </div>
<div> * Indirect Branch Prediction Barrier (IBPB)</div>
<div> * PRED_CMD MSR is available: NO </div>
<div> * CPU indicates IBPB capability: NO </div>
<div> * Single Thread Indirect Branch Predictors (STIBP)</div>
<div> * SPEC_CTRL MSR is available: NO </div>
<div> * CPU indicates STIBP capability: NO </div>
<div> * Enhanced IBRS (IBRS_ALL)</div>
<div> * CPU indicates ARCH_CAPABILITIES MSR availability:
NO </div>
<div> * ARCH_CAPABILITIES MSR advertises IBRS_ALL
capability: NO </div>
<div> * CPU explicitly indicates not being vulnerable to
Meltdown (RDCL_NO): NO </div>
<div>* CPU vulnerability to the three speculative execution
attacks variants</div>
<div> * Vulnerable to Variant 1: YES </div>
<div> * Vulnerable to Variant 2: YES </div>
<div> * Vulnerable to Variant 3: YES </div>
<div><br>
</div>
<div>CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant
1'</div>
<div>* Checking count of LFENCE opcodes in kernel: YES </div>
<div>> STATUS: NOT VULNERABLE (107 opcodes found, which
is >= 70, heuristic to be improved when official patches
become available)</div>
<div><br>
</div>
<div>CVE-2017-5715 [branch target injection] aka 'Spectre
Variant 2'</div>
<div>* Mitigation 1</div>
<div> * Kernel is compiled with IBRS/IBPB support: YES </div>
<div> * Currently enabled features</div>
<div> * IBRS enabled for Kernel space: NO (echo 1 >
/sys/kernel/debug/x86/ibrs_enabled)</div>
<div> * IBRS enabled for User space: NO (echo 2 >
/sys/kernel/debug/x86/ibrs_enabled)</div>
<div> * IBPB enabled: NO (echo 1 >
/sys/kernel/debug/x86/ibpb_enabled)</div>
<div>* Mitigation 2</div>
<div> * Kernel compiled with retpoline option: NO </div>
<div> * Kernel compiled with a retpoline-aware compiler: NO </div>
<div> * Retpoline enabled: NO </div>
<div>> STATUS: VULNERABLE (IBRS hardware + kernel support
OR kernel with retpoline are needed to mitigate the
vulnerability)</div>
<div><br>
</div>
<div>CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka
'Variant 3'</div>
<div>* Kernel supports Page Table Isolation (PTI): YES </div>
<div>* PTI enabled and active: YES </div>
<div>* Running as a Xen PV DomU: NO </div>
<div>> STATUS: NOT VULNERABLE (PTI mitigates the
vulnerability)</div>
<div><br>
</div>
<div>A false sense of security is worse than no security at
all, see --disclaimer</div>
<div>[root@ov200 ~]# </div>
</div>
<div><br>
</div>
<div>So it seems I'm still vulnerable only to Variant 2, but
kernel seems ok:</div>
<div><br>
</div>
<div><span> * Kernel is compiled with IBRS/IBPB support: YES </span><br>
</div>
<div><span><br>
</span></div>
<div>while bios not, correct?</div>
<div><br>
</div>
<div>Is RH EL / CentOS expected to follow the retpoline option
too, to mitigate Variant 2, as done by Fedora for example?</div>
<div><br>
</div>
<div>Eg on my just updated Fedora 27 laptop I get now:</div>
<div><br>
</div>
<div>
<div>[g.cecchi@ope46 spectre_meltdown]$ sudo
./spectre-meltdown-checker.sh</div>
<div>[sudo] password for g.cecchi: </div>
<div>Spectre and Meltdown mitigation detection tool v0.32</div>
<div><br>
</div>
<div>Checking for vulnerabilities on current system</div>
<div>Kernel is Linux 4.14.14-300.fc27.x86_64 #1 SMP Fri Jan 19
13:19:54 UTC 2018 x86_64</div>
<div>CPU is Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz</div>
<div><br>
</div>
<div>Hardware check</div>
<div>* Hardware support (CPU microcode) for mitigation
techniques</div>
<div> * Indirect Branch Restricted Speculation (IBRS)</div>
<div> * SPEC_CTRL MSR is available: NO </div>
<div> * CPU indicates IBRS capability: NO </div>
<div> * Indirect Branch Prediction Barrier (IBPB)</div>
<div> * PRED_CMD MSR is available: NO </div>
<div> * CPU indicates IBPB capability: NO </div>
<div> * Single Thread Indirect Branch Predictors (STIBP)</div>
<div> * SPEC_CTRL MSR is available: NO </div>
<div> * CPU indicates STIBP capability: NO </div>
<div> * Enhanced IBRS (IBRS_ALL)</div>
<div> * CPU indicates ARCH_CAPABILITIES MSR availability:
NO </div>
<div> * ARCH_CAPABILITIES MSR advertises IBRS_ALL
capability: NO </div>
<div> * CPU explicitly indicates not being vulnerable to
Meltdown (RDCL_NO): NO </div>
<div>* CPU vulnerability to the three speculative execution
attacks variants</div>
<div> * Vulnerable to Variant 1: YES </div>
<div> * Vulnerable to Variant 2: YES </div>
<div> * Vulnerable to Variant 3: YES </div>
<div><br>
</div>
<div>CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant
1'</div>
<div>* Mitigated according to the /sys interface: NO (kernel
confirms your system is vulnerable)</div>
<div>> STATUS: VULNERABLE (Vulnerable)</div>
<div><br>
</div>
<div>CVE-2017-5715 [branch target injection] aka 'Spectre
Variant 2'</div>
<div>* Mitigated according to the /sys interface: YES
(kernel confirms that the mitigation is active)</div>
<div>* Mitigation 1</div>
<div> * Kernel is compiled with IBRS/IBPB support: NO </div>
<div> * Currently enabled features</div>
<div> * IBRS enabled for Kernel space: NO </div>
<div> * IBRS enabled for User space: NO </div>
<div> * IBPB enabled: NO </div>
<div>* Mitigation 2</div>
<div> * Kernel compiled with retpoline option: YES </div>
<div> * Kernel compiled with a retpoline-aware compiler:
YES (kernel reports full retpoline compilation)</div>
<div> * Retpoline enabled: YES </div>
<div>> STATUS: NOT VULNERABLE (Mitigation: Full generic
retpoline)</div>
<div><br>
</div>
<div>CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka
'Variant 3'</div>
<div>* Mitigated according to the /sys interface: YES
(kernel confirms that the mitigation is active)</div>
<div>* Kernel supports Page Table Isolation (PTI): YES </div>
<div>* PTI enabled and active: YES </div>
<div>* Running as a Xen PV DomU: NO </div>
<div>> STATUS: NOT VULNERABLE (Mitigation: PTI)</div>
<div><br>
</div>
<div>A false sense of security is worse than no security at
all, see --disclaimer</div>
<div>[g.cecchi@ope46 spectre_meltdown]$</div>
</div>
<div><br>
</div>
<div>BTW: I updated some days ago this laptop from F26 to F27
and I remember Variant 1 was fixed in F26, while now I see it
as vulnerable..... I'm going to check with Fedora mailing list
about this...</div>
<div><br>
</div>
<div>Another question: what should I see for a VM instead
related to meltdown/spectre?</div>
<div>Currently in "Guest CPU Type" in General subtab of the VM I
only see "Westmere"..</div>
<div>Should I also see anythin aout IBRS, etc...?</div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>Gianluca </div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@ovirt.org">Users@ovirt.org</a>
<a class="moz-txt-link-freetext" href="http://lists.ovirt.org/mailman/listinfo/users">http://lists.ovirt.org/mailman/listinfo/users</a>
</pre>
</blockquote>
<br>
</body>
</html>