<div dir="auto">forgot to mention that the latest microcode update was a rollback of previous updates:)<div dir="auto">more info you can find there:<br><div dir="auto"><a href="https://access.redhat.com/errata/RHSA-2018:0093">https://access.redhat.com/errata/RHSA-2018:0093</a><br></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">Am 26.01.2018 10:50 vorm. schrieb "Gianluca Cecchi" <<a href="mailto:gianluca.cecchi@gmail.com">gianluca.cecchi@gmail.com</a>>:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div>nice to see integration of Spectre-Meltdown info in 4.1.9, both for guests and hosts, as detailed in release notes:</div><div><br></div><div>I have upgraded my CentOS 7.4 engine VM (outside of oVirt cluster) and one oVirt host to 4.1.9.</div><div><br></div><div>Now in General -> Software subtab of the host I see:</div><div><br></div><div><div class="m_1810045511417941542gmail-row"><div class="m_1810045511417941542gmail-col-md-12"><div class="m_1810045511417941542gmail-row"><div class="m_1810045511417941542gmail-col-md-2"><div class="m_1810045511417941542gmail-GKIIXFICABD" id="m_1810045511417941542gmail-SubTabHostGeneralSoftwareView_formPanel_col0_row0_label">OS Version: RHEL - 7 - 4.1708.el7.centos</div></div></div></div></div><div class="m_1810045511417941542gmail-row"><div class="m_1810045511417941542gmail-col-md-12"><div class="m_1810045511417941542gmail-row"><div class="m_1810045511417941542gmail-col-md-2"><div class="m_1810045511417941542gmail-GKIIXFICABD" id="m_1810045511417941542gmail-SubTabHostGeneralSoftwareView_formPanel_col0_row1_label">OS Description: CentOS Linux 7 (Core)</div></div></div></div></div><div class="m_1810045511417941542gmail-row"><div class="m_1810045511417941542gmail-col-md-12"><div class="m_1810045511417941542gmail-row"><div class="m_1810045511417941542gmail-col-md-2"><div class="m_1810045511417941542gmail-GKIIXFICABD" id="m_1810045511417941542gmail-SubTabHostGeneralSoftwareView_formPanel_col0_row2_label">Kernel Version: 3.10.0 - 693.17.1.el7.x86_64</div></div></div></div></div></div><div><div class="m_1810045511417941542gmail-row"><div class="m_1810045511417941542gmail-col-md-12"><div class="m_1810045511417941542gmail-row"><div class="m_1810045511417941542gmail-col-md-2"><div class="m_1810045511417941542gmail-GKIIXFICABD" id="m_1810045511417941542gmail-SubTabHostGeneralSoftwareView_formPanel_col0_row9_label">Kernel Features: IBRS: 0, PTI: 1, IBPB: 0</div></div></div></div></div><br></div><div>Am I supposed to manually set any particular value?</div><div><br></div><div>If I run version 0.32 (updated yesterday) of spectre-meltdown-checker.sh I got this on my Dell M610 blade with </div><div><br></div><div><div> Version: 6.4.0</div><div> Release Date: 07/18/2013</div></div><div><br></div><div><div>[root@ov200 ~]# /home/g.cecchi/spectre-<wbr>meltdown-checker.sh </div><div>Spectre and Meltdown mitigation detection tool v0.32</div><div><br></div><div>Checking for vulnerabilities on current system</div><div>Kernel is Linux 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu Jan 25 20:13:58 UTC 2018 x86_64</div><div>CPU is Intel(R) Xeon(R) CPU X5690 @ 3.47GHz</div><div><br></div><div>Hardware check</div><div>* Hardware support (CPU microcode) for mitigation techniques</div><div> * Indirect Branch Restricted Speculation (IBRS)</div><div> * SPEC_CTRL MSR is available: NO </div><div> * CPU indicates IBRS capability: NO </div><div> * Indirect Branch Prediction Barrier (IBPB)</div><div> * PRED_CMD MSR is available: NO </div><div> * CPU indicates IBPB capability: NO </div><div> * Single Thread Indirect Branch Predictors (STIBP)</div><div> * SPEC_CTRL MSR is available: NO </div><div> * CPU indicates STIBP capability: NO </div><div> * Enhanced IBRS (IBRS_ALL)</div><div> * CPU indicates ARCH_CAPABILITIES MSR availability: NO </div><div> * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO </div><div> * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO </div><div>* CPU vulnerability to the three speculative execution attacks variants</div><div> * Vulnerable to Variant 1: YES </div><div> * Vulnerable to Variant 2: YES </div><div> * Vulnerable to Variant 3: YES </div><div><br></div><div>CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'</div><div>* Checking count of LFENCE opcodes in kernel: YES </div><div>> STATUS: NOT VULNERABLE (107 opcodes found, which is >= 70, heuristic to be improved when official patches become available)</div><div><br></div><div>CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'</div><div>* Mitigation 1</div><div> * Kernel is compiled with IBRS/IBPB support: YES </div><div> * Currently enabled features</div><div> * IBRS enabled for Kernel space: NO (echo 1 > /sys/kernel/debug/x86/ibrs_<wbr>enabled)</div><div> * IBRS enabled for User space: NO (echo 2 > /sys/kernel/debug/x86/ibrs_<wbr>enabled)</div><div> * IBPB enabled: NO (echo 1 > /sys/kernel/debug/x86/ibpb_<wbr>enabled)</div><div>* Mitigation 2</div><div> * Kernel compiled with retpoline option: NO </div><div> * Kernel compiled with a retpoline-aware compiler: NO </div><div> * Retpoline enabled: NO </div><div>> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)</div><div><br></div><div>CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'</div><div>* Kernel supports Page Table Isolation (PTI): YES </div><div>* PTI enabled and active: YES </div><div>* Running as a Xen PV DomU: NO </div><div>> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)</div><div><br></div><div>A false sense of security is worse than no security at all, see --disclaimer</div><div>[root@ov200 ~]# </div></div><div><br></div><div>So it seems I'm still vulnerable only to Variant 2, but kernel seems ok:</div><div><br></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"> * Kernel is compiled with IBRS/IBPB support: YES </span><br></div><div><span style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:small;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline"><br></span></div><div>while bios not, correct?</div><div><br></div><div>Is RH EL / CentOS expected to follow the retpoline option too, to mitigate Variant 2, as done by Fedora for example?</div><div><br></div><div>Eg on my just updated Fedora 27 laptop I get now:</div><div><br></div><div><div>[g.cecchi@ope46 spectre_meltdown]$ sudo ./spectre-meltdown-checker.sh</div><div>[sudo] password for g.cecchi: </div><div>Spectre and Meltdown mitigation detection tool v0.32</div><div><br></div><div>Checking for vulnerabilities on current system</div><div>Kernel is Linux 4.14.14-300.fc27.x86_64 #1 SMP Fri Jan 19 13:19:54 UTC 2018 x86_64</div><div>CPU is Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz</div><div><br></div><div>Hardware check</div><div>* Hardware support (CPU microcode) for mitigation techniques</div><div> * Indirect Branch Restricted Speculation (IBRS)</div><div> * SPEC_CTRL MSR is available: NO </div><div> * CPU indicates IBRS capability: NO </div><div> * Indirect Branch Prediction Barrier (IBPB)</div><div> * PRED_CMD MSR is available: NO </div><div> * CPU indicates IBPB capability: NO </div><div> * Single Thread Indirect Branch Predictors (STIBP)</div><div> * SPEC_CTRL MSR is available: NO </div><div> * CPU indicates STIBP capability: NO </div><div> * Enhanced IBRS (IBRS_ALL)</div><div> * CPU indicates ARCH_CAPABILITIES MSR availability: NO </div><div> * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO </div><div> * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO </div><div>* CPU vulnerability to the three speculative execution attacks variants</div><div> * Vulnerable to Variant 1: YES </div><div> * Vulnerable to Variant 2: YES </div><div> * Vulnerable to Variant 3: YES </div><div><br></div><div>CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'</div><div>* Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)</div><div>> STATUS: VULNERABLE (Vulnerable)</div><div><br></div><div>CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'</div><div>* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)</div><div>* Mitigation 1</div><div> * Kernel is compiled with IBRS/IBPB support: NO </div><div> * Currently enabled features</div><div> * IBRS enabled for Kernel space: NO </div><div> * IBRS enabled for User space: NO </div><div> * IBPB enabled: NO </div><div>* Mitigation 2</div><div> * Kernel compiled with retpoline option: YES </div><div> * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)</div><div> * Retpoline enabled: YES </div><div>> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)</div><div><br></div><div>CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'</div><div>* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)</div><div>* Kernel supports Page Table Isolation (PTI): YES </div><div>* PTI enabled and active: YES </div><div>* Running as a Xen PV DomU: NO </div><div>> STATUS: NOT VULNERABLE (Mitigation: PTI)</div><div><br></div><div>A false sense of security is worse than no security at all, see --disclaimer</div><div>[g.cecchi@ope46 spectre_meltdown]$</div></div><div><br></div><div>BTW: I updated some days ago this laptop from F26 to F27 and I remember Variant 1 was fixed in F26, while now I see it as vulnerable..... I'm going to check with Fedora mailing list about this...</div><div><br></div><div>Another question: what should I see for a VM instead related to meltdown/spectre?</div><div>Currently in "Guest CPU Type" in General subtab of the VM I only see "Westmere"..</div><div>Should I also see anythin aout IBRS, etc...?</div><div><br></div><div>Thanks,</div><div><br></div><div>Gianluca </div></div>
<br>______________________________<wbr>_________________<br>
Users mailing list<br>
<a href="mailto:Users@ovirt.org">Users@ovirt.org</a><br>
<a href="http://lists.ovirt.org/mailman/listinfo/users" rel="noreferrer" target="_blank">http://lists.ovirt.org/<wbr>mailman/listinfo/users</a><br>
<br></blockquote></div></div>