Updated info:
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-...
Looks like Intel is now committing to support Sandy/Ivy Bridge.
No mention of Westmere or earlier as of yet :-(
On 1/26/2018 10:13 AM, WK wrote:
That CPU is an X5690. That is Westmere class. We have a number of
those doing 'meatball' application loads that don't need the latest,
greatest CPU.
I do not believe the microcode fix for Westmere is out yet, and it
may never be.
Intel has, so far, promised fixes for Haswell or better (i.e. CPUs
from the last 5 years) with a vague mention of other CPUs on a
'customer need' basis.
Westmere is circa 2010 and came out before Sandy/Ivy Bridge, so we
don't know when or if they will be fixed, but probably only after the
Sandy/Ivy Bridges get theirs.
-wk
On 1/26/2018 1:50 AM, Gianluca Cecchi wrote:
> Hello,
> nice to see integration of Spectre-Meltdown info in 4.1.9, both for
> guests and hosts, as detailed in release notes:
>
> I have upgraded my CentOS 7.4 engine VM (outside of oVirt cluster)
> and one oVirt host to 4.1.9.
>
> Now in General -> Software subtab of the host I see:
>
> OS Version: RHEL - 7 - 4.1708.el7.centos
> OS Description: CentOS Linux 7 (Core)
> Kernel Version: 3.10.0 - 693.17.1.el7.x86_64
> Kernel Features: IBRS: 0, PTI: 1, IBPB: 0
>
> Am I supposed to manually set any particular value?
>
> If I run version 0.32 (updated yesterday)
> of spectre-meltdown-checker.sh I got this on my Dell M610 blade with
>
> Version: 6.4.0
> Release Date: 07/18/2013
>
> [root@ov200 ~]# /home/g.cecchi/spectre-meltdown-checker.sh
> Spectre and Meltdown mitigation detection tool v0.32
>
> Checking for vulnerabilities on current system
> Kernel is Linux 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu Jan 25 20:13:58
> UTC 2018 x86_64
> CPU is Intel(R) Xeon(R) CPU X5690 @ 3.47GHz
>
> Hardware check
> * Hardware support (CPU microcode) for mitigation techniques
> * Indirect Branch Restricted Speculation (IBRS)
> * SPEC_CTRL MSR is available: NO
> * CPU indicates IBRS capability: NO
> * Indirect Branch Prediction Barrier (IBPB)
> * PRED_CMD MSR is available: NO
> * CPU indicates IBPB capability: NO
> * Single Thread Indirect Branch Predictors (STIBP)
> * SPEC_CTRL MSR is available: NO
> * CPU indicates STIBP capability: NO
> * Enhanced IBRS (IBRS_ALL)
> * CPU indicates ARCH_CAPABILITIES MSR availability: NO
> * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
> * CPU explicitly indicates not being vulnerable to Meltdown
> (RDCL_NO): NO
> * CPU vulnerability to the three speculative execution attacks variants
> * Vulnerable to Variant 1: YES
> * Vulnerable to Variant 2: YES
> * Vulnerable to Variant 3: YES
>
> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> * Checking count of LFENCE opcodes in kernel: YES
> > STATUS: NOT VULNERABLE (107 opcodes found, which is >= 70,
> heuristic to be improved when official patches become available)
>
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigation 1
> * Kernel is compiled with IBRS/IBPB support: YES
> * Currently enabled features
> * IBRS enabled for Kernel space: NO (echo 1 >
> /sys/kernel/debug/x86/ibrs_enabled)
> * IBRS enabled for User space: NO (echo 2 >
> /sys/kernel/debug/x86/ibrs_enabled)
> * IBPB enabled: NO (echo 1 > /sys/kernel/debug/x86/ibpb_enabled)
> * Mitigation 2
> * Kernel compiled with retpoline option: NO
> * Kernel compiled with a retpoline-aware compiler: NO
> * Retpoline enabled: NO
> > STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with
> retpoline are needed to mitigate the vulnerability)
>
> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> * Kernel supports Page Table Isolation (PTI): YES
> * PTI enabled and active: YES
> * Running as a Xen PV DomU: NO
> > STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
>
> A false sense of security is worse than no security at all, see
> --disclaimer
> [root@ov200 ~]#
>
> So it seems I'm still vulnerable only to Variant 2, but the kernel seems OK:
>
> * Kernel is compiled with IBRS/IBPB support: YES
>
> while the BIOS is not, correct?
>
> Is RH EL / CentOS expected to follow the retpoline option too, to
> mitigate Variant 2, as done by Fedora for example?
>
> Eg on my just updated Fedora 27 laptop I get now:
>
> [g.cecchi@ope46 spectre_meltdown]$ sudo ./spectre-meltdown-checker.sh
> [sudo] password for g.cecchi:
> Spectre and Meltdown mitigation detection tool v0.32
>
> Checking for vulnerabilities on current system
> Kernel is Linux 4.14.14-300.fc27.x86_64 #1 SMP Fri Jan 19 13:19:54
> UTC 2018 x86_64
> CPU is Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz
>
> Hardware check
> * Hardware support (CPU microcode) for mitigation techniques
> * Indirect Branch Restricted Speculation (IBRS)
> * SPEC_CTRL MSR is available: NO
> * CPU indicates IBRS capability: NO
> * Indirect Branch Prediction Barrier (IBPB)
> * PRED_CMD MSR is available: NO
> * CPU indicates IBPB capability: NO
> * Single Thread Indirect Branch Predictors (STIBP)
> * SPEC_CTRL MSR is available: NO
> * CPU indicates STIBP capability: NO
> * Enhanced IBRS (IBRS_ALL)
> * CPU indicates ARCH_CAPABILITIES MSR availability: NO
> * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
> * CPU explicitly indicates not being vulnerable to Meltdown
> (RDCL_NO): NO
> * CPU vulnerability to the three speculative execution attacks variants
> * Vulnerable to Variant 1: YES
> * Vulnerable to Variant 2: YES
> * Vulnerable to Variant 3: YES
>
> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> * Mitigated according to the /sys interface: NO (kernel confirms
> your system is vulnerable)
> > STATUS: VULNERABLE (Vulnerable)
>
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigated according to the /sys interface: YES (kernel confirms
> that the mitigation is active)
> * Mitigation 1
> * Kernel is compiled with IBRS/IBPB support: NO
> * Currently enabled features
> * IBRS enabled for Kernel space: NO
> * IBRS enabled for User space: NO
> * IBPB enabled: NO
> * Mitigation 2
> * Kernel compiled with retpoline option: YES
> * Kernel compiled with a retpoline-aware compiler: YES (kernel
> reports full retpoline compilation)
> * Retpoline enabled: YES
> > STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)
>
> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> * Mitigated according to the /sys interface: YES (kernel confirms
> that the mitigation is active)
> * Kernel supports Page Table Isolation (PTI): YES
> * PTI enabled and active: YES
> * Running as a Xen PV DomU: NO
> > STATUS: NOT VULNERABLE (Mitigation: PTI)
>
> A false sense of security is worse than no security at all, see
> --disclaimer
> [g.cecchi@ope46 spectre_meltdown]$
>
> BTW: I updated this laptop some days ago from F26 to F27 and I
> remember Variant 1 was fixed in F26, while now I see it as
> vulnerable... I'm going to check with the Fedora mailing list about this...
>
> Another question: what should I see for a VM instead related to
> meltdown/spectre?
> Currently in "Guest CPU Type" in General subtab of the VM I only see
> "Westmere"..
> Should I also see anything about IBRS, etc.?
>
> Thanks,
>
> Gianluca
>
>
> _______________________________________________
> Users mailing list
> Users(a)ovirt.org
>
> http://lists.ovirt.org/mailman/listinfo/users
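The two questions in the thread (what the host's "Kernel Features: IBRS: 0, PTI: 1, IBPB: 0" line and the checker's Variant 2 verdict are telling you, and what a guest should show) both come down to reading the same three sources the checker reads and combining them. The script below is an added example written for this page; it is not code from the thread, from oVirt or from the spectre-meltdown-checker project. It assumes: that the "/sys interface" the checker reports is the kernel's /sys/devices/system/cpu/vulnerabilities/ files (present on the Fedora 4.14.14 kernel, absent on 3.10.0-693.17.1); the /sys/kernel/debug/x86/ibrs_enabled and ibpb_enabled knobs the checker names, plus a pti_enabled knob assumed alongside them (debugfs must be mounted, and the oVirt line is assumed to mirror these knobs); and that the RHEL 7 kernel exposes the updated microcode as a spec_ctrl flag in /proc/cpuinfo (verify the flag name against your kernel). The path variables, function names and the constructed /proc/cpuinfo content mentioned in the usage note are my own.

```shell
#!/bin/sh
# spectre-status.sh: added example, not code from the oVirt thread or from
# spectre-meltdown-checker. Reads the three sources the checker consults and
# explains a Spectre Variant 2 (CVE-2017-5715) verdict:
#   1. /sys/devices/system/cpu/vulnerabilities/*  (the "/sys interface";
#      present on 4.14.14, absent on the 3.10.0-693.17.1 kernel)
#   2. /sys/kernel/debug/x86/{ibrs,ibpb,pti}_enabled (RHEL/CentOS 7 knobs;
#      pti_enabled assumed by analogy, debugfs must be mounted)
#   3. /proc/cpuinfo: spec_ctrl flag (assumed RHEL 7 flag name for the new
#      microcode) and the loaded microcode revision
# Paths are overridable so the functions can be run against a constructed
# tree of files, or unchanged inside a guest.

SYSFS_VULN=${SYSFS_VULN:-/sys/devices/system/cpu/vulnerabilities}
DEBUGFS_X86=${DEBUGFS_X86:-/sys/kernel/debug/x86}
CPUINFO=${CPUINFO:-/proc/cpuinfo}

# read_or FILE DEFAULT: print FILE's contents, or DEFAULT when it is missing
read_or() {
    if [ -r "$1" ]; then cat "$1"; else printf '%s' "$2"; fi
}

# rhel_knobs: the three debugfs toggles in the format of the oVirt
# "Kernel Features" line ("-" where a knob does not exist)
rhel_knobs() {
    printf 'IBRS: %s, PTI: %s, IBPB: %s\n' \
        "$(read_or "$DEBUGFS_X86/ibrs_enabled" '-')" \
        "$(read_or "$DEBUGFS_X86/pti_enabled" '-')" \
        "$(read_or "$DEBUGFS_X86/ibpb_enabled" '-')"
}

# sysfs_status NAME: the kernel's own verdict for spectre_v1, spectre_v2 or
# meltdown, or "unavailable" on kernels that predate the interface
sysfs_status() {
    read_or "$SYSFS_VULN/$1" unavailable
}

# cpu_has_flag FLAG: true when FLAG appears in the first "flags" line
cpu_has_flag() {
    grep '^flags' "$CPUINFO" | head -n 1 | grep -qw -- "$1"
}

# microcode_rev: microcode revision the kernel loaded (e.g. 0x1f)
microcode_rev() {
    awk -F': ' '/^microcode/ { print $2; exit }' "$CPUINFO"
}

# variant2_verdict: apply the checker's rule that either IBRS (microcode +
# kernel support + knob on) or a retpoline kernel mitigates Variant 2.
# Prints the verdict; returns 0 when mitigated, 1 when vulnerable.
variant2_verdict() {
    s=$(sysfs_status spectre_v2)
    case "$s" in
        Mitigation:*|"Not affected") echo "NOT VULNERABLE ($s)"; return 0 ;;
        unavailable) ;;   # old kernel: fall back to debugfs + cpuinfo
        *) echo "VULNERABLE ($s)"; return 1 ;;
    esac
    if cpu_has_flag spec_ctrl; then
        if [ "$(read_or "$DEBUGFS_X86/ibrs_enabled" 0)" != 0 ]; then
            echo "NOT VULNERABLE (IBRS enabled, microcode $(microcode_rev))"
            return 0
        fi
        echo "VULNERABLE (microcode has SPEC_CTRL but ibrs_enabled=0: echo 1 > $DEBUGFS_X86/ibrs_enabled)"
    else
        echo "VULNERABLE (no SPEC_CTRL in microcode $(microcode_rev); needs a microcode/BIOS update or a retpoline kernel)"
    fi
    return 1
}

# report: one-screen summary for a host or a guest
report() {
    echo "Kernel Features: $(rhel_knobs)"
    for v in spectre_v1 spectre_v2 meltdown; do
        echo "$v: $(sysfs_status "$v")"
    done
    echo "Spectre Variant 2: $(variant2_verdict)"
}

if [ "${1:-}" = "--report" ]; then report; fi
```

Run it as "sh spectre-status.sh --report" on the host, then again inside a guest. On the X5690 host above it reports the knobs as 0/1/0 and a Variant 2 verdict of "no SPEC_CTRL in microcode", which is the BIOS/microcode gap rather than a kernel problem; once a microcode update adds the flag, the knob still has to be turned on (or the kernel has to be a retpoline build) before the verdict changes. A guest whose CPU type is plain Westmere will not see spec_ctrl in its own flags even after the host is updated, because the hypervisor has to expose that CPUID feature to the guest through the VM's CPU type; without it the guest kernel cannot enable IBRS whatever the host reports. To exercise the decision logic without a vulnerable machine, set SYSFS_VULN, DEBUGFS_X86 and CPUINFO to a directory of constructed files (a fake cpuinfo with or without spec_ctrl, a fake spectre_v2 file reading "Mitigation: Full generic retpoline", and so on).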