Hello,nice to see integration of Spectre-Meltdown info in 4.1.9, both for guests and hosts, as detailed in release notes:I have upgraded my CentOS 7.4 engine VM (outside of oVirt cluster) and one oVirt host to 4.1.9.Now in General -> Software subtab of the host I see:OS Version: RHEL - 7 - 4.1708.el7.centosOS Description: CentOS Linux 7 (Core)Kernel Version: 3.10.0 - 693.17.1.el7.x86_64Kernel Features: IBRS: 0, PTI: 1, IBPB: 0Am I supposed to manually set any particular value?If I run version 0.32 (updated yesterday) of spectre-meltdown-checker.sh I got this on my Dell M610 blade withVersion: 6.4.0Release Date: 07/18/2013[root@ov200 ~]# /home/g.cecchi/spectre-meltdown-checker.sh Spectre and Meltdown mitigation detection tool v0.32Checking for vulnerabilities on current systemKernel is Linux 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu Jan 25 20:13:58 UTC 2018 x86_64CPU is Intel(R) Xeon(R) CPU X5690 @ 3.47GHzHardware check* Hardware support (CPU microcode) for mitigation techniques* Indirect Branch Restricted Speculation (IBRS)* SPEC_CTRL MSR is available: NO* CPU indicates IBRS capability: NO* Indirect Branch Prediction Barrier (IBPB)* PRED_CMD MSR is available: NO* CPU indicates IBPB capability: NO* Single Thread Indirect Branch Predictors (STIBP)* SPEC_CTRL MSR is available: NO* CPU indicates STIBP capability: NO* Enhanced IBRS (IBRS_ALL)* CPU indicates ARCH_CAPABILITIES MSR availability: NO* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO* CPU vulnerability to the three speculative execution attacks variants* Vulnerable to Variant 1: YES* Vulnerable to Variant 2: YES* Vulnerable to Variant 3: YESCVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'* Checking count of LFENCE opcodes in kernel: YES> STATUS: NOT VULNERABLE (107 opcodes found, which is >= 70, heuristic to be improved when official patches become available)CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'* Mitigation 1* Kernel is compiled with IBRS/IBPB support: YES* Currently enabled features* IBRS enabled for Kernel space: NO (echo 1 > /sys/kernel/debug/x86/ibrs_enabled) * IBRS enabled for User space: NO (echo 2 > /sys/kernel/debug/x86/ibrs_enabled) * IBPB enabled: NO (echo 1 > /sys/kernel/debug/x86/ibpb_enabled) * Mitigation 2* Kernel compiled with retpoline option: NO* Kernel compiled with a retpoline-aware compiler: NO* Retpoline enabled: NO> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'* Kernel supports Page Table Isolation (PTI): YES* PTI enabled and active: YES* Running as a Xen PV DomU: NO> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)A false sense of security is worse than no security at all, see --disclaimer[root@ov200 ~]#So it seems I'm still vulnerable only to Variant 2, but kernel seems ok:* Kernel is compiled with IBRS/IBPB support: YESwhile bios not, correct?Is RH EL / CentOS expected to follow the retpoline option too, to mitigate Variant 2, as done by Fedora for example?Eg on my just updated Fedora 27 laptop I get now:[g.cecchi@ope46 spectre_meltdown]$ sudo ./spectre-meltdown-checker.sh[sudo] password for g.cecchi:Spectre and Meltdown mitigation detection tool v0.32Checking for vulnerabilities on current systemKernel is Linux 4.14.14-300.fc27.x86_64 #1 SMP Fri Jan 19 13:19:54 UTC 2018 x86_64CPU is Intel(R) Core(TM) i7-2620M CPU @ 2.70GHzHardware check* Hardware support (CPU microcode) for mitigation techniques* Indirect Branch Restricted Speculation (IBRS)* SPEC_CTRL MSR is available: NO* CPU indicates IBRS capability: NO* Indirect Branch Prediction Barrier (IBPB)* PRED_CMD MSR is available: NO* CPU indicates IBPB capability: NO* Single Thread Indirect Branch Predictors (STIBP)* SPEC_CTRL MSR is available: NO* CPU indicates STIBP capability: NO* Enhanced IBRS (IBRS_ALL)* CPU indicates ARCH_CAPABILITIES MSR availability: NO* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO* CPU vulnerability to the three speculative execution attacks variants* Vulnerable to Variant 1: YES* Vulnerable to Variant 2: YES* Vulnerable to Variant 3: YESCVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'* Mitigated according to the /sys interface: NO (kernel confirms your system is vulnerable)> STATUS: VULNERABLE (Vulnerable)CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)* Mitigation 1* Kernel is compiled with IBRS/IBPB support: NO* Currently enabled features* IBRS enabled for Kernel space: NO* IBRS enabled for User space: NO* IBPB enabled: NO* Mitigation 2* Kernel compiled with retpoline option: YES* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)* Retpoline enabled: YES> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)* Kernel supports Page Table Isolation (PTI): YES* PTI enabled and active: YES* Running as a Xen PV DomU: NO> STATUS: NOT VULNERABLE (Mitigation: PTI)A false sense of security is worse than no security at all, see --disclaimer[g.cecchi@ope46 spectre_meltdown]$BTW: I updated some days ago this laptop from F26 to F27 and I remember Variant 1 was fixed in F26, while now I see it as vulnerable..... I'm going to check with Fedora mailing list about this...Another question: what should I see for a VM instead related to meltdown/spectre?Currently in "Guest CPU Type" in General subtab of the VM I only see "Westmere"..Should I also see anythin aout IBRS, etc...?Thanks,Gianluca
_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users