[ovirt-users] oVirt 4.1.9 and Spectre-Meltdown checks

WK wkmail at bneit.com
Fri Jan 26 18:13:51 UTC 2018


That CPU is an X5690. That is Westmere class. We have a number of those 
doing 'meatball' application loads that don't need the latest, greatest CPU.

I do not believe the microcode fix for Westmere is out yet, and it 
may never be.

Intel has, so far, promised fixes for Haswell or better (i.e. CPUs from 
the last 5 years) with a vague mention of other CPUs on a 'customer 
need' basis.

Westmere is circa 2010 and came out before Sandy/Ivy Bridge so we don't 
know when or if they will be fixed, but probably only after the 
Sandy/Ivy Bridges get theirs.

-wk




On 1/26/2018 1:50 AM, Gianluca Cecchi wrote:
> Hello,
> nice to see integration of Spectre-Meltdown info in 4.1.9, both for 
> guests and hosts, as detailed in release notes:
>
> I have upgraded my CentOS 7.4 engine VM (outside of oVirt cluster) and 
> one oVirt host to 4.1.9.
>
> Now in General -> Software subtab of the host I see:
>
> OS Version: RHEL - 7 - 4.1708.el7.centos
> OS Description: CentOS Linux 7 (Core)
> Kernel Version: 3.10.0 - 693.17.1.el7.x86_64
> Kernel Features: IBRS: 0, PTI: 1, IBPB: 0
>
> Am I supposed to manually set any particular value?
>
> If I run version 0.32 (updated yesterday) 
> of spectre-meltdown-checker.sh I got this on my Dell M610 blade with
>
>         Version: 6.4.0
>         Release Date: 07/18/2013
>
> [root at ov200 ~]# /home/g.cecchi/spectre-meltdown-checker.sh
> Spectre and Meltdown mitigation detection tool v0.32
>
> Checking for vulnerabilities on current system
> Kernel is Linux 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu Jan 25 20:13:58 
> UTC 2018 x86_64
> CPU is Intel(R) Xeon(R) CPU           X5690  @ 3.47GHz
>
> Hardware check
> * Hardware support (CPU microcode) for mitigation techniques
>   * Indirect Branch Restricted Speculation (IBRS)
>     * SPEC_CTRL MSR is available:  NO
>     * CPU indicates IBRS capability:  NO
>   * Indirect Branch Prediction Barrier (IBPB)
>     * PRED_CMD MSR is available:  NO
>     * CPU indicates IBPB capability:  NO
>   * Single Thread Indirect Branch Predictors (STIBP)
>     * SPEC_CTRL MSR is available:  NO
>     * CPU indicates STIBP capability:  NO
>   * Enhanced IBRS (IBRS_ALL)
>     * CPU indicates ARCH_CAPABILITIES MSR availability: NO
>     * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
>   * CPU explicitly indicates not being vulnerable to Meltdown 
> (RDCL_NO):  NO
> * CPU vulnerability to the three speculative execution attacks variants
>   * Vulnerable to Variant 1:  YES
>   * Vulnerable to Variant 2:  YES
>   * Vulnerable to Variant 3:  YES
>
> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> * Checking count of LFENCE opcodes in kernel:  YES
> > STATUS:  NOT VULNERABLE  (107 opcodes found, which is >= 70, 
> heuristic to be improved when official patches become available)
>
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigation 1
>   * Kernel is compiled with IBRS/IBPB support:  YES
>   * Currently enabled features
>     * IBRS enabled for Kernel space:  NO  (echo 1 > 
> /sys/kernel/debug/x86/ibrs_enabled)
>     * IBRS enabled for User space:  NO  (echo 2 > 
> /sys/kernel/debug/x86/ibrs_enabled)
>     * IBPB enabled:  NO  (echo 1 > /sys/kernel/debug/x86/ibpb_enabled)
> * Mitigation 2
>   * Kernel compiled with retpoline option:  NO
>   * Kernel compiled with a retpoline-aware compiler:  NO
>   * Retpoline enabled:  NO
> > STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with 
> retpoline are needed to mitigate the vulnerability)
>
> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> * Kernel supports Page Table Isolation (PTI):  YES
> * PTI enabled and active:  YES
> * Running as a Xen PV DomU:  NO
> > STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
>
> A false sense of security is worse than no security at all, see 
> --disclaimer
> [root at ov200 ~]#
>
> So it seems I'm still vulnerable only to Variant 2, but the kernel seems OK:
>
>   * Kernel is compiled with IBRS/IBPB support:  YES
>
> while the BIOS is not, correct?
>
> Is RH EL / CentOS expected to follow the retpoline option too, to 
> mitigate Variant 2, as done by Fedora for example?
>
> Eg on my just updated Fedora 27 laptop I get now:
>
> [g.cecchi at ope46 spectre_meltdown]$ sudo ./spectre-meltdown-checker.sh
> [sudo] password for g.cecchi:
> Spectre and Meltdown mitigation detection tool v0.32
>
> Checking for vulnerabilities on current system
> Kernel is Linux 4.14.14-300.fc27.x86_64 #1 SMP Fri Jan 19 13:19:54 UTC 
> 2018 x86_64
> CPU is Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz
>
> Hardware check
> * Hardware support (CPU microcode) for mitigation techniques
>   * Indirect Branch Restricted Speculation (IBRS)
>     * SPEC_CTRL MSR is available:  NO
>     * CPU indicates IBRS capability:  NO
>   * Indirect Branch Prediction Barrier (IBPB)
>     * PRED_CMD MSR is available:  NO
>     * CPU indicates IBPB capability:  NO
>   * Single Thread Indirect Branch Predictors (STIBP)
>     * SPEC_CTRL MSR is available:  NO
>     * CPU indicates STIBP capability:  NO
>   * Enhanced IBRS (IBRS_ALL)
>     * CPU indicates ARCH_CAPABILITIES MSR availability: NO
>     * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
>   * CPU explicitly indicates not being vulnerable to Meltdown 
> (RDCL_NO):  NO
> * CPU vulnerability to the three speculative execution attacks variants
>   * Vulnerable to Variant 1:  YES
>   * Vulnerable to Variant 2:  YES
>   * Vulnerable to Variant 3:  YES
>
> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
> * Mitigated according to the /sys interface:  NO  (kernel confirms 
> your system is vulnerable)
> > STATUS:  VULNERABLE  (Vulnerable)
>
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigated according to the /sys interface:  YES (kernel confirms 
> that the mitigation is active)
> * Mitigation 1
>   * Kernel is compiled with IBRS/IBPB support:  NO
>   * Currently enabled features
>     * IBRS enabled for Kernel space:  NO
>     * IBRS enabled for User space:  NO
>     * IBPB enabled:  NO
> * Mitigation 2
>   * Kernel compiled with retpoline option:  YES
>   * Kernel compiled with a retpoline-aware compiler: YES  (kernel 
> reports full retpoline compilation)
>   * Retpoline enabled:  YES
> > STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)
>
> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
> * Mitigated according to the /sys interface:  YES (kernel confirms 
> that the mitigation is active)
> * Kernel supports Page Table Isolation (PTI):  YES
> * PTI enabled and active:  YES
> * Running as a Xen PV DomU:  NO
> > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
>
> A false sense of security is worse than no security at all, see 
> --disclaimer
> [g.cecchi at ope46 spectre_meltdown]$
>
> BTW: I updated this laptop from F26 to F27 some days ago and I 
> remember Variant 1 was fixed in F26, while now I see it as 
> vulnerable... I'm going to check with the Fedora mailing list about this...
>
> Another question: what should I see for a VM instead, related to 
> Meltdown/Spectre?
> Currently in "Guest CPU Type" in the General subtab of the VM I only see 
> "Westmere"..
> Should I also see anything about IBRS, etc.?
>
> Thanks,
>
> Gianluca

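The checker output quoted above and the host's "Kernel Features: IBRS: 0, PTI: 1, IBPB: 0" line come from two places: the kernel's `/sys/devices/system/cpu/vulnerabilities/` files (the "/sys interface" the checker refers to) and, on RHEL 7 kernels, the debugfs knobs under `/sys/kernel/debug/x86/`. The following POSIX shell script is an added example written for this page; it is not part of the thread, of oVirt, or of spectre-meltdown-checker. It reads both sources, classifies each variant, reproduces the oVirt-style summary line, and tolerates absent files (debugfs not mounted, kernel without the knob, or an older kernel without the sysfs entries), which is the case that makes a naive check silently report "0". The sysfs tree it builds for `--demo` is constructed to mirror the ov200 host's values; the `pti_enabled` knob is assumed to exist alongside the `ibrs_enabled` and `ibpb_enabled` knobs the checker names, and the `ROOT` argument is a convenience so the script can be pointed at such a constructed tree instead of a live host.

```shell
#!/bin/sh
# Added example (not part of the oVirt thread or of spectre-meltdown-checker):
# summarise Spectre/Meltdown mitigation state from the kernel's sysfs files
# and the RHEL 7 debugfs knobs. ROOT defaults to "/" so that a constructed
# tree can be used for testing.

# classify_sysfs_line LINE -> VULNERABLE | MITIGATED | NOT_AFFECTED | UNKNOWN
# Matches the prefixes the kernel writes to the vulnerabilities/* files.
classify_sysfs_line() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo MITIGATED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# read_flag FILE -> first line of FILE, or "n/a" when it cannot be read
# (debugfs not mounted, missing knob, not root). "n/a" is deliberately
# distinct from "0" so an absent knob is never mistaken for "disabled".
read_flag() {
    if [ -r "$1" ]; then
        head -n 1 "$1"
    else
        echo "n/a"
    fi
}

# kernel_features ROOT -> one line in the style of the oVirt "Kernel Features"
# field. pti_enabled is assumed to sit beside the two knobs the checker names.
kernel_features() {
    dbg="${1:-/}/sys/kernel/debug/x86"
    printf 'IBRS: %s, PTI: %s, IBPB: %s\n' \
        "$(read_flag "$dbg/ibrs_enabled")" \
        "$(read_flag "$dbg/pti_enabled")" \
        "$(read_flag "$dbg/ibpb_enabled")"
}

# vuln_status ROOT NAME -> classification of vulnerabilities/NAME, UNKNOWN
# when the kernel does not expose that entry at all.
vuln_status() {
    f="${1:-/}/sys/devices/system/cpu/vulnerabilities/$2"
    if [ -r "$f" ]; then
        classify_sysfs_line "$(head -n 1 "$f")"
    else
        echo UNKNOWN
    fi
}

# report ROOT -> prints the per-variant table and the features line;
# returns 1 when any variant is still VULNERABLE, so it can gate automation.
report() {
    root="${1:-/}"
    rc=0
    for v in spectre_v1 spectre_v2 meltdown; do
        s=$(vuln_status "$root" "$v")
        printf '%-10s %s\n' "$v" "$s"
        [ "$s" = VULNERABLE ] && rc=1
    done
    printf 'Kernel Features: %s\n' "$(kernel_features "$root")"
    return $rc
}

# make_sample_tree -> path of a constructed tree mirroring the ov200 host in
# the thread: PTI active, IBRS/IBPB off, Spectre v2 unmitigated.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sys/devices/system/cpu/vulnerabilities" "$d/sys/kernel/debug/x86"
    echo "Mitigation: __user pointer sanitization" > "$d/sys/devices/system/cpu/vulnerabilities/spectre_v1"
    echo "Vulnerable" > "$d/sys/devices/system/cpu/vulnerabilities/spectre_v2"
    echo "Mitigation: PTI" > "$d/sys/devices/system/cpu/vulnerabilities/meltdown"
    echo 0 > "$d/sys/kernel/debug/x86/ibrs_enabled"
    echo 1 > "$d/sys/kernel/debug/x86/pti_enabled"
    echo 0 > "$d/sys/kernel/debug/x86/ibpb_enabled"
    echo "$d"
}

# Usage: ./mitigation-status.sh          (live host, needs root for debugfs)
#        ./mitigation-status.sh --demo   (constructed ov200-like tree)
case "${1:-}" in
    --demo) report "$(make_sample_tree)" ;;
    --live) report / ;;
esac
```

Run with `--live` as root on a host and compare the last line with what the oVirt engine shows under General -> Software; a `n/a` there means the knob is not exposed (debugfs unmounted or an older kernel), not that the feature is off, which is the distinction the one-line "IBRS: 0" display cannot make.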