[ovirt-users] oVirt 4.1.9 and Spectre-Meltdown checks
WK
wkmail at bneit.com
Sat Jan 27 00:42:13 UTC 2018
Updated info:
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-update-guidance.pdf
Looks like Intel is now committing to support Sandy/Ivy Bridge.
No mention of Westmere or earlier as of yet :-(
On 1/26/2018 10:13 AM, WK wrote:
>
> That cpu is X5690. That is Westmere class. We have a number of
> those doing 'meatball' application loads that don't need the latest
> greatest cpu.
>
> I do not yet believe the Microcode fix for Westmere is out yet and it
> may never be.
>
> Intel has, so far, promised fixes for Haswell or better (i.e. CPUs
> from the last 5 years) with a vague mention of other cpus on a
> 'customer' need basis.
>
> Westmere is circa 2010 and came out before Sandy/Ivy Bridge so we
> don't know when or if they will be fixed, but probably only after the
> Sandy/Ivy Bridges get theirs.
>
> -wk
>
>
>
>
> On 1/26/2018 1:50 AM, Gianluca Cecchi wrote:
>> Hello,
>> nice to see integration of Spectre-Meltdown info in 4.1.9, both for
>> guests and hosts, as detailed in release notes:
>>
>> I have upgraded my CentOS 7.4 engine VM (outside of oVirt cluster)
>> and one oVirt host to 4.1.9.
>>
>> Now in General -> Software subtab of the host I see:
>>
>> OS Version: RHEL - 7 - 4.1708.el7.centos
>> OS Description: CentOS Linux 7 (Core)
>> Kernel Version: 3.10.0 - 693.17.1.el7.x86_64
>> Kernel Features: IBRS: 0, PTI: 1, IBPB: 0
>>
>> Am I supposed to manually set any particular value?
>>
>> If I run version 0.32 (updated yesterday)
>> of spectre-meltdown-checker.sh I got this on my Dell M610 blade with
>>
>> Version: 6.4.0
>> Release Date: 07/18/2013
>>
>> [root at ov200 ~]# /home/g.cecchi/spectre-meltdown-checker.sh
>> Spectre and Meltdown mitigation detection tool v0.32
>>
>> Checking for vulnerabilities on current system
>> Kernel is Linux 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu Jan 25 20:13:58
>> UTC 2018 x86_64
>> CPU is Intel(R) Xeon(R) CPU X5690 @ 3.47GHz
>>
>> Hardware check
>> * Hardware support (CPU microcode) for mitigation techniques
>> * Indirect Branch Restricted Speculation (IBRS)
>> * SPEC_CTRL MSR is available: NO
>> * CPU indicates IBRS capability: NO
>> * Indirect Branch Prediction Barrier (IBPB)
>> * PRED_CMD MSR is available: NO
>> * CPU indicates IBPB capability: NO
>> * Single Thread Indirect Branch Predictors (STIBP)
>> * SPEC_CTRL MSR is available: NO
>> * CPU indicates STIBP capability: NO
>> * Enhanced IBRS (IBRS_ALL)
>> * CPU indicates ARCH_CAPABILITIES MSR availability: NO
>> * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
>> * CPU explicitly indicates not being vulnerable to Meltdown
>> (RDCL_NO): NO
>> * CPU vulnerability to the three speculative execution attacks variants
>> * Vulnerable to Variant 1: YES
>> * Vulnerable to Variant 2: YES
>> * Vulnerable to Variant 3: YES
>>
>> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
>> * Checking count of LFENCE opcodes in kernel: YES
>> > STATUS: NOT VULNERABLE (107 opcodes found, which is >= 70,
>> heuristic to be improved when official patches become available)
>>
>> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
>> * Mitigation 1
>> * Kernel is compiled with IBRS/IBPB support: YES
>> * Currently enabled features
>> * IBRS enabled for Kernel space: NO (echo 1 >
>> /sys/kernel/debug/x86/ibrs_enabled)
>> * IBRS enabled for User space: NO (echo 2 >
>> /sys/kernel/debug/x86/ibrs_enabled)
>> * IBPB enabled: NO (echo 1 > /sys/kernel/debug/x86/ibpb_enabled)
>> * Mitigation 2
>> * Kernel compiled with retpoline option: NO
>> * Kernel compiled with a retpoline-aware compiler: NO
>> * Retpoline enabled: NO
>> > STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with
>> retpoline are needed to mitigate the vulnerability)
>>
>> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
>> * Kernel supports Page Table Isolation (PTI): YES
>> * PTI enabled and active: YES
>> * Running as a Xen PV DomU: NO
>> > STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
>>
>> A false sense of security is worse than no security at all, see
>> --disclaimer
>> [root at ov200 ~]#
>>
>> So it seems I'm still vulnerable only to Variant 2, but kernel seems ok:
>>
>> * Kernel is compiled with IBRS/IBPB support: YES
>>
>> while bios not, correct?
>>
>> Is RH EL / CentOS expected to follow the retpoline option too, to
>> mitigate Variant 2, as done by Fedora for example?
>>
>> Eg on my just updated Fedora 27 laptop I get now:
>>
>> [g.cecchi at ope46 spectre_meltdown]$ sudo ./spectre-meltdown-checker.sh
>> [sudo] password for g.cecchi:
>> Spectre and Meltdown mitigation detection tool v0.32
>>
>> Checking for vulnerabilities on current system
>> Kernel is Linux 4.14.14-300.fc27.x86_64 #1 SMP Fri Jan 19 13:19:54
>> UTC 2018 x86_64
>> CPU is Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz
>>
>> Hardware check
>> * Hardware support (CPU microcode) for mitigation techniques
>> * Indirect Branch Restricted Speculation (IBRS)
>> * SPEC_CTRL MSR is available: NO
>> * CPU indicates IBRS capability: NO
>> * Indirect Branch Prediction Barrier (IBPB)
>> * PRED_CMD MSR is available: NO
>> * CPU indicates IBPB capability: NO
>> * Single Thread Indirect Branch Predictors (STIBP)
>> * SPEC_CTRL MSR is available: NO
>> * CPU indicates STIBP capability: NO
>> * Enhanced IBRS (IBRS_ALL)
>> * CPU indicates ARCH_CAPABILITIES MSR availability: NO
>> * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
>> * CPU explicitly indicates not being vulnerable to Meltdown
>> (RDCL_NO): NO
>> * CPU vulnerability to the three speculative execution attacks variants
>> * Vulnerable to Variant 1: YES
>> * Vulnerable to Variant 2: YES
>> * Vulnerable to Variant 3: YES
>>
>> CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
>> * Mitigated according to the /sys interface: NO (kernel confirms
>> your system is vulnerable)
>> > STATUS: VULNERABLE (Vulnerable)
>>
>> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
>> * Mitigated according to the /sys interface: YES (kernel confirms
>> that the mitigation is active)
>> * Mitigation 1
>> * Kernel is compiled with IBRS/IBPB support: NO
>> * Currently enabled features
>> * IBRS enabled for Kernel space: NO
>> * IBRS enabled for User space: NO
>> * IBPB enabled: NO
>> * Mitigation 2
>> * Kernel compiled with retpoline option: YES
>> * Kernel compiled with a retpoline-aware compiler: YES (kernel
>> reports full retpoline compilation)
>> * Retpoline enabled: YES
>> > STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)
>>
>> CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
>> * Mitigated according to the /sys interface: YES (kernel confirms
>> that the mitigation is active)
>> * Kernel supports Page Table Isolation (PTI): YES
>> * PTI enabled and active: YES
>> * Running as a Xen PV DomU: NO
>> > STATUS: NOT VULNERABLE (Mitigation: PTI)
>>
>> A false sense of security is worse than no security at all, see
>> --disclaimer
>> [g.cecchi at ope46 spectre_meltdown]$
>>
>> BTW: I updated some days ago this laptop from F26 to F27 and I
>> remember Variant 1 was fixed in F26, while now I see it as
>> vulnerable..... I'm going to check with Fedora mailing list about this...
>>
>> Another question: what should I see for a VM instead related to
>> meltdown/spectre?
>> Currently in "Guest CPU Type" in General subtab of the VM I only see
>> "Westmere"..
>> Should I also see anythin aout IBRS, etc...?
>>
>> Thanks,
>>
>> Gianluca
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at ovirt.org
>> http://lists.ovirt.org/mailman/listinfo/users
>
>
>
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ovirt.org/pipermail/users/attachments/20180126/9a58f3cf/attachment.html>
More information about the Users
mailing list