<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Updated info:<br>
    </p>
    <p><a class="moz-txt-link-freetext" href="https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-update-guidance.pdf">https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/microcode-update-guidance.pdf</a><br>
    </p>
    Looks like Intel is now committing to support Sandy/Ivy Bridge.<br>
    <br>
    No mention of Westmere or earlier as of yet :-(<br>
    <br>
    <br>
    <div class="moz-cite-prefix">On 1/26/2018 10:13 AM, WK wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:debd85e3-599e-15dd-e1f5-b1e73c6f4294@bneit.com">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <p>That CPU is X5690. That is Westmere class. We have a number
        of those doing 'meatball' application loads that don't need the
        latest greatest CPU.<br>
      </p>
      <p>I do not believe the microcode fix for Westmere is out yet,
        and it may never be.<br>
      </p>
      <p>Intel has, so far, promised fixes for Haswell or better (i.e.
        CPUs from the last 5 years), with a vague mention of other CPUs
        on a 'customer' need basis.<br>
      </p>
      <p>Westmere is circa 2010 and came out before Sandy/Ivy Bridge so
        we don't know when or if they will be fixed, but probably only
        after the Sandy/Ivy Bridges get theirs.<br>
      </p>
      -wk<br>
      <br>
      <div class="moz-cite-prefix">On 1/26/2018 1:50 AM, Gianluca Cecchi
        wrote:<br>
      </div>
      <blockquote type="cite"
cite="mid:CAG2kNCzASMzOjhoRKbLHvK4HTh1JAjZN29-EV-m1De1L9QAzOw@mail.gmail.com">
        <meta http-equiv="Content-Type" content="text/html;
          charset=UTF-8">
        <div dir="ltr">Hello,
          <div>nice to see integration of Spectre-Meltdown info in
            4.1.9, both for guests and hosts, as detailed in release
            notes:</div>
          <div><br>
          </div>
          <div>I have upgraded my CentOS 7.4 engine VM (outside of oVirt
            cluster) and one oVirt host to 4.1.9.</div>
          <div><br>
          </div>
          <div>Now in General -&gt; Software subtab of the host I see:</div>
          <div><br>
          </div>
          <div>
            <div>OS Version: RHEL - 7 - 4.1708.el7.centos</div>
            <div>OS Description: CentOS Linux 7 (Core)</div>
            <div>Kernel Version: 3.10.0 - 693.17.1.el7.x86_64</div>
            <div>Kernel Features: IBRS: 0, PTI: 1, IBPB: 0</div>
            <br>
          </div>
          <div>Am I supposed to manually set any particular value?</div>
          <div><br>
          </div>
          <div>If I run version 0.32 (updated yesterday)
            of spectre-meltdown-checker.sh, I get this on my Dell M610
            blade with </div>
          <div><br>
          </div>
          <div>
            <div>        Version: 6.4.0</div>
            <div>        Release Date: 07/18/2013</div>
          </div>
          <div><br>
          </div>
          <div>
            <div>[root@ov200 ~]#
              /home/g.cecchi/spectre-meltdown-checker.sh </div>
            <div>Spectre and Meltdown mitigation detection tool v0.32</div>
            <div><br>
            </div>
            <div>Checking for vulnerabilities on current system</div>
            <div>Kernel is Linux 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu
              Jan 25 20:13:58 UTC 2018 x86_64</div>
            <div>CPU is Intel(R) Xeon(R) CPU           X5690  @ 3.47GHz</div>
            <div><br>
            </div>
            <div>Hardware check</div>
            <div>* Hardware support (CPU microcode) for mitigation
              techniques</div>
            <div>  * Indirect Branch Restricted Speculation (IBRS)</div>
            <div>    * SPEC_CTRL MSR is available:  NO </div>
            <div>    * CPU indicates IBRS capability:  NO </div>
            <div>  * Indirect Branch Prediction Barrier (IBPB)</div>
            <div>    * PRED_CMD MSR is available:  NO </div>
            <div>    * CPU indicates IBPB capability:  NO </div>
            <div>  * Single Thread Indirect Branch Predictors (STIBP)</div>
            <div>    * SPEC_CTRL MSR is available:  NO </div>
            <div>    * CPU indicates STIBP capability:  NO </div>
            <div>  * Enhanced IBRS (IBRS_ALL)</div>
            <div>    * CPU indicates ARCH_CAPABILITIES MSR
              availability:  NO </div>
            <div>    * ARCH_CAPABILITIES MSR advertises IBRS_ALL
              capability:  NO </div>
            <div>  * CPU explicitly indicates not being vulnerable to
              Meltdown (RDCL_NO):  NO </div>
            <div>* CPU vulnerability to the three speculative execution
              attacks variants</div>
            <div>  * Vulnerable to Variant 1:  YES </div>
            <div>  * Vulnerable to Variant 2:  YES </div>
            <div>  * Vulnerable to Variant 3:  YES </div>
            <div><br>
            </div>
            <div>CVE-2017-5753 [bounds check bypass] aka 'Spectre
              Variant 1'</div>
            <div>* Checking count of LFENCE opcodes in kernel:  YES </div>
            <div>&gt; STATUS:  NOT VULNERABLE  (107 opcodes found, which
              is &gt;= 70, heuristic to be improved when official
              patches become available)</div>
            <div><br>
            </div>
            <div>CVE-2017-5715 [branch target injection] aka 'Spectre
              Variant 2'</div>
            <div>* Mitigation 1</div>
            <div>  * Kernel is compiled with IBRS/IBPB support:  YES </div>
            <div>  * Currently enabled features</div>
            <div>    * IBRS enabled for Kernel space:  NO  (echo 1 &gt;
              /sys/kernel/debug/x86/ibrs_enabled)</div>
            <div>    * IBRS enabled for User space:  NO  (echo 2 &gt;
              /sys/kernel/debug/x86/ibrs_enabled)</div>
            <div>    * IBPB enabled:  NO  (echo 1 &gt;
              /sys/kernel/debug/x86/ibpb_enabled)</div>
            <div>* Mitigation 2</div>
            <div>  * Kernel compiled with retpoline option:  NO </div>
            <div>  * Kernel compiled with a retpoline-aware compiler: 
              NO </div>
            <div>  * Retpoline enabled:  NO </div>
            <div>&gt; STATUS:  VULNERABLE  (IBRS hardware + kernel
              support OR kernel with retpoline are needed to mitigate
              the vulnerability)</div>
            <div><br>
            </div>
            <div>CVE-2017-5754 [rogue data cache load] aka 'Meltdown'
              aka 'Variant 3'</div>
            <div>* Kernel supports Page Table Isolation (PTI):  YES </div>
            <div>* PTI enabled and active:  YES </div>
            <div>* Running as a Xen PV DomU:  NO </div>
            <div>&gt; STATUS:  NOT VULNERABLE  (PTI mitigates the
              vulnerability)</div>
            <div><br>
            </div>
            <div>A false sense of security is worse than no security at
              all, see --disclaimer</div>
            <div>[root@ov200 ~]# </div>
          </div>
          <div><br>
          </div>
          <div>So it seems I'm still vulnerable only to Variant 2, but
            the kernel seems OK:</div>
          <div><br>
          </div>
          <div><span>  * Kernel is compiled with IBRS/IBPB support: 
              YES </span><br>
          </div>
          <div><span><br>
            </span></div>
          <div>while the BIOS is not, correct?</div>
          <div><br>
          </div>
          <div>Is RH EL / CentOS expected to follow the retpoline option
            too, to mitigate Variant 2, as done by Fedora for example?</div>
          <div><br>
          </div>
          <div>E.g. on my just-updated Fedora 27 laptop I now get:</div>
          <div><br>
          </div>
          <div>
            <div>[g.cecchi@ope46 spectre_meltdown]$ sudo
              ./spectre-meltdown-checker.sh</div>
            <div>[sudo] password for g.cecchi: </div>
            <div>Spectre and Meltdown mitigation detection tool v0.32</div>
            <div><br>
            </div>
            <div>Checking for vulnerabilities on current system</div>
            <div>Kernel is Linux 4.14.14-300.fc27.x86_64 #1 SMP Fri Jan
              19 13:19:54 UTC 2018 x86_64</div>
            <div>CPU is Intel(R) Core(TM) i7-2620M CPU @ 2.70GHz</div>
            <div><br>
            </div>
            <div>Hardware check</div>
            <div>* Hardware support (CPU microcode) for mitigation
              techniques</div>
            <div>  * Indirect Branch Restricted Speculation (IBRS)</div>
            <div>    * SPEC_CTRL MSR is available:  NO </div>
            <div>    * CPU indicates IBRS capability:  NO </div>
            <div>  * Indirect Branch Prediction Barrier (IBPB)</div>
            <div>    * PRED_CMD MSR is available:  NO </div>
            <div>    * CPU indicates IBPB capability:  NO </div>
            <div>  * Single Thread Indirect Branch Predictors (STIBP)</div>
            <div>    * SPEC_CTRL MSR is available:  NO </div>
            <div>    * CPU indicates STIBP capability:  NO </div>
            <div>  * Enhanced IBRS (IBRS_ALL)</div>
            <div>    * CPU indicates ARCH_CAPABILITIES MSR
              availability:  NO </div>
            <div>    * ARCH_CAPABILITIES MSR advertises IBRS_ALL
              capability:  NO </div>
            <div>  * CPU explicitly indicates not being vulnerable to
              Meltdown (RDCL_NO):  NO </div>
            <div>* CPU vulnerability to the three speculative execution
              attacks variants</div>
            <div>  * Vulnerable to Variant 1:  YES </div>
            <div>  * Vulnerable to Variant 2:  YES </div>
            <div>  * Vulnerable to Variant 3:  YES </div>
            <div><br>
            </div>
            <div>CVE-2017-5753 [bounds check bypass] aka 'Spectre
              Variant 1'</div>
            <div>* Mitigated according to the /sys interface:  NO 
              (kernel confirms your system is vulnerable)</div>
            <div>&gt; STATUS:  VULNERABLE  (Vulnerable)</div>
            <div><br>
            </div>
            <div>CVE-2017-5715 [branch target injection] aka 'Spectre
              Variant 2'</div>
            <div>* Mitigated according to the /sys interface:  YES 
              (kernel confirms that the mitigation is active)</div>
            <div>* Mitigation 1</div>
            <div>  * Kernel is compiled with IBRS/IBPB support:  NO </div>
            <div>  * Currently enabled features</div>
            <div>    * IBRS enabled for Kernel space:  NO </div>
            <div>    * IBRS enabled for User space:  NO </div>
            <div>    * IBPB enabled:  NO </div>
            <div>* Mitigation 2</div>
            <div>  * Kernel compiled with retpoline option:  YES </div>
            <div>  * Kernel compiled with a retpoline-aware compiler: 
              YES  (kernel reports full retpoline compilation)</div>
            <div>  * Retpoline enabled:  YES </div>
            <div>&gt; STATUS:  NOT VULNERABLE  (Mitigation: Full generic
              retpoline)</div>
            <div><br>
            </div>
            <div>CVE-2017-5754 [rogue data cache load] aka 'Meltdown'
              aka 'Variant 3'</div>
            <div>* Mitigated according to the /sys interface:  YES 
              (kernel confirms that the mitigation is active)</div>
            <div>* Kernel supports Page Table Isolation (PTI):  YES </div>
            <div>* PTI enabled and active:  YES </div>
            <div>* Running as a Xen PV DomU:  NO </div>
            <div>&gt; STATUS:  NOT VULNERABLE  (Mitigation: PTI)</div>
            <div><br>
            </div>
            <div>A false sense of security is worse than no security at
              all, see --disclaimer</div>
            <div>[g.cecchi@ope46 spectre_meltdown]$</div>
          </div>
          <div><br>
          </div>
          <div>BTW: I updated this laptop from F26 to F27 some days ago,
            and I remember Variant 1 was fixed in F26, while now I see
            it as vulnerable... I'm going to check with the Fedora mailing
            list about this.</div>
          <div><br>
          </div>
          <div>Another question: what should I see for a VM instead,
            related to Meltdown/Spectre?</div>
          <div>Currently in "Guest CPU Type" in the General subtab of the VM
            I only see "Westmere".</div>
          <div>Should I also see anything about IBRS, etc.?</div>
          <div><br>
          </div>
          <div>Thanks,</div>
          <div><br>
          </div>
          <div>Gianluca </div>
        </div>
        <br>
        <fieldset class="mimeAttachmentHeader"></fieldset>
        <br>
        <pre wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@ovirt.org" moz-do-not-send="true">Users@ovirt.org</a>
<a class="moz-txt-link-freetext" href="http://lists.ovirt.org/mailman/listinfo/users" moz-do-not-send="true">http://lists.ovirt.org/mailman/listinfo/users</a>
</pre>
      </blockquote>
      <br>
      <br>
    </blockquote>
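    <p>Added example (not code from this thread or from the
    spectre-meltdown-checker project): a small Python script that parses a
    checker report like the two quoted above into per-CVE status plus the
    individual YES/NO checks, applies the rule the checker itself prints for
    Variant 2 (IBRS microcode plus kernel support, or a retpoline kernel), and
    classifies the <code>/sys/devices/system/cpu/vulnerabilities/*</code>
    files that the 4.14 Fedora kernel exposes. The report excerpt, the sysfs
    values and all function names are constructed for this example; the live
    sysfs reader returns an empty dict on kernels without that directory, so
    the script also runs offline.</p>

```python
"""Added example: summarise Spectre/Meltdown state from the two sources quoted in
this thread, a spectre-meltdown-checker.sh v0.32 report and the 4.14+ kernel's
/sys/devices/system/cpu/vulnerabilities/* files. Samples below are constructed."""
import os
import re

# Constructed excerpt modelled on the report quoted for the X5690 host.
X5690_REPORT = """\
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel:  YES
> STATUS:  NOT VULNERABLE  (107 opcodes found, which is >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
  * Kernel is compiled with IBRS/IBPB support:  YES
    * IBRS enabled for Kernel space:  NO  (echo 1 > /sys/kernel/debug/x86/ibrs_enabled)
  * Kernel compiled with retpoline option:  NO
  * Retpoline enabled:  NO
> STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* PTI enabled and active:  YES
> STATUS:  NOT VULNERABLE  (PTI mitigates the vulnerability)
"""

# Constructed to match what the Fedora 27 / 4.14.14 report implies.
FEDORA_SYSFS = {"spectre_v1": "Vulnerable",
                "spectre_v2": "Mitigation: Full generic retpoline",
                "meltdown": "Mitigation: PTI"}

CVE_RE = re.compile(r"^(CVE-\d{4}-\d+)\s+\[(.*?)\]")
STATUS_RE = re.compile(r"^>\s*STATUS:\s+(NOT VULNERABLE|VULNERABLE)\s*(?:\((.*)\))?\s*$")
CHECK_RE = re.compile(r"^\s*\*\s+(.+?):\s+(YES|NO)\b")

def parse_checker_report(text):
    """Return {section: {"name", "status", "reason", "checks": {label: bool}}}.
    Lines before the first CVE header land in the "hardware" section."""
    def section(name):
        return {"name": name, "status": None, "reason": "", "checks": {}}
    result = {"hardware": section("Hardware check")}
    current = result["hardware"]
    for line in text.splitlines():
        m = CVE_RE.match(line)
        if m:
            current = result[m.group(1)] = section(m.group(2))
            continue
        m = STATUS_RE.match(line)
        if m:
            current["status"], current["reason"] = m.group(1), m.group(2) or ""
            continue
        m = CHECK_RE.match(line)
        if m:
            current["checks"][m.group(1).strip()] = m.group(2) == "YES"
    return result

def variant2_assessment(report):
    """Apply the rule the checker prints for CVE-2017-5715: covered when microcode
    exposes IBRS and the kernel supports it, or when a retpoline kernel runs."""
    hw = report["hardware"]["checks"]
    v2 = report["CVE-2017-5715"]["checks"]
    ibrs_hw = hw.get("CPU indicates IBRS capability", False)
    ibrs_kernel = v2.get("Kernel is compiled with IBRS/IBPB support", False)
    if v2.get("Retpoline enabled", False):
        return "mitigated: retpoline kernel"
    if ibrs_hw and ibrs_kernel:
        return "mitigated: IBRS microcode + kernel support"
    missing = [need for ok, need in ((ibrs_hw, "IBRS/IBPB microcode"),
                                     (ibrs_kernel, "kernel IBRS support")) if not ok]
    return "vulnerable: missing " + " and ".join(missing) + " (or a retpoline kernel)"

def classify_sysfs(values):
    """Map each vulnerabilities/* file content to (state, detail)."""
    out = {}
    for name, text in values.items():
        if text.startswith("Not affected"):
            out[name] = ("not_affected", text)
        elif text.startswith("Mitigation:"):
            out[name] = ("mitigated", text.split(":", 1)[1].strip())
        else:
            out[name] = ("vulnerable", text)
    return out

def read_live_sysfs(path="/sys/devices/system/cpu/vulnerabilities"):
    """Read the real files when present (4.14+ kernels); {} otherwise."""
    if not os.path.isdir(path):
        return {}
    return {f: open(os.path.join(path, f)).read().strip() for f in sorted(os.listdir(path))}

if __name__ == "__main__":
    report = parse_checker_report(X5690_REPORT)
    print("Variant 2:", variant2_assessment(report))
    print(classify_sysfs(read_live_sysfs() or FEDORA_SYSFS))
```

    <p>On the X5690 excerpt the script reports Variant 2 as vulnerable with
    only the microcode missing, which is exactly the situation the thread
    describes: the RHEL 7 kernel carries IBRS/IBPB support, but the
    <code>ibrs_enabled</code> and <code>ibpb_enabled</code> debugfs knobs have
    nothing to switch on until the CPU exposes the SPEC_CTRL and PRED_CMD MSRs.
    Run it on a 4.14 or newer kernel and the sysfs view comes from the live
    files instead of the constructed Fedora values.</p>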
    <br>
  </body>
</html>