Meltdown and Spectre, special concerns for the virtualization industry

mir

Famous Member
Apr 14, 2012
3,568
127
133
Copenhagen, Denmark
Hi all,

The following is a mixture of facts and speculations but never the less in my opinion means a paradigm shift for the virtualization industry!

First the facts:
1) Virtualization as a driving factor first began in this decade
2) According to Intel any CPU before 2011 (Westmere) is not affected by Meltdown and Spectre
3) The virtualization industry almost exclusively uses the Intel platform
4) The fix for Meltdown hurts performance of Intel CPU's by an order of magnitude more than other platforms - AMD, ARM, Sparc
5) The fix for a large part of this performance hit is to activate a new CPU feature only implemented in Intel CPU's - who dares activate this since it is some other "clever" manipulation of host memory?
6) Meltdown is particularly a problem for the virtualization industry since Meltdown completely destroys the perceived security gained by isolation of virtual guest on a host - remember you can gain access to any other virtual guest's memory running on the same host.

My own findings on my Opteron based servers:
1) Whether the fix for Meltdown is activated or not (pki on or off) have no, or only marginally performance implications
2) The new CPU feature to activate to circumvent performance degration is not available on Opteron CPU's
3) It seems to be the same picture for Ryzen

To sum it all up: In my opinion any professionel and security concerned virtualization business which have their customers need in mind should start there move away from Intel to Ryzen better today than tomorrow.

What is your opinion?
 
Unfortunately, some vendors have discontinued their AMD servers at all, e.g. Fujitsu. Very sad to see.

When Naples was presented I asked a Fujitsu guy (actually working there, no reseller) when they're going to come and he said that they do not have any plans to do so. Maybe they reconcile.
 
Hi all,

The following is a mixture of facts and speculations but never the less in my opinion means a paradigm shift for the virtualization industry!

First the facts:
1) Virtualization as a driving factor first began in this decade
2) According to Intel any CPU before 2011 (Westmere) is not affected by Meltdown and Spectre
3) The virtualization industry almost exclusively uses the Intel platform
4) The fix for Meltdown hurts performance of Intel CPU's by an order of magnitude more than other platforms - AMD, ARM, Sparc
5) The fix for a large part of this performance hit is to activate a new CPU feature only implemented in Intel CPU's - who dares activate this since it is some other "clever" manipulation of host memory?
6) Meltdown is particularly a problem for the virtualization industry since Meltdown completely destroys the perceived security gained by isolation of virtual guest on a host - remember you can gain access to any other virtual guest's memory running on the same host.

My own findings on my Opteron based servers:
1) Whether the fix for Meltdown is activated or not (pki on or off) have no, or only marginally performance implications
2) The new CPU feature to activate to circumvent performance degration is not available on Opteron CPU's
3) It seems to be the same picture for Ryzen

To sum it all up: In my opinion any professionel and security concerned virtualization business which have their customers need in mind should start there move away from Intel to Ryzen better today than tomorrow.

What is your opinion?

It's very dificult to change all servers of one buissness in some case, in our case, we are working with DELL C6220 (cpu E5-2650) and change all server (very hight price) and move all (a lot of time), it's not so facil :-( but I understand perfectly your opinion, for now I am trying to find the better solution for us...
 
I'll leave the speculation to other people, but just some corrections / additional information.

2) According to Intel any CPU before 2011 (Westmere) is not affected by Meltdown and Spectre

source? (neither is true)

4) The fix for Meltdown hurts performance of Intel CPU's by an order of magnitude more than other platforms - AMD, ARM, Sparc

Meltdown only affects Intel and some ARM CPUs as far as we know.

The fix for Meltdown in Linux is currently only implemented for x64, and only active for non-AMD CPUs.

5) The fix for a large part of this performance hit is to activate a new CPU feature only implemented in Intel CPU's - who dares activate this since it is some other "clever" manipulation of host memory?

PCID is not a clever manipulation, whatever that is supposed to mean - it's just a way to tag entries in the TLB. the Linux kernel can use it to speedup the security fix because without it, you need to do expensive full TLB flushs on each context switch, which is what really costs a lot of performance. note that this is also where your Westmere confusion probably stems from - PCID was introduced with Westmere.

6) Meltdown is particularly a problem for the virtualization industry since Meltdown completely destroys the perceived security gained by isolation of virtual guest on a host - remember you can gain access to any other virtual guest's memory running on the same host.

Meltdown is not exploitable from within a KVM accelerated guest to read hypervisor memory or that of another guest. while exploits are/were not very hard to implement once the issue was known, the fix is/was comparably straight-forward (albeit it comes with a performance penalty, especially on older HW).

Spectre is the far bigger issue in the long term since it allows a whole range of attacks, inside a guest, between guests, "inside" a program (e.g. from a sandbox), from guest to host. fortunately all of them are not that easy to pull off, and need to be tailored to the code you want to attack.

the only way to fix it completely would have such a high performance cost that no-one will do it, so it basically boils down to "make it as hard to exploit as possible while not hurting performance too much while we wait for new hardware which is hopefully not vulnerable anymore". this is about as bad as it gets when talking about a security issue. Spectre also affects basically all current CPUs which you might possibly find in a system used for virtualization, including ones made by Intel, AMD, ARM and Power.

My own findings on my Opteron based servers:
1) Whether the fix for Meltdown is activated or not (pki on or off) have no, or only marginally performance implications

if you typed "pki" that would not surprise me ;) the parameter is called "pti". but even then, the actual performance penalty is very dependent on the workload - it's mainly syscalls which get slowed down.

2) The new CPU feature to activate to circumvent performance degration is not available on Opteron CPU's
3) It seems to be the same picture for Ryzen

see 4 and 5 above. but since you don't have PTI enabled on AMD systems in practice, this does not matter.
 
@fabian
You resume perfectly the actual situation when saying "that no-one will do it"
So basically we had to update kernel host and guest and nothing more? I also don't want assume an 30%, 20 or 15% of loose performance impact....
 
@fabian
You resume perfectly the actual situation when saying "that no-one will do it"
So basically we had to update kernel host and guest and nothing more? I also don't want assume an 30%, 20 or 15% of loose performance impact....

the Spectre fixes are still not finalized upstream (a first round of them will likely be over the weekend, we'll see). there will likely be several updates over the next few weeks until the situation has stabilized.
 
Apparently Intel has no intention to change there CPU architecture to create a CPU without the Spectre vulnerability so they still intend to produce and ship CPU's which are broken by design: https://lkml.org/lkml/2018/1/21/192
Let us hope every review of Intel CPU's in the future are made with the Spectre patches activated!
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!