Meltdown and Spectre Linux Kernel fixes


No, it can not. If you actually read the text carefully that you linked in your post (instead of parroting misinformation), then you would know it was only possible with an outdated Debian kernel. So in the case of currently supported Proxmox VE kernels, no side channel attack can read the host memory from inside the KVM guest.
 
No, it can not. If you actually read the text carefully that you linked in your post (instead of parroting misinformation), then you would know it was only possible with an outdated Debian kernel. So in the case of currently supported Proxmox VE kernels, no side channel attack can read the host memory from inside the KVM guest.
Sorry, but that just mean that this specific poc only work on this "outdated" 4.9 kernel. That doesn't mean that's impossible to do the same on lasts kernels. (But yes, it's very difficult to exploit, but not impossible)

[5] linux-image-4.9.0-3-amd64 at version 4.9.30-2+deb9u2 (available athttp://snapshot.debian.org/archive/...image-4.9.0-3-amd64_4.9.30-2+deb9u2_amd64.deb, sha256 5f950b26aa7746d75ecb8508cc7dab19b3381c9451ee044cd2edfd6f5efff1f8, signed via Release.gpg, Release, Packages.xz); that was the current distro kernel version when I set up the machine. It is very unlikely that the PoC works with other kernel versions without changes; it contains a number of hardcoded addresses/offsets.
 
  • Like
Reactions: EuroDomenii
latest kernels in pvetest for PVE 4 and PVE 5 contain full RETPOLINE support. feedback would be appreciated, as always.
Tested with latest Proxmox 5.2 and 4, NOT VULNERABLE.
Thank you!

Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 4.13.13-6-pve #1 SMP PVE 4.13.13-41 (Wed, 21 Feb 2018 10:07:54 +0100) x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
> STATUS: NOT VULNERABLE (Mitigation: OSB (observable speculation barrier, Intel v6))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
> STATUS: NOT VULNERABLE (Mitigation: PTI)
 
Last edited:
Tested with latest Proxmox 5.2 and 4, NOT VULNERABLE.
Thank you!

Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 4.13.13-6-pve #1 SMP PVE 4.13.13-41 (Wed, 21 Feb 2018 10:07:54 +0100) x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
> STATUS: NOT VULNERABLE (Mitigation: OSB (observable speculation barrier, Intel v6))

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
> STATUS: NOT VULNERABLE (Mitigation: PTI)
I also see it, but so, there is no need to update bios??
 
I also see it, but so, there is no need to update bios??

Here is the full output of the checking tool. If hardware is vulnerable, we don't need bios update ( maybe is not even available for certain servers), since we have software mitigation.

HARDWARE CHECK
Code:
Spectre and Meltdown mitigation detection tool v0.35
Checking for vulnerabilities on current system
Kernel is Linux 4.4.98-6-pve #1 SMP PVE 4.4.98-107 (Fri, 16 Feb 2018 10:11:56 +0100) x86_64
CPU is Intel(R) Xeon(R) CPU E3-1275 v5 @ 3.60GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates IBRS capability:  NO
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO
    * CPU indicates IBPB capability:  NO
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO
    * CPU indicates STIBP capability:  NO
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
  * CPU microcode is known to cause stability problems:  NO  (model 94 stepping 3 ucode 0xba)
* CPU vulnerability to the three speculative execution attacks variants
  * Vulnerable to Variant 1:  YES
  * Vulnerable to Variant 2:  YES
  * Vulnerable to Variant 3:  YES

SOFTWARE CHECK
Code:
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec:  NO
* Kernel has the Red Hat/Ubuntu patch:  YES
> STATUS:  NOT VULNERABLE  (Mitigation: OSB (observable speculation barrier, Intel v6))
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Mitigation 1
  * Kernel is compiled with IBRS/IBPB support:  YES
  * Currently enabled features
    * IBRS enabled for Kernel space:  NO
    * IBRS enabled for User space:  NO
    * IBPB enabled:  NO
* Mitigation 2
  * Kernel compiled with retpoline option:  YES
  * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI):  YES
* PTI enabled and active:  YES
* Running as a Xen PV DomU:  NO
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)
A false sense of security is worse than no security at all, see --disclaimer
 
News about bugs

Code:
# ./spectre-meltdown-checker.sh 
Spectre and Meltdown mitigation detection tool v0.37+

Checking for vulnerabilities on current system
Kernel is Linux 4.15.17-1-pve #1 SMP PVE 4.15.17-9 (Wed, 9 May 2018 13:31:43 +0200) x86_64
CPU is Intel(R) Xeon(R) CPU E5-2603 v3 @ 1.60GHz

Hardware check
* Hardware support (CPU microcode) for mitigation techniques
  * Indirect Branch Restricted Speculation (IBRS)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates IBRS capability:  NO 
  * Indirect Branch Prediction Barrier (IBPB)
    * PRED_CMD MSR is available:  NO 
    * CPU indicates IBPB capability:  NO 
  * Single Thread Indirect Branch Predictors (STIBP)
    * SPEC_CTRL MSR is available:  NO 
    * CPU indicates STIBP capability:  NO 
  * Speculative Store Bypass Disable (SSBD)
    * CPU indicates SSBD capability:  NO 
  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
  * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
  * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
  * CPU microcode is known to cause stability problems:  NO  (model 63 stepping 2 ucode 0x3a cpuid 0x306f2)
* CPU vulnerability to the speculative execution attack variants
  * Vulnerable to Variant 1:  YES 
  * Vulnerable to Variant 2:  YES 
  * Vulnerable to Variant 3:  YES 
  * Vulnerable to Variant 3a:  YES 
  * Vulnerable to Variant 4:  YES 

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec (x86):  YES  (1 occurrence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch:  NO 
* Kernel has mask_nospec64 (arm):  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES 
    * IBRS enabled and active:  NO 
  * Kernel is compiled with IBPB support:  YES 
    * IBPB enabled and active:  NO 
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO 
  * Kernel compiled with retpoline option:  YES 
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
> STATUS:  NOT VULNERABLE  (Full retpoline is mitigating the vulnerability)
IBPB is considered as a good addition to retpoline for Variant 2 mitigation, but your CPU microcode doesn't support it

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES 
  * PTI enabled and active:  YES 
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU:  NO 
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
  * CPU microcode mitigates the vulnerability:  UNKNOWN  (an up to date microcode is sufficient to mitigate this vulnerability, detection will be implemented soon)
> STATUS:  VULNERABLE  (a new microcode will mitigate this vulnerability)

CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
  * Kernel supports speculation store bypass:  NO 
> STATUS:  VULNERABLE  (Neither your CPU nor your kernel support SSBD)

> How to fix: You need to update your CPU microcode and use a more recent kernel to provide the necessary mitigation tools to the software running on your machine

A false sense of security is worse than no security at all, see --disclaimer

Code:
# pveversion -v
proxmox-ve: 5.2-2 (running kernel: 4.15.17-1-pve)
pve-manager: 5.2-1 (running version: 5.2-1/0fcd7879)
pve-kernel-4.15: 5.2-1
pve-kernel-4.15.17-1-pve: 4.15.17-9
corosync: 2.4.2-pve5
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.0-8
libpve-apiclient-perl: 2.0-4
libpve-common-perl: 5.0-31
libpve-guest-common-perl: 2.0-16
libpve-http-server-perl: 2.0-8
libpve-storage-perl: 5.0-23
libqb0: 1.0.1-1
lvm2: 2.02.168-pve6
lxc-pve: 3.0.0-3
lxcfs: 3.0.0-1
novnc-pve: 0.6-4
openvswitch-switch: 2.7.0-2
proxmox-widget-toolkit: 1.0-18
pve-cluster: 5.0-27
pve-container: 2.0-23
pve-docs: 5.2-4
pve-firewall: 3.0-8
pve-firmware: 2.0-4
pve-ha-manager: 2.0-5
pve-i18n: 1.0-5
pve-libspice-server1: 0.12.8-3
pve-qemu-kvm: 2.11.1-5
pve-xtermjs: 1.0-5
pve-zsync: 1.6-15
qemu-server: 5.0-26
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.8-pve1~bpo9


And I have another problem with Windows. How to turn on Spectre protection inside Windows VM?
 
One question: should i use "intel-microcode" coming from Debian or proxmox provide it's own?
If you Hardware Vendor does not provide Bios with current microcode you should install the microcode.
But anyway the microcode from the deb package will only apply if the version in the package is newer than the bios one.
 
I installed latest BIOS and intel-microcode package. Can i still use "noibrs noibpb" kernel parameters to disable these functions? Or do i have to downgrade BIOS again?
 
Manufacturer (supermicro) says Debian is not a validated OS for compatibility, so they won't release a BIOS update. I have

xMGLndC.png


5.0.21-4-pve #1 SMP PVE 5.0.21-8 x86_64.

And there are more vulns coming. Any advice?
 
Manufacturer (supermicro) says Debian is not a validated OS for compatibility, so they won't release a BIOS update.

BIOS updates are not installed in the OS, so this is non-sense. Just follow their BIOS update howtos on their website.

As we are Debian based and if mainboard does not get BIOS updates in time, you can/should install intel-microcode updates from Debian non-free repository.
 
  • Like
Reactions: Proxygen
BIOS updates are not installed in the OS, so this is non-sense. Just follow their BIOS update howtos on their website.

As we are Debian based and if mainboard does not get BIOS updates in time, you can/should install intel-microcode updates from Debian non-free repository.

Yep, BS. Supermicro. The HW is decent, but the support... they try, but it is a joke. And I am already using the latest BIOS for my board.

So I added to the following to /etc/apt/sources.list
deb http://ftp.de.debian.org/debian buster main contrib
deb http://security.debian.org/debian-security buster/updates main non-free

And now I can install the recommended intel-microcode from non-free (contrib is required to install iucode-tool).

To restrict non-free to intel-microcode:

Code:
# /etc/apt/preferences.d/non-free_policy
Explanation: Disable packages from non-free tree by default
Package: *
Pin: release o=Debian,a=stable,l=Debian-Security,c=non-free
Pin-Priority: -1

# /etc/apt/preferences.d/intel-microcode_non-free
Explanation: Enable package intel-microcode from non-free tree
Package: intel-microcode
Pin: release o=Debian,a=stable,l=Debian-Security,c=non-free
Pin-Priority: 600

To restrict contrib to only iucode-tool

Code:
# /etc/apt/preferences.d/contrib_policy
Explanation: Disable packages from contrib tree by default
Package: *
Pin: release o=Debian,a=stable,l=Debian,c=contrib
Pin-Priority: -1

# /etc/apt/preferences.d/iucode-tool_contrib
Explanation: Enable package iucode-tool from contrib tree
Package: iucode-tool
Pin: release o=Debian,a=stable,l=Debian,c=contrib
Pin-Priority: 600

apt policy looks like this

fcs7UQ7.png


Code:
# apt policy intel-microcode
intel-microcode:
  Installed: 3.20191112.1~deb10u1
  Candidate: 3.20191112.1~deb10u1
  Version table:
*** 3.20191112.1~deb10u1 600
         -1 http://security.debian.org/debian-security buster/updates/non-free amd64 Packages
        100 /var/lib/dpkg/status

# apt policy iucode-tool
iucode-tool:
  Installed: 2.3.1-1
  Candidate: 2.3.1-1
  Version table:
*** 2.3.1-1 600
         -1 http://mirrors.xtom.com/debian buster/contrib amd64 Packages
        100 /var/lib/dpkg/status

Have I pinned contrib and nonfree correctly? I only want these two packages from these two sources.
 
Last edited:

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!