fuckwit/kaiser/kpti

Discussion in 'Proxmox VE: Installation and configuration' started by Idar Lund, Jan 3, 2018.

  1. Idar Lund

    Idar Lund New Member

    Joined:
    Jan 26, 2016
    Messages:
    18
    Likes Received:
    1
    With the surfacing of the Intel CPU security vulnerability, and the recent patches done to the Linux kernel.
    Sources:
    https://en.wikipedia.org/wiki/Kernel_page-table_isolation
    http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-of-the-linux-page-table/amp
    https://www.theregister.co.uk/2018/01/02/intel_cpu_design_flaw/
    According to these, the fix for Linux is implemented in 4.15 (rc6) and 4.14.11+. Proxmox is running on 4.13. Will you backport this patch to 4.13 or will you upgrade the kernel to 4.14.11+? And when will you do so?
    According to these sources:
    https://twitter.com/never_released/status/947935213010718720
    https://twitter.com/jschauma/status/941447173245370368
    ...both Microsoft and Amazon are urging reboots of virtual hosts in the near future.
    I don't want to stress you guys... but we really need this patch upstream as fast as possible!
     
    #1 Idar Lund, Jan 3, 2018
    Last edited: Jan 3, 2018
  2. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,270
    Likes Received:
    505
    we are aware of the issue and tracking developments. we will follow Ubuntu's 4.13 backports and release updated kernel packages once those are available.
     
  3. Sakis

    Sakis Member
    Proxmox Subscriber

    Joined:
    Aug 14, 2013
    Messages:
    119
    Likes Received:
    3
    Is this bug exploitable through a KVM guest using CPU host option?

    Will there be a patch for PVE 3.X versions?
     
  4. Idar Lund

    Idar Lund New Member

    Joined:
    Jan 26, 2016
    Messages:
    18
    Likes Received:
    1
    more info should surface tomorrow at 12:00 UTC regarding that. https://xenbits.xen.org/xsa/ (XSA-254)
     
    #4 Idar Lund, Jan 3, 2018
    Last edited: Jan 4, 2018
  5. Sakis

    Sakis Member
    Proxmox Subscriber

    Joined:
    Aug 14, 2013
    Messages:
    119
    Likes Received:
    3
    Yeah, still waiting for the CVE. But we have to prepare sooner.

    Thanks!
     
  6. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,270
    Likes Received:
    505
    not many details are known yet. we will provide patched kernels for 4.4 and 5.1 as soon as final patches are available. 3.4 is EOL, there haven't been any updates for quite a while, and there won't be any updates now either.
     
    chrone likes this.
  7. alain

    alain Member

    Joined:
    May 17, 2009
    Messages:
    208
    Likes Received:
    0
    Hi all,

    The application of this kernel security patch could result in a noticeable performance impact, notably on servers. See for example this first benchmark from Phoronix:

    https://www.phoronix.com/scan.php?page=article&item=linux-415-x86pti&num=1

    So I wonder if this patch should be applied mandatorily. For example, on a private virtualization cluster like mine, it is perhaps not required to apply the patch (perhaps with the Linux option nokpti), as security issues would not be very serious in this case, but would I see performance degradation of my cluster?

    Notice that a security patch on Xen, presently under embargo, should be published tomorrow, and it could be related to this flaw (in Intel architecture).
    https://xenbits.xen.org/xsa/

    But Xen applies the patch to the kernel, not KVM.
     
  8. Idar Lund

    Idar Lund New Member

    Joined:
    Jan 26, 2016
    Messages:
    18
    Likes Received:
    1
    It's a kernel patch. It can be disabled with kernel parameter "pti=off" in grub config file.
     
  9. LnxBil

    LnxBil Well-Known Member

    Joined:
    Feb 21, 2015
    Messages:
    3,789
    Likes Received:
    344
    I cannot imagine anything that runs without some kind of internet interaction nowadays. As long as simply browsing a webpage can exploit this bug, it should be fixed by not deliberately disabling a fix.

    Maybe it's time to buy more AMD servers for data centers :-D
     
    Idar Lund likes this.
  10. Idar Lund

    Idar Lund New Member

    Joined:
    Jan 26, 2016
    Messages:
    18
    Likes Received:
    1
  11. speedbird

    speedbird Member
    Proxmox Subscriber

    Joined:
    Nov 3, 2017
    Messages:
    45
    Likes Received:
    4
    Any news on when there's going to be an official update released? With all the info surfacing now, it seems to be a massive risk for all of us running VM environments.
     
  12. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,270
    Likes Received:
    505
    there are no final public patches for Meltdown for either kernel 4.4 or 4.13 yet. once there are, we will review and include them ASAP.

    Meltdown, which looks to be far more easily exploitable than Spectre, should not be usable from within KVM-enabled VMs to read host kernel memory, but containers are affected. compare the Xen advisory stating that only PV guests are affected by Meltdown (which they call "SP3").

    concrete details regarding Spectre are still a bit rare, but AFAICT there are no public general PoCs yet allowing escaping from KVM, and Google Project Zero only talks about "When running with root privileges inside a KVM guest created using virt-manager on the Intel Haswell Xeon CPU, with a specific (now outdated) version of Debian's distro kernel running on the host, can read host kernel memory". there will likely be a Qemu update that mitigates some of the Spectre attack vectors in combination with microcode updates, but again - there are no public details yet regarding this (yet).
     
  13. Idar Lund

    Idar Lund New Member

    Joined:
    Jan 26, 2016
    Messages:
    18
    Likes Received:
    1
  14. Chicken76

    Chicken76 Member

    Joined:
    Jun 26, 2017
    Messages:
    34
    Likes Received:
    1
    @Idar Lund
    The choice of thread title is rather questionable. Couldn't you find something more descriptive?
     
  15. Idar Lund

    Idar Lund New Member

    Joined:
    Jan 26, 2016
    Messages:
    18
    Likes Received:
    1
    it was what they called it before it got the fancy names meltdown and spectre; https://lkml.org/lkml/2017/12/4/709
     
  16. carles89

    carles89 Member
    Proxmox Subscriber

    Joined:
    May 27, 2015
    Messages:
    49
    Likes Received:
    2
    According to this, I assume we should make sure to have all VM CPUs set to kvm64 instead of host, shouldn't we?

    Thank you
     
  17. Symbol

    Symbol Member
    Proxmox Subscriber

    Joined:
    Mar 1, 2017
    Messages:
    42
    Likes Received:
    4
    I don't think so, as you probably want to have pcid CPU flag exposed to your guests in order to mitigate the performance loss coming from the Kernel/User page tables isolation feature once your guest kernels are updated.
     
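As an added check (not code from any poster in this thread or from the Proxmox project), here is a small POSIX shell script that reports, on a host or inside a guest, whether KPTI is active, whether it has been switched off with the pti=off or nopti kernel parameter mentioned in post #8, and whether the pcid flag discussed in post #17 is visible to the kernel. It assumes a kernel that lists a "pti" flag in /proc/cpuinfo while page-table isolation is enabled and, on kernels that have it, the sysfs file /sys/devices/system/cpu/vulnerabilities/meltdown; the file paths are parameters so the same functions can be run against saved copies from another machine.

```shell
#!/bin/sh
# Added example, not code from this thread or from Proxmox: report the KPTI
# state of a Linux host or guest. Assumes the kernel exposes a "pti" CPU flag
# in /proc/cpuinfo when page-table isolation is active and, where present,
# the sysfs Meltdown status file. All paths are parameters so the checks can
# be run on saved copies of those files too.

# Succeeds (exit 0) if pti=off or nopti was passed on the kernel command line ($1).
pti_disabled_on_cmdline() {
    grep -qwE 'pti=off|nopti' "$1" 2>/dev/null
}

# Succeeds if the named CPU flag ($1) is listed in the "flags" line of cpuinfo file $2.
cpu_flag_present() {
    awk '/^flags/ { print; exit }' "$2" 2>/dev/null | tr ' ' '\n' | grep -qx "$1"
}

# Prints one line: kpti=<active|disabled-by-cmdline|absent> pcid=<yes|no> meltdown=<sysfs text>
# $1 = kernel command line file, $2 = cpuinfo file, $3 = sysfs meltdown status file
kpti_summary() {
    if pti_disabled_on_cmdline "$1"; then
        kpti=disabled-by-cmdline
    elif cpu_flag_present pti "$2"; then
        kpti=active
    else
        kpti=absent            # kernel without KPTI support, or CPU not affected
    fi
    # Without pcid every KPTI switch flushes the TLB, which is where most of the
    # benchmarked slowdown comes from; a guest only sees pcid if the CPU model passes it through.
    if cpu_flag_present pcid "$2"; then pcid=yes; else pcid=no; fi
    if [ -r "$3" ]; then
        meltdown=$(cat "$3")
    else
        meltdown="unknown (no sysfs vulnerability file)"
    fi
    printf 'kpti=%s pcid=%s meltdown=%s\n' "$kpti" "$pcid" "$meltdown"
}

# Report on the live system when the script is executed directly.
kpti_summary /proc/cmdline /proc/cpuinfo /sys/devices/system/cpu/vulnerabilities/meltdown
```

Run it once on the host after the kernel update and once inside a guest: a guest whose CPU type hides pcid will show pcid=no even when the host has it, which is the trade-off between kvm64 and host being discussed here.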
  18. carles89

    carles89 Member
    Proxmox Subscriber

    Joined:
    May 27, 2015
    Messages:
    49
    Likes Received:
    2
    But until the patch is released and hosts are upgraded, can anyone confirm if setting the CPU to "kvm64" instead of "host" is a temporary way to secure KVM VMs?

    Thank you!
     
  19. Symbol

    Symbol Member
    Proxmox Subscriber

    Joined:
    Mar 1, 2017
    Messages:
    42
    Likes Received:
    4
    Well, I don't see what it would secure...
     
  20. aderumier

    aderumier Member

    Joined:
    May 14, 2013
    Messages:
    203
    Likes Received:
    18
    cpumodel=kvm64 protects you against Spectre in your VM, but not Meltdown (you need to patch your guest kernel).

    The host kernel needs to be updated to prevent a VM from accessing the memory of another VM.
     
    carles89 likes this.