Meltdown and Spectre for Newbie

Sebastian2000

Member
Oct 31, 2017
80
1
8
43
Hi all

I am a few confused with the new vulnerabilities and want to create a POST to obtain some help from more
experimented profesional and hope that this post can also help to more proxmox novice user as it's my case.

I understand that there is 2 vulnerabilities, Meltdown and spectre, with 2 variants for one of them (spectre). The most easy to exploit is meltdown, and seem also the most easy to mitige, by updating kernel in guest (centos in our case) and host (proxmox server), this also solve one of the 2 variants of spectre (CVE-2017-5753), but not the other one (CVE-2017-5715).

For the last one, (CVE-2017-5715), it's needed to update bios server or dirctly update micocode intel?
I have seen the microcode of E5-2650 in our case, the readme say :


To update the microcode.dat to the system, one need:
1. Ensure the existence of /dev/cpu/microcode
2. Write microcode.dat to the file, e.g.
dd if=microcode.dat of=/dev/cpu/microcode bs=1M

intel-ucode dirctory contains binary microcode files named in
family-model-stepping pattern. The file is supported in most modern Linux
distributions. It's generally located in the /lib/firmware directory,
and can be updated throught the microcode reload interface.

To update the intel-ucode package to the system, one need:
1. Ensure the existence of /sys/devices/system/cpu/microcode/reload
2. Copy intel-ucode directory to /lib/firmware, overwrite the files in
/lib/firmware/intel-ucode/
3. Write the reload interface to 1 to reload the microcode files, e.g.
echo 1 > /sys/devices/system/cpu/microcode/reload

We had to do this only on proxmox HOST or also in each VM? suppose that needs to reboot all then apply this? Is this what will impact performance (read about 5 to 30%)? We had to change something in the cpu definition of each GUEST?

Thanks for your help, I will try to update this post with answer
 
It is a lot easier to simply do: sudo apt install intel-microcode, on every proxmox node since microcode patches must be applied on every reboot and not all patches can be applied to a booted system, eg. a boot is required. See https://wiki.debian.org/Microcode

So, this update only have to be done on HOST, no on each GUEST? With this update, the kernel update on HOST and GUEST, protection is complete against the 3 variants?
 
For now, with last kernel (#1 SMP PVE 4.13.13-35 (Mon, 8 Jan 2018 10:26:58 +0100)) and intel-microcode installed from debian repo :


/tmp# sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 4.13.13-4-pve #1 SMP PVE 4.13.13-35 (Mon, 8 Jan 2018 10:26:58 +0100) x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
 
intel-microcode is already the newest version (3.20170707.1~deb9u1).

Will try to review your link and return with result, thanks for your help
 
Same result with new microcode :

intel-microcode is already the newest version (3.20180108.1).


# sh spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 4.13.13-4-pve #1 SMP PVE 4.13.13-35 (Mon, 8 Jan 2018 10:26:58 +0100) x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 29 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)

A false sense of security is worse than no security at all, see --disclaimer
 
Opteron:;-)
Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 4.4.98-3-pve #1 SMP PVE 4.4.98-102 (Sun, 7 Jan 2018 13:15:19 +0100) x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 35 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer
 
Opteron:;-)
Spectre and Meltdown mitigation detection tool v0.27

Checking for vulnerabilities against live running kernel Linux 4.4.98-3-pve #1 SMP PVE 4.4.98-102 (Sun, 7 Jan 2018 13:15:19 +0100) x86_64

CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 35 opcodes found, should be >= 70, heuristic to be improved when official patches become available)

CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)

CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)

A false sense of security is worse than no security at all, see --disclaimer

Difference intel/amd grrrr...
 
So, today, the status is this one ?

intel CPU :
- GUEST can have 2 of 3 variant solved
- HOST only one...

AMD CPU
- GUEST and HOST can have 2 of 3 variant solved
 
So ... I have all Updates of Proxmox VE system and so on on our Server. All except of the microcode updates.
So I guess our Server is still at risk because of the microcode update ? I really do not want to do this because a lot of things can go wrong there. Will Proxmox VE itself release an update of the microcode updates when a stable version gets out ? - Sorry for the question I am not to good at Linux/debian etc. Just basics. Thats why we are using your system ;)
 
So ... I have all Updates of Proxmox VE system and so on on our Server. All except of the microcode updates.
So I guess our Server is still at risk because of the microcode update ? I really do not want to do this because a lot of things can go wrong there. Will Proxmox VE itself release an update of the microcode updates when a stable version gets out ? - Sorry for the question I am not to good at Linux/debian etc. Just basics. Thats why we are using your system ;)

without the microcode updates, you are still vulnerable to some of the Spectre variants / attack vectors. some CPU models can be fixed without a microcode update, but the required kernel and compiler changes have not yet landed in Debian/Ubuntu/PVE. some CPU models require microcode updates.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!