Hi fabian, with spectre v2, a guest vm can read host memory.
https://googleprojectzero.blogspot.be/2018/01/reading-privileged-memory-with-side.html
yes, but what I wrote specifically referred to Meltdown (which is variant 3, not 2).
Hi fabian, with spectre v2, a guest vm can read host memory.
https://googleprojectzero.blogspot.be/2018/01/reading-privileged-memory-with-side.html
Hi fabian, with spectre v2, a guest vm can read host memory.
https://googleprojectzero.blogspot.be/2018/01/reading-privileged-memory-with-side.html
Sorry, but that just mean that this specific poc only work on this "outdated" 4.9 kernel. That doesn't mean that's impossible to do the same on lasts kernels. (But yes, it's very difficult to exploit, but not impossible)No, it can not. If you actually read the text carefully that you linked in your post (instead of parroting misinformation), then you would know it was only possible with an outdated Debian kernel. So in the case of currently supported Proxmox VE kernels, no side channel attack can read the host memory from inside the KVM guest.
[5] linux-image-4.9.0-3-amd64 at version 4.9.30-2+deb9u2 (available athttp://snapshot.debian.org/archive/...image-4.9.0-3-amd64_4.9.30-2+deb9u2_amd64.deb, sha256 5f950b26aa7746d75ecb8508cc7dab19b3381c9451ee044cd2edfd6f5efff1f8, signed via Release.gpg, Release, Packages.xz); that was the current distro kernel version when I set up the machine. It is very unlikely that the PoC works with other kernel versions without changes; it contains a number of hardcoded addresses/offsets.
Tested on PVE 4 & 5, so far so good!latest kernels in pvetest for PVE 4 and PVE 5 contain full RETPOLINE support. feedback would be appreciated, as always.
Tested with latest Proxmox 5.2 and 4, NOT VULNERABLE.latest kernels in pvetest for PVE 4 and PVE 5 contain full RETPOLINE support. feedback would be appreciated, as always.
I also see it, but so, there is no need to update bios??Tested with latest Proxmox 5.2 and 4, NOT VULNERABLE.
Thank you!
Spectre and Meltdown mitigation detection tool v0.27
Checking for vulnerabilities against live running kernel Linux 4.13.13-6-pve #1 SMP PVE 4.13.13-41 (Wed, 21 Feb 2018 10:07:54 +0100) x86_64
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
> STATUS: NOT VULNERABLE (Mitigation: OSB (observable speculation barrier, Intel v6))
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
> STATUS: NOT VULNERABLE (Mitigation: PTI)
I also see it, but so, there is no need to update bios??
Spectre and Meltdown mitigation detection tool v0.35
Checking for vulnerabilities on current system
Kernel is Linux 4.4.98-6-pve #1 SMP PVE 4.4.98-107 (Fri, 16 Feb 2018 10:11:56 +0100) x86_64
CPU is Intel(R) Xeon(R) CPU E3-1275 v5 @ 3.60GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: NO
* CPU indicates IBRS capability: NO
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: NO
* CPU indicates IBPB capability: NO
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: NO
* CPU indicates STIBP capability: NO
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU microcode is known to cause stability problems: NO (model 94 stepping 3 ucode 0xba)
* CPU vulnerability to the three speculative execution attacks variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel has array_index_mask_nospec: NO
* Kernel has the Red Hat/Ubuntu patch: YES
> STATUS: NOT VULNERABLE (Mitigation: OSB (observable speculation barrier, Intel v6))
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Mitigation 1
* Kernel is compiled with IBRS/IBPB support: YES
* Currently enabled features
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* IBPB enabled: NO
* Mitigation 2
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
> STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (kernel confirms that the mitigation is active)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)
A false sense of security is worse than no security at all, see --disclaimer
# ./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.37+
Checking for vulnerabilities on current system
Kernel is Linux 4.15.17-1-pve #1 SMP PVE 4.15.17-9 (Wed, 9 May 2018 13:31:43 +0200) x86_64
CPU is Intel(R) Xeon(R) CPU E5-2603 v3 @ 1.60GHz
Hardware check
* Hardware support (CPU microcode) for mitigation techniques
* Indirect Branch Restricted Speculation (IBRS)
* SPEC_CTRL MSR is available: NO
* CPU indicates IBRS capability: NO
* Indirect Branch Prediction Barrier (IBPB)
* PRED_CMD MSR is available: NO
* CPU indicates IBPB capability: NO
* Single Thread Indirect Branch Predictors (STIBP)
* SPEC_CTRL MSR is available: NO
* CPU indicates STIBP capability: NO
* Speculative Store Bypass Disable (SSBD)
* CPU indicates SSBD capability: NO
* Enhanced IBRS (IBRS_ALL)
* CPU indicates ARCH_CAPABILITIES MSR availability: NO
* ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: NO
* CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO): NO
* CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO): NO
* CPU microcode is known to cause stability problems: NO (model 63 stepping 2 ucode 0x3a cpuid 0x306f2)
* CPU vulnerability to the speculative execution attack variants
* Vulnerable to Variant 1: YES
* Vulnerable to Variant 2: YES
* Vulnerable to Variant 3: YES
* Vulnerable to Variant 3a: YES
* Vulnerable to Variant 4: YES
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Mitigated according to the /sys interface: YES (Mitigation: __user pointer sanitization)
* Kernel has array_index_mask_nospec (x86): YES (1 occurrence(s) found of 64 bits array_index_mask_nospec())
* Kernel has the Red Hat/Ubuntu patch: NO
* Kernel has mask_nospec64 (arm): NO
> STATUS: NOT VULNERABLE (Mitigation: __user pointer sanitization)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline)
* Mitigation 1
* Kernel is compiled with IBRS support: YES
* IBRS enabled and active: NO
* Kernel is compiled with IBPB support: YES
* IBPB enabled and active: NO
* Mitigation 2
* Kernel has branch predictor hardening (arm): NO
* Kernel compiled with retpoline option: YES
* Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
> STATUS: NOT VULNERABLE (Full retpoline is mitigating the vulnerability)
IBPB is considered as a good addition to retpoline for Variant 2 mitigation, but your CPU microcode doesn't support it
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Mitigated according to the /sys interface: YES (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO
> STATUS: NOT VULNERABLE (Mitigation: PTI)
CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
* CPU microcode mitigates the vulnerability: UNKNOWN (an up to date microcode is sufficient to mitigate this vulnerability, detection will be implemented soon)
> STATUS: VULNERABLE (a new microcode will mitigate this vulnerability)
CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
* Kernel supports speculation store bypass: NO
> STATUS: VULNERABLE (Neither your CPU nor your kernel support SSBD)
> How to fix: You need to update your CPU microcode and use a more recent kernel to provide the necessary mitigation tools to the software running on your machine
A false sense of security is worse than no security at all, see --disclaimer
# pveversion -v
proxmox-ve: 5.2-2 (running kernel: 4.15.17-1-pve)
pve-manager: 5.2-1 (running version: 5.2-1/0fcd7879)
pve-kernel-4.15: 5.2-1
pve-kernel-4.15.17-1-pve: 4.15.17-9
corosync: 2.4.2-pve5
criu: 2.11.1-1~bpo90
glusterfs-client: 3.8.8-1
ksm-control-daemon: 1.2-2
libjs-extjs: 6.0.1-2
libpve-access-control: 5.0-8
libpve-apiclient-perl: 2.0-4
libpve-common-perl: 5.0-31
libpve-guest-common-perl: 2.0-16
libpve-http-server-perl: 2.0-8
libpve-storage-perl: 5.0-23
libqb0: 1.0.1-1
lvm2: 2.02.168-pve6
lxc-pve: 3.0.0-3
lxcfs: 3.0.0-1
novnc-pve: 0.6-4
openvswitch-switch: 2.7.0-2
proxmox-widget-toolkit: 1.0-18
pve-cluster: 5.0-27
pve-container: 2.0-23
pve-docs: 5.2-4
pve-firewall: 3.0-8
pve-firmware: 2.0-4
pve-ha-manager: 2.0-5
pve-i18n: 1.0-5
pve-libspice-server1: 0.12.8-3
pve-qemu-kvm: 2.11.1-5
pve-xtermjs: 1.0-5
pve-zsync: 1.6-15
qemu-server: 5.0-26
smartmontools: 6.5+svn4324-1
spiceterm: 3.0-5
vncterm: 1.5-3
zfsutils-linux: 0.7.8-pve1~bpo9
If you Hardware Vendor does not provide Bios with current microcode you should install the microcode.One question: should i use "intel-microcode" coming from Debian or proxmox provide it's own?
Manufacturer (supermicro) says Debian is not a validated OS for compatibility, so they won't release a BIOS update.
Hi,Manufacturer (supermicro) says Debian is not a validated OS for compatibility, so they won't release a BIOS update. I have
5.0.21-4-pve #1 SMP PVE 5.0.21-8 x86_64.
And there are more vulns coming. Any advice?
BIOS updates are not installed in the OS, so this is non-sense. Just follow their BIOS update howtos on their website.
As we are Debian based and if mainboard does not get BIOS updates in time, you can/should install intel-microcode updates from Debian non-free repository.
# /etc/apt/preferences.d/non-free_policy
Explanation: Disable packages from non-free tree by default
Package: *
Pin: release o=Debian,a=stable,l=Debian-Security,c=non-free
Pin-Priority: -1
# /etc/apt/preferences.d/intel-microcode_non-free
Explanation: Enable package intel-microcode from non-free tree
Package: intel-microcode
Pin: release o=Debian,a=stable,l=Debian-Security,c=non-free
Pin-Priority: 600
# /etc/apt/preferences.d/contrib_policy
Explanation: Disable packages from contrib tree by default
Package: *
Pin: release o=Debian,a=stable,l=Debian,c=contrib
Pin-Priority: -1
# /etc/apt/preferences.d/iucode-tool_contrib
Explanation: Enable package iucode-tool from contrib tree
Package: iucode-tool
Pin: release o=Debian,a=stable,l=Debian,c=contrib
Pin-Priority: 600
# apt policy intel-microcode
intel-microcode:
Installed: 3.20191112.1~deb10u1
Candidate: 3.20191112.1~deb10u1
Version table:
*** 3.20191112.1~deb10u1 600
-1 http://security.debian.org/debian-security buster/updates/non-free amd64 Packages
100 /var/lib/dpkg/status
# apt policy iucode-tool
iucode-tool:
Installed: 2.3.1-1
Candidate: 2.3.1-1
Version table:
*** 2.3.1-1 600
-1 http://mirrors.xtom.com/debian buster/contrib amd64 Packages
100 /var/lib/dpkg/status