Meltdown and Spectre Linux Kernel fixes

Discussion in 'Proxmox VE: Installation and configuration' started by martin, Jan 7, 2018.

  1. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,194
    Likes Received:
    494
  2. gkovacs

    gkovacs Active Member

    Joined:
    Dec 22, 2008
    Messages:
    500
    Likes Received:
    43
    No, it can not. If you actually read the text carefully that you linked in your post (instead of parroting misinformation), then you would know it was only possible with an outdated Debian kernel. So in the case of currently supported Proxmox VE kernels, no side channel attack can read the host memory from inside the KVM guest.
     
  3. aderumier

    aderumier Member

    Joined:
    May 14, 2013
    Messages:
    203
    Likes Received:
    18
    Sorry, but that just means that this specific PoC only works on this "outdated" 4.9 kernel. That doesn't mean it's impossible to do the same on the latest kernels. (But yes, it's very difficult to exploit, though not impossible.)

     
    EuroDomenii likes this.
  4. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,194
    Likes Received:
    494
    Latest kernels in pvetest for PVE 4 and PVE 5 contain full RETPOLINE support. Feedback would be appreciated, as always.
     
    ValCapri, EuroDomenii and sumsum like this.
  5. EuroDomenii

    EuroDomenii Member
    Proxmox Subscriber

    Joined:
    Sep 30, 2016
    Messages:
    102
    Likes Received:
    15
    Tested on PVE 4 & 5, so far so good!
     
  6. Rhinox

    Rhinox Active Member

    Joined:
    Sep 28, 2016
    Messages:
    272
    Likes Received:
    35
  7. Jospeh Huber

    Jospeh Huber Member

    Joined:
    Apr 18, 2016
    Messages:
    75
    Likes Received:
    3
    Tested with latest Proxmox 5.2 and 4, NOT VULNERABLE.
    Thank you!

    Spectre and Meltdown mitigation detection tool v0.27

    Checking for vulnerabilities against live running kernel Linux 4.13.13-6-pve #1 SMP PVE 4.13.13-41 (Wed, 21 Feb 2018 10:07:54 +0100) x86_64

    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
    > STATUS: NOT VULNERABLE (Mitigation: OSB (observable speculation barrier, Intel v6))

    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
    > STATUS: NOT VULNERABLE (Mitigation: Full generic retpoline)

    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Checking whether we're safe according to the /sys interface: YES (kernel confirms that the mitigation is active)
    > STATUS: NOT VULNERABLE (Mitigation: PTI)
     
    #187 Jospeh Huber, Mar 1, 2018
    Last edited: Mar 1, 2018
  8. Sebastian2000

    Sebastian2000 Member

    Joined:
    Oct 31, 2017
    Messages:
    80
    Likes Received:
    1
    I also see it, but then there is no need to update the BIOS?
     
  9. EuroDomenii

    EuroDomenii Member
    Proxmox Subscriber

    Joined:
    Sep 30, 2016
    Messages:
    102
    Likes Received:
    15
    Here is the full output of the checking tool. If the hardware is vulnerable, we don't need a BIOS update (maybe it is not even available for certain servers), since we have software mitigation.

    HARDWARE CHECK
    Code:
    Spectre and Meltdown mitigation detection tool v0.35
    Checking for vulnerabilities on current system
    Kernel is Linux 4.4.98-6-pve #1 SMP PVE 4.4.98-107 (Fri, 16 Feb 2018 10:11:56 +0100) x86_64
    CPU is Intel(R) Xeon(R) CPU E3-1275 v5 @ 3.60GHz
    Hardware check
    * Hardware support (CPU microcode) for mitigation techniques
      * Indirect Branch Restricted Speculation (IBRS)
        * SPEC_CTRL MSR is available:  NO
        * CPU indicates IBRS capability:  NO
      * Indirect Branch Prediction Barrier (IBPB)
        * PRED_CMD MSR is available:  NO
        * CPU indicates IBPB capability:  NO
      * Single Thread Indirect Branch Predictors (STIBP)
        * SPEC_CTRL MSR is available:  NO
        * CPU indicates STIBP capability:  NO
      * Enhanced IBRS (IBRS_ALL)
        * CPU indicates ARCH_CAPABILITIES MSR availability:  NO
        * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO
      * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO
      * CPU microcode is known to cause stability problems:  NO  (model 94 stepping 3 ucode 0xba)
    * CPU vulnerability to the three speculative execution attacks variants
      * Vulnerable to Variant 1:  YES
      * Vulnerable to Variant 2:  YES
      * Vulnerable to Variant 3:  YES
    
    SOFTWARE CHECK
    Code:
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
    * Kernel has array_index_mask_nospec:  NO
    * Kernel has the Red Hat/Ubuntu patch:  YES
    > STATUS:  NOT VULNERABLE  (Mitigation: OSB (observable speculation barrier, Intel v6))
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
    * Mitigation 1
      * Kernel is compiled with IBRS/IBPB support:  YES
      * Currently enabled features
        * IBRS enabled for Kernel space:  NO
        * IBRS enabled for User space:  NO
        * IBPB enabled:  NO
    * Mitigation 2
      * Kernel compiled with retpoline option:  YES
      * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
    > STATUS:  NOT VULNERABLE  (Mitigation: Full generic retpoline)
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Mitigated according to the /sys interface:  YES  (kernel confirms that the mitigation is active)
    * Kernel supports Page Table Isolation (PTI):  YES
    * PTI enabled and active:  YES
    * Running as a Xen PV DomU:  NO
    > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
    A false sense of security is worse than no security at all, see --disclaimer
    
     
  10. speedbird

    speedbird Member
    Proxmox Subscriber

    Joined:
    Nov 3, 2017
    Messages:
    45
    Likes Received:
    4
    NOT VULNERABLE all the way :)

    Purrfect! Thank you :)
     
  11. Nemesiz

    Nemesiz Active Member

    Joined:
    Jan 16, 2009
    Messages:
    627
    Likes Received:
    37
    News about bugs

    Code:
    # ./spectre-meltdown-checker.sh 
    Spectre and Meltdown mitigation detection tool v0.37+
    
    Checking for vulnerabilities on current system
    Kernel is Linux 4.15.17-1-pve #1 SMP PVE 4.15.17-9 (Wed, 9 May 2018 13:31:43 +0200) x86_64
    CPU is Intel(R) Xeon(R) CPU E5-2603 v3 @ 1.60GHz
    
    Hardware check
    * Hardware support (CPU microcode) for mitigation techniques
      * Indirect Branch Restricted Speculation (IBRS)
        * SPEC_CTRL MSR is available:  NO 
        * CPU indicates IBRS capability:  NO 
      * Indirect Branch Prediction Barrier (IBPB)
        * PRED_CMD MSR is available:  NO 
        * CPU indicates IBPB capability:  NO 
      * Single Thread Indirect Branch Predictors (STIBP)
        * SPEC_CTRL MSR is available:  NO 
        * CPU indicates STIBP capability:  NO 
      * Speculative Store Bypass Disable (SSBD)
        * CPU indicates SSBD capability:  NO 
      * Enhanced IBRS (IBRS_ALL)
        * CPU indicates ARCH_CAPABILITIES MSR availability:  NO 
        * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  NO 
      * CPU explicitly indicates not being vulnerable to Meltdown (RDCL_NO):  NO 
      * CPU explicitly indicates not being vulnerable to Variant 4 (SSB_NO):  NO 
      * CPU microcode is known to cause stability problems:  NO  (model 63 stepping 2 ucode 0x3a cpuid 0x306f2)
    * CPU vulnerability to the speculative execution attack variants
      * Vulnerable to Variant 1:  YES 
      * Vulnerable to Variant 2:  YES 
      * Vulnerable to Variant 3:  YES 
      * Vulnerable to Variant 3a:  YES 
      * Vulnerable to Variant 4:  YES 
    
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Mitigated according to the /sys interface:  YES  (Mitigation: __user pointer sanitization)
    * Kernel has array_index_mask_nospec (x86):  YES  (1 occurrence(s) found of 64 bits array_index_mask_nospec())
    * Kernel has the Red Hat/Ubuntu patch:  NO 
    * Kernel has mask_nospec64 (arm):  NO 
    > STATUS:  NOT VULNERABLE  (Mitigation: __user pointer sanitization)
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline)
    * Mitigation 1
      * Kernel is compiled with IBRS support:  YES 
        * IBRS enabled and active:  NO 
      * Kernel is compiled with IBPB support:  YES 
        * IBPB enabled and active:  NO 
    * Mitigation 2
      * Kernel has branch predictor hardening (arm):  NO 
      * Kernel compiled with retpoline option:  YES 
        * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
    > STATUS:  NOT VULNERABLE  (Full retpoline is mitigating the vulnerability)
    IBPB is considered as a good addition to retpoline for Variant 2 mitigation, but your CPU microcode doesn't support it
    
    CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
    * Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
    * Kernel supports Page Table Isolation (PTI):  YES 
      * PTI enabled and active:  YES 
      * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
    * Running as a Xen PV DomU:  NO 
    > STATUS:  NOT VULNERABLE  (Mitigation: PTI)
    
    CVE-2018-3640 [rogue system register read] aka 'Variant 3a'
      * CPU microcode mitigates the vulnerability:  UNKNOWN  (an up to date microcode is sufficient to mitigate this vulnerability, detection will be implemented soon)
    > STATUS:  VULNERABLE  (a new microcode will mitigate this vulnerability)
    
    CVE-2018-3639 [speculative store bypass] aka 'Variant 4'
      * Kernel supports speculation store bypass:  NO 
    > STATUS:  VULNERABLE  (Neither your CPU nor your kernel support SSBD)
    
    > How to fix: You need to update your CPU microcode and use a more recent kernel to provide the necessary mitigation tools to the software running on your machine
    
    A false sense of security is worse than no security at all, see --disclaimer
    
    Code:
    # pveversion -v
    proxmox-ve: 5.2-2 (running kernel: 4.15.17-1-pve)
    pve-manager: 5.2-1 (running version: 5.2-1/0fcd7879)
    pve-kernel-4.15: 5.2-1
    pve-kernel-4.15.17-1-pve: 4.15.17-9
    corosync: 2.4.2-pve5
    criu: 2.11.1-1~bpo90
    glusterfs-client: 3.8.8-1
    ksm-control-daemon: 1.2-2
    libjs-extjs: 6.0.1-2
    libpve-access-control: 5.0-8
    libpve-apiclient-perl: 2.0-4
    libpve-common-perl: 5.0-31
    libpve-guest-common-perl: 2.0-16
    libpve-http-server-perl: 2.0-8
    libpve-storage-perl: 5.0-23
    libqb0: 1.0.1-1
    lvm2: 2.02.168-pve6
    lxc-pve: 3.0.0-3
    lxcfs: 3.0.0-1
    novnc-pve: 0.6-4
    openvswitch-switch: 2.7.0-2
    proxmox-widget-toolkit: 1.0-18
    pve-cluster: 5.0-27
    pve-container: 2.0-23
    pve-docs: 5.2-4
    pve-firewall: 3.0-8
    pve-firmware: 2.0-4
    pve-ha-manager: 2.0-5
    pve-i18n: 1.0-5
    pve-libspice-server1: 0.12.8-3
    pve-qemu-kvm: 2.11.1-5
    pve-xtermjs: 1.0-5
    pve-zsync: 1.6-15
    qemu-server: 5.0-26
    smartmontools: 6.5+svn4324-1
    spiceterm: 3.0-5
    vncterm: 1.5-3
    zfsutils-linux: 0.7.8-pve1~bpo9

    And I have another problem with Windows. How do I turn on Spectre protection inside a Windows VM?
     
  12. Alessandro 123

    Joined:
    May 22, 2016
    Messages:
    594
    Likes Received:
    19
    One question: should I use "intel-microcode" coming from Debian, or does Proxmox provide its own?
     
  13. bady

    bady New Member

    Joined:
    Jul 28, 2014
    Messages:
    10
    Likes Received:
    1
    Proxmox provides no microcode as far as I know. You get it from Debian or Intel.
     
  14. wolfgang

    wolfgang Proxmox Staff Member
    Staff Member

    Joined:
    Oct 1, 2014
    Messages:
    4,598
    Likes Received:
    306
    If your hardware vendor does not provide a BIOS with current microcode, you should install the microcode.
    But anyway, the microcode from the deb package will only apply if the version in the package is newer than the BIOS one.
     
  15. Humbug

    Humbug Member

    Joined:
    Nov 14, 2012
    Messages:
    30
    Likes Received:
    1
    I installed the latest BIOS and the intel-microcode package. Can I still use the "noibrs noibpb" kernel parameters to disable these functions? Or do I have to downgrade the BIOS again?
     
  16. chrcoluk

    chrcoluk New Member

    Joined:
    Oct 7, 2018
    Messages:
    11
    Likes Received:
    1
    The kernel parameters will work to override the behaviour.
     
    Humbug likes this.
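    Both the checker output posted earlier in the thread and the question about "noibrs noibpb" come down to two things the running kernel exposes itself: the per-vulnerability files under /sys/devices/system/cpu/vulnerabilities (the "/sys interface" the tool reports on, where each file reads "Not affected", "Vulnerable..." or "Mitigation: ...") and the boot parameters in /proc/cmdline. The POSIX sh script below is an added example, not something posted in this thread or shipped by Proxmox or the checker tool. It summarises the kernel's own view of the mitigations and flags any override parameters on the command line; the directory and command line are taken as arguments so the functions can be exercised against a constructed copy of the sysfs files, and the override list is only the two parameters named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarise the kernel's view of
# speculative-execution mitigations and detect command-line overrides.

# Print one "<name> <tag> <raw state>" line per file in the sysfs
# vulnerabilities directory (argument 1, defaults to the live system).
# Returns 0 when no file reports "Vulnerable", 1 otherwise, so the function
# can gate a monitoring check or a post-reboot sanity script.
report_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        state=$(cat "$f")
        # The three state vocabularies the kernel writes into these files.
        case "$state" in
            Vulnerable*)    tag="VULNERABLE"; rc=1 ;;
            Mitigation:*)   tag="MITIGATED" ;;
            "Not affected") tag="NOT_AFFECTED" ;;
            *)              tag="UNKNOWN" ;;
        esac
        printf '%-20s %-13s %s\n' "$name" "$tag" "$state"
    done
    return $rc
}

# Report mitigation-disabling boot parameters on the kernel command line
# (argument 1, defaults to /proc/cmdline). The list holds only the two
# parameters named in the thread (noibrs, noibpb); extend it for your kernel.
# Returns 0 and prints the parameters found, 1 when none are present.
overrides_present() {
    cmdline="${1:-$(cat /proc/cmdline 2>/dev/null)}"
    found=""
    for p in noibrs noibpb; do
        # Pad with spaces so the match is on whole words, also catching
        # a "param=value" spelling without word-splitting or globbing.
        case " $cmdline " in
            *" $p "*|*" $p="*) found="$found $p" ;;
        esac
    done
    if [ -n "$found" ]; then
        printf 'overrides:%s\n' "$found"
        return 0
    fi
    return 1
}

# Stand-alone usage against the live system.
report_mitigations || echo "at least one variant still reports Vulnerable"
overrides_present || echo "no mitigation override parameters on the command line"
```

    Run as root after a kernel or microcode update; a non-zero exit from report_mitigations means the kernel itself, not the detection tool, considers some variant unmitigated, and a hit from overrides_present explains a "Vulnerable" state on a kernel that otherwise carries the fix.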