Meltdown and Spectre Linux Kernel fixes

Discussion in 'Proxmox VE: Installation and configuration' started by martin, Jan 7, 2018.

  1. Xabi

    Xabi New Member

    Joined:
    Apr 25, 2016
    Messages:
    5
    Likes Received:
    0
    Version 103 fixes
    Version 103 fixed it!

    Thanks :)
     
  2. carles89

    carles89 Member
    Proxmox Subscriber

    Joined:
    May 27, 2015
    Messages:
    49
    Likes Received:
    2
    Fixed too on Fujitsu Primergy TX140 S2.

    Thank you!
     
  3. sommarnatt

    sommarnatt New Member

    Joined:
    Mar 20, 2014
    Messages:
    22
    Likes Received:
    0
    https://www.qemu.org/2018/01/04/spectre/
    https://lists.nongnu.org/archive/html/qemu-devel/2018-01/msg01386.html

     
  4. Sebastian2000

    Sebastian2000 Member

    Joined:
    Oct 31, 2017
    Messages:
    80
    Likes Received:
    1
@fabian I know that we all HAVE to upgrade the kernel, but because there are a lot of KVMs on some production HOSTs, it's difficult for us to do it yet and we have to wait some time more. The question is, if all KVMs are updated and no one has access to the GUI / ssh of the Proxmox host, I understand that the risk is very limited for the HOST server, as none of the guests will be able to use the vulnerability?
     
    #44 Sebastian2000, Jan 9, 2018
    Last edited: Jan 9, 2018
  5. sommarnatt

    sommarnatt New Member

    Joined:
    Mar 20, 2014
    Messages:
    22
    Likes Received:
    0
You should at the very least patch Meltdown, as it is the easiest one to "use". So that means patching the guest and rebooting it.

Spectre needs a microcode update; Intel has already released some to certain companies like HP, Dell and Supermicro, and they've created BIOS updates for some CPUs / servers. It will probably be released to the microcode-intel package soon, so you can patch it through the OS. It also means another reboot though, afaik.

The Spectre PoC from Google was mitigated afaik with the patch from Proxmox (kudos, good job), and if you have a cluster of Proxmox servers with shared storage (think Ceph, SANs etc.) you can just move the guests around and reboot hosts as you like.
     
  6. sommarnatt

    sommarnatt New Member

    Joined:
    Mar 20, 2014
    Messages:
    22
    Likes Received:
    0
  7. stef1777

    stef1777 Member

    Joined:
    Jan 31, 2010
    Messages:
    178
    Likes Received:
    8
Meltdown fix available on Jessie.

Not yet tried.

    Get:1 http://security.debian.org/ jessie/updates/main linux-image-amd64 amd64 3.16+63+deb8u1 [5,844 B]
    Get:2 http://security.debian.org/ jessie/updates/main linux-image-3.16.0-5-amd64 amd64 3.16.51-3+deb8u1 [34.0 MB]
    Get:3 http://httpredir.debian.org/debian/ jessie/main libnuma1 amd64 2.0.10-1 [32.5 kB]
    Get:4 http://httpredir.debian.org/debian/ jessie/main firmware-linux-free all 3.3 [19.1 kB]
    Get:5 http://httpredir.debian.org/debian/ jessie/main irqbalance amd64 1.0.6-3+deb8u1 [31.2 kB]
     
  8. JOduMonT

    JOduMonT New Member

    Joined:
    Jan 20, 2016
    Messages:
    16
    Likes Received:
    0
this will tell you if your kernel is patched:

dmesg | grep "Kernel/User page tables isolation: enabled" && echo "patched :)" || echo "unpatched :("
found on: askubuntu.com/questions/992137/how-to-check-that-kpti-is-enabled-on-my-ubuntu

for non-paying users (non-enterprise) you need to activate the pve-no-subscription repo before the 'apt update && apt dist-upgrade'
in /etc/apt/sources.list you must have something like:
deb http://download.proxmox.com/debian/pve stretch pve-no-subscription
replace stretch with jessie or wheezy to reflect your version, as you must know

also if you patch your kernel with KPTI and try cat /proc/cpuinfo | grep bugs
you must see one cpu_insecure per core
this is scary and sad, but it means the KPTI patch is applied.
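The two checks in the post above (the dmesg boot line and the "bugs" field of /proc/cpuinfo) can be folded into one script that also reads the sysfs vulnerabilities file newer kernels expose. This is an added example, not code from the thread or from Proxmox; the function and variable names are my own, and the sample inputs in the comments are constructed. The functions take captured text as arguments so the same logic can be run against output copied from another host, and the verdict distinguishes "PTI confirmed on", "PTI confirmed off", and "the kernel knows the CPU is affected but the boot message is not visible", which is the usual result when the dmesg ring buffer has wrapped.

```sh
#!/bin/sh
# Added example (not from the thread): classify a host's Meltdown/KPTI state
# from three sources: the dmesg boot line, the "bugs" field in /proc/cpuinfo
# and /sys/devices/system/cpu/vulnerabilities/meltdown on kernels that have it.

# kpti_from_dmesg DMESG_TEXT -> "enabled" | "disabled" | "unknown"
# "unknown" usually means the boot messages rotated out of the ring buffer,
# not that PTI is off; the other two sources decide in that case.
kpti_from_dmesg() {
    if printf '%s\n' "$1" | grep -q 'Kernel/User page tables isolation: enabled'; then
        echo enabled
    elif printf '%s\n' "$1" | grep -q 'Kernel/User page tables isolation: disabled'; then
        echo disabled
    else
        echo unknown
    fi
}

# meltdown_bug_cores CPUINFO_TEXT -> number of logical CPUs whose "bugs" line
# lists the Meltdown erratum. 4.4-era backports call it cpu_insecure; later
# kernels renamed it cpu_meltdown. One "bugs" line per core, as the post says.
meltdown_bug_cores() {
    printf '%s\n' "$1" |
        grep -c -E '^bugs[[:space:]]*:.*[[:space:]](cpu_insecure|cpu_meltdown)([[:space:]]|$)' || true
}

# sysfs_meltdown SYSFS_TEXT -> "mitigated" | "vulnerable" | "unknown"
# Input is the content of /sys/devices/system/cpu/vulnerabilities/meltdown,
# e.g. "Mitigation: PTI" (constructed sample); pass "" if the file is absent.
sysfs_meltdown() {
    case "$1" in
        Mitigation:*) echo mitigated ;;
        Vulnerable*)  echo vulnerable ;;
        *)            echo unknown ;;
    esac
}

# meltdown_verdict DMESG_TEXT CPUINFO_TEXT SYSFS_TEXT
#   -> "patched" | "unpatched" | "inconclusive" | "unknown"
# sysfs and the dmesg line are authoritative. A cpu_insecure/cpu_meltdown
# marker without either only proves a Meltdown-aware kernel is running; no
# marker at all means the kernel predates the backports or does not consider
# this CPU affected. The exit status mirrors the verdict for monitoring use.
meltdown_verdict() {
    sysfs=$(sysfs_meltdown "$3")
    dmesg_state=$(kpti_from_dmesg "$1")
    cores=$(meltdown_bug_cores "$2")
    if [ "$sysfs" = mitigated ] || [ "$dmesg_state" = enabled ]; then
        echo patched; return 0
    elif [ "$sysfs" = vulnerable ] || [ "$dmesg_state" = disabled ]; then
        echo unpatched; return 1
    elif [ "$cores" -gt 0 ]; then
        echo inconclusive; return 2
    else
        echo unknown; return 3
    fi
}

# Run against the live host with: sh meltdown_check.sh --live
if [ "${1:-}" = "--live" ]; then
    dm=$(dmesg 2>/dev/null || true)
    ci=$(cat /proc/cpuinfo)
    sf=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null || true)
    meltdown_verdict "$dm" "$ci" "$sf"
fi
```

When the verdict is "inconclusive", check the saved boot log (journalctl -k -b, or /var/log/kern.log on Jessie) rather than the current dmesg ring buffer, since a 4.4 kernel without the sysfs file prints the PTI line only once at boot.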



     
  9. stef1777

    stef1777 Member

    Joined:
    Jan 31, 2010
    Messages:
    178
    Likes Received:
    8
Warning: the first kit (PoC) for Spectre 2 is out. It is said to run in one KVM and read the memory of other KVMs on the same host.
     
    #49 stef1777, Jan 9, 2018
    Last edited: Jan 9, 2018
  10. mir

    mir Well-Known Member
    Proxmox Subscriber

    Joined:
    Apr 14, 2012
    Messages:
    3,481
    Likes Received:
    96
    Which host CPU, Intel, ARM or AMD?
     
  11. JOduMonT

    JOduMonT New Member

    Joined:
    Jan 20, 2016
    Messages:
    16
    Likes Received:
    0
actually an easy-to-understand status is provided by OVH
@ docs.ovh.com/fr/dedicated/meltdown-spectre-kernel-update-per-operating-system/

so mostly Meltdown could be patched,
while Spectre is still a vulnerability for most OSes
     
  12. stef1777

    stef1777 Member

    Joined:
    Jan 31, 2010
    Messages:
    178
    Likes Received:
    8
  13. Volodimir

    Volodimir New Member

    Joined:
    Jan 10, 2018
    Messages:
    8
    Likes Received:
    0
Can someone suggest why the new 103 kernel does not have the KPTI patch (the previous one, 102, has it):

    # uname -a
    #1 SMP PVE 4.4.98-103 (Mon, 8 Jan 2018 10:15:44 +0100) x86_64 GNU/Linux
    # dmesg | grep "page tables isolation"
    # dmesg |grep iso
    #
     
  14. stef1777

    stef1777 Member

    Joined:
    Jan 31, 2010
    Messages:
    178
    Likes Received:
    8
    Works for me with PVE 4.x.

    # dmesg | grep "User page tables isolation"
    [ 0.000000] Kernel/User page tables isolation: enabled

    # pveversion -v
    proxmox-ve: 4.4-103 (running kernel: 4.4.98-3-pve)
    pve-manager: 4.4-20 (running version: 4.4-20/2650b7b5)
    pve-kernel-4.4.98-2-pve: 4.4.98-101
    pve-kernel-4.4.98-3-pve: 4.4.98-103
    pve-kernel-4.4.95-1-pve: 4.4.95-99
    lvm2: 2.02.116-pve3
    corosync-pve: 2.4.2-2~pve4+1
    libqb0: 1.0.1-1
    pve-cluster: 4.0-54
    qemu-server: 4.0-113
    pve-firmware: 1.1-11
    libpve-common-perl: 4.0-96
    libpve-access-control: 4.0-23
    libpve-storage-perl: 4.0-76
    pve-libspice-server1: 0.12.8-2
    vncterm: 1.3-2
    pve-docs: 4.4-4
    pve-qemu-kvm: 2.9.1-5~pve4
    pve-container: 1.0-104
    pve-firewall: 2.0-33
    pve-ha-manager: 1.0-41
    ksm-control-daemon: 1.2-1
    glusterfs-client: 3.5.2-2+deb8u3
    lxc-pve: 2.0.7-4
    lxcfs: 2.0.6-pve1
    criu: 1.6.0-1
    novnc-pve: 0.5-9
    smartmontools: 6.5+svn4324-1~pve80
     
  15. Volodimir

    Volodimir New Member

    Joined:
    Jan 10, 2018
    Messages:
    8
    Likes Received:
    0
For me, unfortunately, not:

    # dmesg | grep "User page tables isolation"
    # pveversion -v
    proxmox-ve: 4.4-103 (running kernel: 4.4.98-3-pve)
    pve-manager: 4.4-20 (running version: 4.4-20/2650b7b5)
    pve-kernel-4.4.98-3-pve: 4.4.98-103
    pve-kernel-4.4.59-1-pve: 4.4.59-87
    pve-kernel-4.4.95-1-pve: 4.4.95-99
    pve-kernel-4.4.67-1-pve: 4.4.67-92
    pve-kernel-4.4.49-1-pve: 4.4.49-86
    pve-kernel-4.4.62-1-pve: 4.4.62-88
    lvm2: 2.02.116-pve3
    corosync-pve: 2.4.2-2~pve4+1
    libqb0: 1.0.1-1
    pve-cluster: 4.0-54
    qemu-server: 4.0-113
    pve-firmware: 1.1-11
    libpve-common-perl: 4.0-96
    libpve-access-control: 4.0-23
    libpve-storage-perl: 4.0-76
    pve-libspice-server1: 0.12.8-2
    vncterm: 1.3-2
    pve-docs: 4.4-4
    pve-qemu-kvm: 2.9.1-5~pve4
    pve-container: 1.0-104
    pve-firewall: 2.0-33
    pve-ha-manager: 1.0-41
    ksm-control-daemon: 1.2-1
    glusterfs-client: 3.5.2-2+deb8u3
    lxc-pve: 2.0.7-4
    lxcfs: 2.0.6-pve1
    criu: 1.6.0-1
    novnc-pve: 0.5-9
    smartmontools: 6.5+svn4324-1~pve80
    openvswitch-switch: 2.6.0-2

can anyone suggest what I am doing wrong?
     
  16. stef1777

    stef1777 Member

    Joined:
    Jan 31, 2010
    Messages:
    178
    Likes Received:
    8
    Could you please specify the brand/model of hardware server?
     
  17. Volodimir

    Volodimir New Member

    Joined:
    Jan 10, 2018
    Messages:
    8
    Likes Received:
    0
    Dell PowerEdge M630

    # dmidecode | grep 630
    Product Name: PowerEdge M630
    SKU Number: SKU=NotProvided;ModelName=PowerEdge M630

at the same time, the same model with kernel 102 does not have such problems

    # dmidecode | grep 630
    Product Name: PowerEdge M630
    SKU Number: SKU=NotProvided;ModelName=PowerEdge M630
    # uname -a
    Linux proxmox18 4.4.98-3-pve #1 SMP PVE 4.4.98-102 (Sun, 7 Jan 2018 13:15:19 +0100) x86_64 GNU/Linux
    # dmesg | grep "User page tables isolation"
    [ 0.000000] Kernel/User page tables isolation: enabled
     
  18. stef1777

    stef1777 Member

    Joined:
    Jan 31, 2010
    Messages:
    178
    Likes Received:
    8
  19. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,299
    Likes Received:
    508
same model, or same system? what does /proc/cpuinfo contain on both hosts? there is nothing in the diff between -102 and -103 that should cause this, and the only way in our 4.4 kernel to silently disable pti is if the kernel detects it is booted as a PV XEN guest.
     
  20. Volodimir

    Volodimir New Member

    Joined:
    Jan 10, 2018
    Messages:
    8
    Likes Received:
    0
Same models and same systems; the servers also have the same CPU

    103 kernel - 32 x Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz (2 Sockets)
    102 kernel - 32 x Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.10GHz (2 Sockets)

/proc/cpuinfo differs only in CPU frequency

    # diff 102.txt /root/103.txt
    8c8
    < cpu MHz : 1872.773
    ---
    > cpu MHz : 2474.718
    22c22
    < bogomips : 4190.35
    ---
    > bogomips : 4190.21
    ....
    < cpu MHz : 2628.445
    ---
    > cpu MHz : 2366.601
    859c859
    < bogomips : 4191.63
    ---
    > bogomips : 4191.45

Also, the server is not "booted as PV XEN guest", because these are physical servers; dmidecode also shows this.
Related to the BIOS version:

    103 kernel:
    BIOS Version 2.4.2
    Firmware Version 2.50.50.50
    Lifecycle Controller Firmware 2.50.50.50

    102 kernel:
    BIOS Version 2.4.2
    Firmware Version 2.50.50.50
    Lifecycle Controller Firmware 2.50.50.50

so as you can see, the servers have the same hardware/OS except for the kernel.
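The comparison above had to wade through hundreds of "cpu MHz" and "bogomips" lines that change on every boot. The script below, an added example that is not part of the thread or of Proxmox, strips those volatile fields and keeps only the first processor stanza, so two hosts' /proc/cpuinfo files can be compared on what matters for this question: the microcode revision, the "bugs" list and the feature flags. Function names and the embedded sample stanzas (including the microcode values) are my own constructions, not values taken from the posters' hosts.

```sh
#!/bin/sh
# Added example (not from the thread): compare /proc/cpuinfo from two hosts
# without per-boot noise, and extract the mitigation-relevant fields.

# cpuinfo_stable CPUINFO_TEXT -> first processor stanza, volatile fields
# removed, keys normalised to "key: value" (all cores share model/flags/bugs)
cpuinfo_stable() {
    printf '%s\n' "$1" |
    awk -F':' '
        /^processor[ \t]*:/ { n++ }
        n > 1 { exit }
        /^(cpu MHz|bogomips|apicid|initial apicid|core id|processor)[ \t]*:/ { next }
        NF >= 2 {
            key = $1; sub(/[ \t]+$/, "", key)
            val = substr($0, index($0, ":") + 1); sub(/^[ \t]+/, "", val)
            print key ": " val
        }'
}

# cpuinfo_field CPUINFO_TEXT KEY -> value of KEY in the first stanza, or ""
cpuinfo_field() {
    cpuinfo_stable "$1" | awk -F': ' -v k="$2" '$1 == k { print substr($0, length(k) + 3); exit }'
}

# has_flag CPUINFO_TEXT FLAG -> exit 0 if FLAG is listed in "flags"
has_flag() {
    cpuinfo_field "$1" flags | tr ' ' '\n' | grep -qx -- "$2"
}

# cpuinfo_compare CPUINFO_A CPUINFO_B -> prints a unified-style diff of the
# stable fields; exit 0 when the two hosts agree, 1 when they differ
cpuinfo_compare() {
    a=$(mktemp) && b=$(mktemp) || return 2
    cpuinfo_stable "$1" > "$a"
    cpuinfo_stable "$2" > "$b"
    if diff "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# Constructed sample: two cores of the same host; only frequency differs.
SAMPLE_A='processor	: 0
model name	: Example CPU v4 @ 2.10GHz
microcode	: 0xdeadbee1
cpu MHz		: 1872.773
flags		: fpu vme pti
bugs		: cpu_insecure
bogomips	: 4190.35
processor	: 1
model name	: Example CPU v4 @ 2.10GHz
microcode	: 0xdeadbee1
cpu MHz		: 2628.445
flags		: fpu vme pti
bugs		: cpu_insecure
bogomips	: 4191.63'

# Constructed sample of a second host with newer microcode and the
# spec_ctrl flag that a Spectre v2 microcode update adds.
SAMPLE_B='processor	: 0
model name	: Example CPU v4 @ 2.10GHz
microcode	: 0xdeadbee5
cpu MHz		: 2474.718
flags		: fpu vme pti spec_ctrl
bugs		: cpu_insecure
bogomips	: 4190.21'

# demo -> exit status of comparing the two constructed samples (1: they differ)
demo() {
    cpuinfo_compare "$SAMPLE_A" "$SAMPLE_B"
}
```

On real hosts the same comparison is `cpuinfo_compare "$(cat /proc/cpuinfo)" "$(ssh otherhost cat /proc/cpuinfo)"`; a microcode line that differs while the BIOS version matches usually points at the intel-microcode package rather than the firmware.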
     