it's available in pve-enterprise now.
Right now, there are no public patches to KVM that expose the new CPUID bits and MSRs to the virtual machines, therefore there is no urgent need to update QEMU; remember that updating the host kernel is enough to protect the host from malicious guests. Nevertheless, updates will be posted to the qemu-devel mailing list in the next few days, and a 2.11.1 patch release will be released with the fix.
I am wondering why the +pcid is not added to KVM boot.
I have done some testing with updated Linux kernels; without this parameter the new patched Debian 9 kernels are much slower compared to when +pcid is added for starting KVM.
-cpu SandyBridge,+pcid,+kvm_pv_unhalt,+kvm_pv_eoi,enforce,vendor=GenuineIntel -m 8192
vs
-cpu SandyBridge,+kvm_pv_unhalt,+kvm_pv_eoi,enforce,vendor=GenuineIntel
If cpu "host" or default is used, pcid is added to the guest system, but migrating between different HW Servers (HP gen8, gen9 and gen10) is not working anymore.
I would suggest adding +pcid for starting kvm
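As an added example (not code from the thread or from Proxmox), here is a small POSIX shell check for the two things the post above turns on: whether the CPU exposed to the system carries the pcid flag (so that KPTI can avoid full TLB flushes), and whether the kernel reports page table isolation as enabled. The parsing functions take their input as text, so the sample flag lines and dmesg line below are constructed and not real output from any host in this thread; `live_check` runs the same functions against the local /proc/cpuinfo and dmesg.

```sh
#!/bin/sh
# Added example: check for the 'pcid' CPU flag and the KPTI status line.
# The parsing functions take text as input so they can be exercised on
# constructed samples as well as on live system output.

# has_cpu_flag FLAG FLAGS_LINE -> exit 0 if FLAG is in the space-separated list
has_cpu_flag() {
    wanted=$1
    flags_line=$2
    for f in $flags_line; do
        [ "$f" = "$wanted" ] && return 0
    done
    return 1
}

# kpti_state DMESG_TEXT -> prints "enabled", "disabled" or "unknown"
kpti_state() {
    case "$1" in
        *"Kernel/User page tables isolation: enabled"*)  echo enabled ;;
        *"Kernel/User page tables isolation: disabled"*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# Constructed sample data (not real output from the hosts discussed above).
SAMPLE_FLAGS_WITH_PCID="fpu vme de pse tsc msr pae mce cx8 apic sep pcid sse4_2 x2apic"
SAMPLE_FLAGS_NO_PCID="fpu vme de pse tsc msr pae mce cx8 apic sep sse4_2 x2apic"
SAMPLE_DMESG="[    0.000000] Kernel/User page tables isolation: enabled"

# Live check on the current machine: inside a guest this shows whether the
# -cpu model handed to QEMU exposes pcid; on a host it shows whether the
# patched kernel actually enabled KPTI.
live_check() {
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null | cut -d: -f2)
    if has_cpu_flag pcid "$flags"; then
        echo "pcid: present (KPTI can use PCID instead of full TLB flushes)"
    else
        echo "pcid: absent (expect higher syscall/context-switch overhead with KPTI)"
    fi
    echo "KPTI: $(kpti_state "$(dmesg 2>/dev/null)")"
}
```

Run `live_check` in a guest started with and without `+pcid` to confirm the flag actually reaches the VM; the flag only helps when the kernel inside the guest is also KPTI-patched.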
@fabian I know that we all HAVE to upgrade the kernel, but because there are a lot of KVMs on some production HOSTs, it's difficult for us to do it yet and we have to wait some more time. The question is, if all KVMs are updated and no one has access to the GUI / ssh of the proxmox host, do I understand correctly that the risk to the HOST server is very limited, as none of the guests will be able to use the vulnerability?
We just published new kernels for Proxmox VE 4.x and 5.x, addressing Meltdown and Spectre in the kernel.
Please upgrade your Proxmox VE hosts via "apt update && apt dist-upgrade".
Proxmox VE 5.x: pve-kernel (4.13.13-34)
-- Proxmox Support Team <support@proxmox.com> Sun, 7 Jan 2018 13:19:58 +0100
- cherry-pick / backport of KPTI / Meltdown fixes (from Ubuntu-4.13.0-23.25)
- add Google Spectre PoC fix for KVM
- fix objtool build regression
Proxmox VE 4.x: pve-kernel (4.4.98-102)
-- Proxmox Support Team <support@proxmox.com> Sun, 7 Jan 2018 13:15:19 +0100
- cherry-pick / backport of KPTI / Meltdown fix (based on Ubuntu-4.4.0-107.130)
- add Google Spectre PoC fix for KVM
__________________
Best regards,
Martin Maurer
Proxmox VE project leader
Which host CPU, Intel, ARM or AMD?
Warning: the first kit (PoC) for Spectre 2 is out. It is said to run on one KVM and be able to read the memory of another KVM on the same host.
For me unfortunately not
Can anyone suggest what I am doing wrong?
Dell PowerEdge M630
# dmidecode | grep 630
Product Name: PowerEdge M630
SKU Number: SKU=NotProvided;ModelName=PowerEdge M630
At the same time, the same model with kernel 102 does not have such problems:
# dmidecode | grep 630
Product Name: PowerEdge M630
SKU Number: SKU=NotProvided;ModelName=PowerEdge M630
# uname -a
Linux proxmox18 4.4.98-3-pve #1 SMP PVE 4.4.98-102 (Sun, 7 Jan 2018 13:15:19 +0100) x86_64 GNU/Linux
# dmesg | grep "User page tables isolation"
[ 0.000000] Kernel/User page tables isolation: enabled