Hi,
I don't know what to do right now about these fixes. A little bit afraid of performance matters after upgrading...
The situation is still not clear... In our case, we will just update the guest kernel for now, which does not seem to have a performance impact but does not solve all Spectre variants. I will not update the HOST for now, waiting to see what we really have to do or what is the best we can do to lower the performance impact and increase security.
You really need to install the host kernel with KPTI if your CPU is affected - otherwise any unprivileged user / process on your host can dump the whole physical memory and become root. There are no ifs and buts here. If your CPU has PCID, the performance impact should not be too big. If your CPU does not support PCID yet, it is time to get newer HW and take the performance hit until you have it.
You have Intel to thank for that mess in particular and I am all for blaming them - but it is still you who has to take action to mitigate it, and you really should do it now.
Hello Fabian,
Also, if the GUEST has its kernel updated, is the HOST still so vulnerable? I hesitate to update the HOST yet because, for now, only 1 of 3 variants seems to be solved on it.
About PCID, are you really sure that it is better to enable it? Online seems to prove that's not the case.
Thanks for your help.
There's a spectre variant 1 PoC around that lets you read the RAM of the host from a KVM guest. You should at least grab the latest PVE kernel with the fix for that PoC.
Also, there's microcode available already from intel for spectre, but we still need to wait for the kernel updates as well before it makes any sense.
There's a GitHub repo with Spectre/Meltdown info and a script to check if you're vulnerable here. You might wanna read through the source like I did before running it:
https://github.com/speed47/spectre-meltdown-checker
I don't know where you've read that PCID doesn't really help. Any links to that "proof"?
Here's a pretty good write-up of PCID and Meltdown:
http://archive.is/ma8Iw
Hello Fabian
About PCID, are you really sure that it is better to enable it? Online seems to prove that's not the case.
This makes a difference. In a synthetic benchmark that tests only the cost of switching into the kernel and back again, an unpatched Linux system can switch about 5.2 million times a second. Dual page tables slashes that to 2.2 million a second; dual page tables with PCID gets it back up to 3 million.
About PCID, is it the same as PTI? Or is it a confusion I have made? About PTI, online.net seems to have put up a graph: https://blog.online.net/2018/01/03/...e-security-flaw-impacting-arm-intel-hardware/
Warning: problems with Meltdown-patched BIOS on some Dell servers (instabilities).
I have no more details.
Concerns Haswell and Broadwell processors (all brands of servers).
./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.29
Checking for vulnerabilities against running kernel Linux 4.4.98-3-pve #1 SMP PVE 4.4.98-103 (Mon, 8 Jan 2018 10:15:44 +0100) x86_64
CPU is Intel(R) Xeon(R) CPU E3-1275 v5 @ 3.60GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 35 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
./spectre-meltdown-checker.sh
Spectre and Meltdown mitigation detection tool v0.29
Checking for vulnerabilities against running kernel Linux 2.6.32-696.18.7.el6.x86_64 #1 SMP Thu Jan 4 17:31:22 UTC 2018 x86_64
CPU is Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: YES
> STATUS: NOT VULNERABLE (84 opcodes found, which is >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: YES
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
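As an added example that is not part of this thread or of the spectre-meltdown-checker project: a small Python script that parses the v0.29 report format quoted above into a per-CVE summary (so the same check can be run over many hosts' reports), and, on the PCID point raised earlier in the thread, checks whether a /proc/cpuinfo flags line advertises pcid/invpcid. The report text embedded below is the first report posted above; the two cpuinfo samples are constructed, and the guest sample's missing pcid flag is an illustrative assumption, not a statement about any particular CPU type.

```python
"""Summarise spectre-meltdown-checker output and CPU PCID support.

Added example, not code from the forum thread or the checker project.
It parses the plain-text report format shown in the thread (tool v0.29)
and checks whether a /proc/cpuinfo 'flags' line lists pcid, which lowers
the PTI cost the thread discusses. Sample inputs are constructed.
"""
import re

# Constructed from the first report posted in the thread (PVE 4.4.98 host).
REPORT_PVE = """\
Spectre and Meltdown mitigation detection tool v0.29
Checking for vulnerabilities against running kernel Linux 4.4.98-3-pve #1 SMP PVE 4.4.98-103 (Mon, 8 Jan 2018 10:15:44 +0100) x86_64
CPU is Intel(R) Xeon(R) CPU E3-1275 v5 @ 3.60GHz
CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
* Checking count of LFENCE opcodes in kernel: NO
> STATUS: VULNERABLE (only 35 opcodes found, should be >= 70, heuristic to be improved when official patches become available)
CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: NO
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpoline option: NO
* Kernel compiled with a retpoline-aware compiler: NO
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
CVE-2017-5754 [rogue data cache load] aka 'Meltdown' aka 'Variant 3'
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
> STATUS: NOT VULNERABLE (PTI mitigates the vulnerability)
A false sense of security is worse than no security at all, see --disclaimer
"""

# Constructed /proc/cpuinfo fragments (flags lists shortened; illustrative only).
CPUINFO_HOST = """\
model name\t: Intel(R) Xeon(R) CPU E3-1275 v5 @ 3.60GHz
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep pge cmov pat clflush mmx fxsr sse sse2 ht syscall nx lm pcid invpcid
"""
# Assumption: a guest whose virtual CPU model does not pass pcid through.
CPUINFO_GUEST = """\
model name\t: QEMU Virtual CPU (constructed sample)
flags\t\t: fpu de pse tsc msr pae mce cx8 apic sep pge cmov pat clflush mmx fxsr sse sse2 syscall nx lm
"""

CVE_RE = re.compile(r"^(CVE-\d{4}-\d+) \[([^\]]+)\]")
CHECK_RE = re.compile(r"^\* (.+?): (YES|NO)$")
STATUS_RE = re.compile(r"^> STATUS: (NOT VULNERABLE|VULNERABLE)(?: \((.*)\))?$")


def parse_checker_output(text):
    """Map each CVE section of a checker report to its checks and final status."""
    results = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()  # real reports indent the '*' and '>' lines
        m = CVE_RE.match(line)
        if m:
            current = m.group(1)
            results[current] = {"name": m.group(2), "vulnerable": None,
                                "reason": "", "checks": {}}
            continue
        if current is None:
            continue  # header lines before the first CVE section
        m = CHECK_RE.match(line)
        if m:
            results[current]["checks"][m.group(1)] = (m.group(2) == "YES")
            continue
        m = STATUS_RE.match(line)
        if m:
            results[current]["vulnerable"] = (m.group(1) == "VULNERABLE")
            results[current]["reason"] = m.group(2) or ""
    return results


def vulnerable_cves(results):
    """CVE ids the report marked VULNERABLE, in stable order."""
    return sorted(cve for cve, r in results.items() if r["vulnerable"])


def cpu_has_pcid(cpuinfo_text):
    """Read the first 'flags' line of /proc/cpuinfo-style text for pcid/invpcid."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            flags = set(value.split())
            return {"pcid": "pcid" in flags, "invpcid": "invpcid" in flags}
    return {"pcid": False, "invpcid": False}


def assess(report_text, cpuinfo_text):
    """Combine both checks into the findings a host owner should act on."""
    results = parse_checker_output(report_text)
    findings = ["%s (%s): VULNERABLE - %s" % (cve, results[cve]["name"], results[cve]["reason"])
                for cve in vulnerable_cves(results)]
    pti_active = results.get("CVE-2017-5754", {}).get("checks", {}).get("PTI enabled and active", False)
    if pti_active and not cpu_has_pcid(cpuinfo_text)["pcid"]:
        findings.append("PTI is active but the CPU does not expose PCID: "
                        "expect the full page-table switch cost on every kernel entry")
    return findings


if __name__ == "__main__":
    for label, cpuinfo in (("host", CPUINFO_HOST), ("guest", CPUINFO_GUEST)):
        print("== %s ==" % label)
        for finding in assess(REPORT_PVE, cpuinfo):
            print(" -", finding)
```

Run it as-is to see the findings for the constructed host and guest; on a real machine, feed it the checker's saved output and the contents of /proc/cpuinfo instead of the embedded samples. The parser keys on the report's own `CVE-…`, `* …: YES/NO` and `> STATUS:` lines, so it tolerates the indentation the real tool prints.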
Our focus has now shifted to the mitigation of CVE-2017-5753 and CVE-2017-5715 (aka Spectre / Variants 1 & 2). Microcode has been released for Intel processors (see USN-3531-1). Kernel updates will begin with releasing v4.13 for Artful 17.10 on Monday, January 15, 2018, with 16.04 to follow shortly.
This is a question:
Is this the correct way to update a non-subscription server to protect against the vulns:
1) Enable the test repo by adding the following line to /etc/apt/source.list
deb http://download.proxmox.com/debian/pve stretch pvetest
2) Issue the following commands on the console:
apt update
apt dist-upgrade
3) Reboot the server
Could you confirm that all the baggage that comes in the test repo is also safe to install?
////////////////////////
The following NEW packages will be installed:
pve-kernel-4.13.13-4-pve pve-xtermjs
The following packages will be upgraded:
libnvpair1linux libpve-common-perl libpve-guest-common-perl libpve-http-server-perl libpve-storage-perl libuutil1linux libzfs2linux
libzpool2linux lxc-pve lxcfs proxmox-ve pve-cluster pve-container pve-docs pve-firewall pve-ha-manager pve-kernel-4.13.4-1-pve
pve-manager pve-qemu-kvm qemu-server spiceterm spl vncterm zfs-initramfs zfsutils-linux
25 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 120 MB of archives.
//////////////////////
Hi everyone,
Can you explain why PCID has to be checked for all CPU types other than 'host'?
Is it true that if we upgrade the BIOS and Intel microcode, PTI is not needed?
Thanks in advance!
Thanks, it seems that the Dell BIOS update is quite unstable for now.
And the Stretch Intel microcode update is not available; what we have is an old version from May 2017...