Meltdown and Spectre Linux Kernel fixes

Hi,

Here is a newbie question.
Are Proxmox updates self-sufficient to protect against Meltdown and Spectre, or is it necessary to install the Intel microcode from the Debian repository?
 

fabian

Proxmox Staff Member
PVE updates are enough to fix Meltdown. the Spectre fixes / mitigations are still in preparation, the first round will likely only support CPUs with updated microcodes, a later iteration will then have the fallback for all CPUs. check the changelogs once they are available.
 

speedbird

Member
Installed the updates from pve-enterprise with active subscription but there's no checkbox for PCID anywhere to be seen. What did I do wrong?
 

stef1777

Member
Hi!

Compatibility and stability problems with mitigation codes continue and rise.

Spectre and Meltdown patches causing trouble as realistic attacks get closer
https://arstechnica.com/gadgets/201...sing-trouble-as-realistic-attacks-get-closer/

Meltdown/Spectre fixes made AWS CPUs cry, says SolarWinds
https://www.theregister.co.uk/2018/01/15/solarwinds_aws_meltdown_fix_analysis/

Meltdown-Spectre: More businesses warned off patching over stability issues
http://www.zdnet.com/article/meltdo...es-warned-off-patching-over-stability-issues/
 

fabian

Proxmox Staff Member
there are new kernel versions for both 4.4 and 5.1 available:

pve-kernel (4.13.13-36) unstable; urgency=medium

  * cherry-pick (partial) SPECTRE fixes for CPUs supporting IBRS/IBPB
  * follow-up fixes for KPTI

pve-kernel (4.4.98-104) unstable; urgency=medium

  * cherry-pick (partial) SPECTRE fixes for CPUs supporting IBRS/IBPB
  * follow-up fixes for KPTI

most of the SPECTRE fixes require having a compatible CPU microcode update enabling IBRS/IBPB support.

updated pve-qemu-kvm packages which allow passing the spec-ctrl CPU flag to guest VMs are also available in pve-no-subscription (this only works for VMs with CPU type 'host' at the moment, updated qemu-server and pve-manager packages which allow setting this CPU flag for other CPU types are in the works).
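
A way to check, on the host and inside a guest, whether the CPU flags discussed in this thread are visible (an added example, not part of the original posts and not Proxmox tooling). The flag names passed to has_any are assumptions about what the running kernel prints in /proc/cpuinfo, which differs between kernel versions; the sample input is constructed.

```shell
#!/bin/sh
# Added example: report KPTI, PCID and IBRS/IBPB visibility from cpuinfo text.

# Print the first "flags" line from stdin as a single-space separated list.
flags_line() {
    awk '/^flags[ \t]*:/ { sub(/^[^:]*:/, ""); $1 = $1; print; exit }'
}

# has_any "FLAGS" NAME...: print yes if any NAME is a whole word in FLAGS.
# Whole-word matching matters: "invpcid" must not count as "pcid".
has_any() {
    list=$1; shift
    for name in "$@"; do
        case " $list " in *" $name "*) echo yes; return 0 ;; esac
    done
    echo no
}

# Read cpuinfo text on stdin and print one summary line.
# Assumed names: "pti" or "kaiser" for KPTI; "spec_ctrl", "ibrs" or "ibpb"
# for the microcode-provided Spectre controls (varies by kernel version).
mitigation_report() {
    flags=$(flags_line)
    printf 'kpti=%s pcid=%s spec_ctrl=%s\n' \
        "$(has_any "$flags" pti kaiser)" \
        "$(has_any "$flags" pcid)" \
        "$(has_any "$flags" spec_ctrl ibrs ibpb)"
}

# Constructed sample (not captured from a real machine): a guest whose
# vCPU model exposes neither pcid nor the spec-ctrl flag.
sample_guest_cpuinfo() {
    printf 'processor\t: 0\nflags\t\t: fpu vme pse invpcid pti\n'
}

printf 'constructed guest sample: '
sample_guest_cpuinfo | mitigation_report
if [ -r /proc/cpuinfo ]; then
    printf 'this machine: '
    mitigation_report < /proc/cpuinfo
fi
```

Comparing the line printed on the host with the one printed inside a VM shows whether the guest's CPU type actually passes the flags through.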
 

fabian

Proxmox Staff Member
> I didn't read here Windows, so PCID has only effect with linux vm's?

you'd have to ask Microsoft to know how they implemented their Meltdown mitigation, and whether they use PCID to limit the performance impact.
 

bladux

New Member
Hi,

Any idea of when the patched kernels will leave pvetest? Kinda worried to switch to pvetest on production servers...
 

fabian

Proxmox Staff Member
> Hi,
>
> Any idea of when the patched kernels will leave pvetest? Kinda worried to switch to pvetest on production servers...

the latest round of kernel updates is available up to pve-no-subscription, the Meltdown / KPTI kernels have been in pve-enterprise for a while already.
 

bladux

New Member
I'm on pve-enterprise, I see the pve-manager and qemu-server upgrades.

I must have missed something but is it worth installing without installing a patched kernel? (If new kernels leave the pvetest/pve-no-subscription zone to a stable one soon, then I probably should wait and install all at once).
 

fabian

Proxmox Staff Member
> I'm on pve-enterprise, I see the pve-manager and qemu-server upgrades.
>
> I must have missed something but is it worth installing without installing a patched kernel? (If new kernels leave the pvetest/pve-no-subscription zone to a stable one soon, then I probably should wait and install all at once).

there have been two rounds of pve-manager and qemu-server packages, so yes - the ones in pve-enterprise match the kernel and pve-qemu in pve-enterprise, the later ones match later updates. we always move packages such that they match (e.g., a pve-manager package exposing a new feature should never be available without the backend package that provides the feature).
 

scaa

Active Member
[Attached image: load.png]

Host:
4.13.13-3-pve #1 SMP PVE 4.13.13-34 (Sun, 7 Jan 2018 13:19:58 +0100) x86_64 GNU/Linux
1x Intel Xeon E3-1240v6
Supermicro X11SSL-F
16GB ECC DDR-4
Adaptec 8405 RAID Controller
2x Samsung SM863 SSD with Raid-1

only one VM:
3.16.0-5-amd64 #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) x86_64 GNU/Linux
KVM, Debian 8

After that we installed the old kernel again...
3.16.0-4-amd64 #1 SMP Debian 3.16.51-3 (2017-12-13) x86_64 GNU/Linux
 