Meltdown and Spectre Linux Kernel fixes

Discussion in 'Proxmox VE: Installation and configuration' started by martin, Jan 7, 2018.

  1. Sebastian2000

    Sebastian2000 Member

    Joined:
    Oct 31, 2017
    Messages:
    80
    Likes Received:
    1
    Ufff, so finally better not patching the proxmox kernel????
     
  2. scaa

    scaa Member
    Proxmox Subscriber

    Joined:
    Nov 20, 2015
    Messages:
    106
    Likes Received:
    2
    the Proxmox kernel is still patched. Only the VM has against the old kernel
     
  3. Sebastian2000

    Sebastian2000 Member

    Joined:
    Oct 31, 2017
    Messages:
    80
    Likes Received:
    1
    Hope that next week I will be able to test the new proxmox kernel with the new VM kernel also...
     
  4. Sebastian2000

    Sebastian2000 Member

    Joined:
    Oct 31, 2017
    Messages:
    80
    Likes Received:
    1
    All our VMs are centos7/cloudlinux7 in our case.
     
  5. nttec

    nttec Member

    Joined:
    Jun 1, 2016
    Messages:
    38
    Likes Received:
    0
    I tried to upgrade with this

    Code:
    apt update && apt dist-upgrade
    and ended up with this result

    Code:
    Ign:1 http://ftp.us.debian.org/debian stretch InRelease
    Hit:2 http://ftp.us.debian.org/debian stretch Release
    Ign:4 https://enterprise.proxmox.com/debian/pve stretch InRelease
    Err:5 https://enterprise.proxmox.com/debian/pve stretch Release
      401  Unauthorized
    Hit:6 http://security.debian.org stretch/updates InRelease
    Reading package lists... Done
    E: The repository 'https://enterprise.proxmox.com/debian/pve stretch Release' does not have a Release file.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.

    Is there something that I am doing wrong with this?

    My current version is
    Code:
    Linux prox01 4.10.15-1-pve #1 SMP PVE 4.10.15-15
     
  6. aderumier

    aderumier Member

    Joined:
    May 14, 2013
    Messages:
    203
    Likes Received:
    18
    https://pve.proxmox.com/wiki/Package_Repositories#_proxmox_ve_no_subscription_repository
     
  7. nttec

    nttec Member

    Joined:
    Jun 1, 2016
    Messages:
    38
    Likes Received:
    0
    Is it possible to do an upgrade from stretch to jessie or wheezy?

    Code:
    Err:3 http://download.proxmox.com/debian/pve jessie InRelease
      The following signatures couldn't be verified because the public key is not available: NO_PUBKEY C23AC7F49887F95A
    Reading package lists... Done
    W: GPG error: http://download.proxmox.com/debian/pve jessie InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY C23AC7F49887F95A
    E: The repository 'http://download.proxmox.com/debian/pve jessie InRelease' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.

     
  8. udo

    udo Well-Known Member
    Proxmox Subscriber

    Joined:
    Apr 22, 2009
    Messages:
    5,845
    Likes Received:
    159
    Hi,
    From stretch to jessie would be a downgrade and not an update - and no, it's not really possible (except if you know very, very well what you are doing). In this case use a new installation!

    But this looks more like you use "http://download.proxmox.com/debian/pve jessie" instead of "http://download.proxmox.com/debian/pve stretch", or which pveversion do you have?!

    Udo
     
  9. nttec

    nttec Member

    Joined:
    Jun 1, 2016
    Messages:
    38
    Likes Received:
    0
    Just trying things on this, I am still new to proxmox and wanted to learn more about it. Thx for the input.
     
  10. tom

    tom Proxmox Staff Member
    Staff Member

    Joined:
    Aug 29, 2006
    Messages:
    13,642
    Likes Received:
    420
    Please do not add unrelated questions, instead open a new thread for new questions.
     
  11. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,390
    Likes Received:
    523
    Did you pass the PCID flag to your VM? Otherwise, a big performance loss / load increase is expected..
     
  12. Sebastian2000

    Sebastian2000 Member

    Joined:
    Oct 31, 2017
    Messages:
    80
    Likes Received:
    1
    Fabian, isn't PCID only there since the 4.14 kernel?
     
  13. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,390
    Likes Received:
    523
    I sure hope that most distros followed the upstream stable maintainers and backported PCID support along with KPTI.. Debian did for 3.16 in Jessie and 4.9 in Stretch..
     
  14. stef1777

    stef1777 Member

    Joined:
    Jan 31, 2010
    Messages:
    178
    Likes Received:
    8
  15. rkl

    rkl New Member

    Joined:
    Sep 21, 2014
    Messages:
    18
    Likes Received:
    2
    We have some fairly old Dell PowerEdge servers (just about in warranty) that haven't had BIOS updates in over a year, so I suspect they won't get a BIOS update for Meltdown/Spectre. I was wondering if adding the intel-microcode package from the non-free Debian repo would help (assuming that's the one that will get Meltdown/Spectre fixes in the near future - Intel released new microcode on 8th Jan, but intel-microcode is dated 20170707 at the moment).
     
  16. EuroDomenii

    EuroDomenii Member
    Proxmox Subscriber

    Joined:
    Sep 30, 2016
    Messages:
    102
    Likes Received:
    15
    You could manually install the latest package, according to https://forum.proxmox.com/threads/meltdown-and-spectre-for-newbie.39183/#post-194316

    Depending on cpu, it could work or not. I have tried on both Jessie and Stretch, but not production servers and without performance benchmarks.

    WORKING
    Code:
    # dpkg -l | grep intel-microcode
    ii  intel-microcode                        3.20180108.1                       amd64        Processor microcode firmware for Intel CPUs
    #dmesg | grep microcode
    [    0.000000] microcode: CPU0 microcode updated early to revision 0xc2, date = 2017-11-16
    # ./spectre-meltdown-checker.sh
    Spectre and Meltdown mitigation detection tool v0.29
    
    Checking for vulnerabilities against running kernel Linux 4.4.98-4-pve #1 SMP PVE 4.4.98-104 (Mon, 15 Jan 2018 09:34:49 +0100) x86_64
    CPU is Intel(R) Xeon(R) CPU E3-1275 v5 @ 3.60GHz
    
    ....
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation:  YES
    *   Kernel support for IBRS:  YES
    *   IBRS enabled for Kernel space:  YES
    *   IBRS enabled for User space:  NO
    * Mitigation 2
    *   Kernel compiled with retpoline option:  NO
    *   Kernel compiled with a retpoline-aware compiler:  NO
    > STATUS:  NOT VULNERABLE  (IBRS mitigates the vulnerability)
    ....
    
    NOT WORKING
    Code:
    # dmesg | grep microcode
    [    0.000000] microcode: microcode updated early to revision 0x1c, date = 2015-02-26
    # ./spectre-meltdown-checker.sh
    Spectre and Meltdown mitigation detection tool v0.31
    
    Checking for vulnerabilities against running kernel Linux 4.13.13-5-pve #1 SMP PVE 4.13.13-36 (Mon, 15 Jan 2018 12:36:49 +0100) x86_64
    CPU is Intel(R) Xeon(R) CPU E3-1220 V2 @ 3.10GHz
    
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation
    *     The SPEC_CTRL MSR is available:  NO
    *     The SPEC_CTRL CPUID feature bit is set:  NO
    *   Kernel support for IBRS:  YES
    *   IBRS enabled for Kernel space:  NO
    *   IBRS enabled for User space:  NO
    * Mitigation 2
    *   Kernel compiled with retpoline option:  NO
    *   Kernel compiled with a retpoline-aware compiler:  NO
    > STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
    
    NOT WORKING
    Code:
    # dpkg -l | grep microcode
    ii  intel-microcode                    3.20180108.1                         amd64        Processor microcode firmware for Intel CPUs
    # dmesg | grep microcode
    [    0.000000] microcode: CPU0 microcode updated early to revision 0x19, date = 2013-06-21
    # ./spectre-meltdown-checker.sh
    Spectre and Meltdown mitigation detection tool v0.29
    
    Checking for vulnerabilities against running kernel Linux 4.4.98-4-pve #1 SMP PVE 4.4.98-104 (Mon, 15 Jan 2018 09:34:49 +0100) x86_64
    CPU is Intel(R) Core(TM) i7 CPU 950 @ 3.07GHz
    ...
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    * Mitigation 1
    *   Hardware (CPU microcode) support for mitigation:  NO
    *   Kernel support for IBRS:  YES
    *   IBRS enabled for Kernel space:  NO
    *   IBRS enabled for User space:  NO
    * Mitigation 2
    *   Kernel compiled with retpoline option:  NO
    *   Kernel compiled with a retpoline-aware compiler:  NO
    > STATUS:  VULNERABLE  (IBRS hardware + kernel support OR kernel with retpoline are needed to mitigate the vulnerability)
    
    But, I repeat, those are not production servers, they have booted all right, I didn't notice obvious issues. But, everybody says they are unstable, and are waiting for retpoline mitigation.
     
  17. Sebastian2000

    Sebastian2000 Member

    Joined:
    Oct 31, 2017
    Messages:
    80
    Likes Received:
    1
    Actually, I think that I will patch my proxmox HOST with the last proxmox kernel and the same with each VM on centos7, but I will not install the dell bios or microcode for variant2... I know that there is still a security risk, but I can't give a bad performance service to our clients by solving variant2... it's not a solution in our case. The 2 solutions are bad (either performance or security risk), but bad performance means that all clients go to another provider...
     
  18. aderumier

    aderumier Member

    Joined:
    May 14, 2013
    Messages:
    203
    Likes Received:
    18
    I'm waiting for retpoline integration in the ubuntu kernel; it seems to be faster to fix variant2.
     
  19. U.Muz

    U.Muz New Member
    Proxmox Subscriber

    Joined:
    Jan 18, 2018
    Messages:
    3
    Likes Received:
    0
    Hi all,
    I understood that there is still a long way to go until we overcome this mess with Meltdown and Spectre, which obviously is not the fault of the Proxmox developers. My regards to all Proxmox staff members, I am sure you are doing the best to keep us as safe as possible. Keep up the great work!

    Well, I updated my Proxmox 4.x Host to the newest Kernel and updates available and actually was lucky to have no problem with that. Machine is fine and nothing negative to report. The Server has an Intel Xeon E3-1245, so I also got the Option to turn PCID on after the Update was done, but it is still off right now.

    My Question is: Do I have to turn it on to be protected against Meltdown? I have no loss of CPU Load after the Update, so I did not turn it on.
    Did I correctly understand that this would only (if) protect the VM running on the Host but not actually protect the Proxmox Host (Node) itself?
     
  20. Sebastian2000

    Sebastian2000 Member

    Joined:
    Oct 31, 2017
    Messages:
    80
    Likes Received:
    1
    Have you also updated your VM kernels, or only your HOST kernel? If your VMs have the "host" cpu configuration, there is no need to pass this option; it is only needed if you have another cpu type configured.
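fabian's question about passing the PCID flag to the VM (post 11) and the note just above that VMs with the "host" cpu type do not need it are the two cases this added shell example checks; it is not code from the thread or from Proxmox, and it assumes the VM's cpu setting is the "cpu:" value from /etc/pve/qemu-server/<vmid>.conf and that qemu-server accepts "flags=+pcid" appended to the cpu type.

```shell
#!/bin/sh
# Added example, not from the thread or from Proxmox: decide whether a
# Proxmox VM's "cpu:" setting already exposes PCID to the guest, and check
# from inside a guest whether the flag arrived. Assumptions: the "cpu:"
# value is taken from /etc/pve/qemu-server/<vmid>.conf, and qemu-server
# accepts "flags=+pcid" after the cpu type (e.g. "kvm64,flags=+pcid").

# Return 0 when the guest already sees PCID with this cpu setting:
# "host" passes every host flag through; an explicit "+pcid" flag does too.
cpu_setting_passes_pcid() {
    case "$1" in
        host|host,*|cputype=host|cputype=host,*) return 0 ;;
        *flags=*+pcid*) return 0 ;;
        *) return 1 ;;
    esac
}

# Given the "flags" line of /proc/cpuinfo (host or guest), return 0 when
# pcid is listed. Padding with spaces keeps "invpcid" from matching.
flags_have_pcid() {
    case " $1 " in
        *" pcid "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print either a confirmation or the qm command that adds the flag.
# The cpu type before the first comma is kept, so "kvm64" becomes
# "kvm64,flags=+pcid".
suggest_fix() {
    vmid=$1
    cpu=$2
    if cpu_setting_passes_pcid "$cpu"; then
        echo "VM $vmid: cpu '$cpu' already exposes pcid"
    else
        echo "qm set $vmid -cpu ${cpu%%,*},flags=+pcid"
    fi
}

# Demo on constructed values (not read from a real host or guest).
suggest_fix 100 "host"
suggest_fix 101 "kvm64"
if flags_have_pcid "fpu vme de pse pcid invpcid"; then
    echo "constructed guest flags: pcid present"
fi
```

Inside a guest, `grep -m1 '^flags' /proc/cpuinfo` gives the line to feed `flags_have_pcid`; on the host the VM's cpu setting comes from `qm config <vmid>`.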
     