Meltdown and Spectre Linux Kernel fixes

Discussion in 'Proxmox VE: Installation and configuration' started by martin, Jan 7, 2018.

  1. U.Muz

    U.Muz New Member
    Proxmox Subscriber

    Joined:
    Jan 18, 2018
    Messages:
    3
    Likes Received:
    0
    Hi Sebastian, thanks for your reply! Actually I have only one VM running. This has KVM64 as CPU (default) configuration. PCID is not set. The VM hosts a UCS system which has already updated their part of Linux against Meltdown.
     
  2. sommarnatt

    sommarnatt New Member

    Joined:
    Mar 20, 2014
    Messages:
    22
    Likes Received:
    0
    If the kernel for your UCS system has backported PCID support, then it might have less of a performance impact with PCID on in proxmox.

     
  3. scaa

    scaa Member
    Proxmox Subscriber

    Joined:
    Nov 20, 2015
    Messages:
    106
    Likes Received:
    2
    what do I have to do to adjust this?
     
  4. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,199
    Likes Received:
    496
  5. scaa

    scaa Member
    Proxmox Subscriber

    Joined:
    Nov 20, 2015
    Messages:
    106
    Likes Received:
    2
    If the host supports PCID, then the VM must be set like this?

    vm.png
     
  6. aderumier

    aderumier Member

    Joined:
    May 14, 2013
    Messages:
    203
    Likes Received:
    18
    yes.
    And you need a recent kernel in your VM too (>=4.14) to have the benefit of PCID.
     
  7. scaa

    scaa Member
    Proxmox Subscriber

    Joined:
    Nov 20, 2015
    Messages:
    106
    Likes Received:
    2
    OK, but with Debian Jessie the kernel is
    3.16.0-5-amd64 #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) x86_64 GNU/Linux

    What is the best solution here?
    CPU-Type = Standard (KVM64) or "host"?
     
  8. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,199
    Likes Received:
    496
    or one which has the backport, which should be all or most of the Linux distro kernels which were updated to support KPTI/KAISER.
     
  9. scaa

    scaa Member
    Proxmox Subscriber

    Joined:
    Nov 20, 2015
    Messages:
    106
    Likes Received:
    2
    and guests with Standard Debian Stretch?
    4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux

    Set CPU-type to "host" or "kvm64"?
     
  10. Sebastian2000

    Sebastian2000 Member

    Joined:
    Oct 31, 2017
    Messages:
    80
    Likes Received:
    1
    How can we know it? Does the last CentOS 7 kernel have it?
     
  11. Sich

    Sich New Member

    Joined:
    Jan 8, 2018
    Messages:
    6
    Likes Received:
    0
    You can check your server with that: <edit> I can't post external links...</edit>
    It's called spectre-meltdown-checker on GitHub.

    At the moment with the last kernel on Proxmox 5 (4.13.13-5) we are protected against spectre variant 1 and meltdown...
    But spectre variant 2 is still open.
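An added check, written for this thread and not code from the thread or from Proxmox, that covers the two questions raised above: whether the `pcid` flag is actually visible to the guest kernel (the point of the "host" vs "kvm64" discussion) and what the running kernel itself reports for Meltdown and the two Spectre variants. It reads the kernel's sysfs vulnerability files, which exist on kernels that carry them (4.15 and the distro backports); on older kernels the entry is reported as unknown. The two paths can be overridden so the functions can be exercised on constructed input; the `has_cpu_flag`, `vuln_status` and `report` names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the guest kernel can see
# the pcid CPU flag, so KPTI can avoid full TLB flushes, and what the kernel
# says about Meltdown / Spectre in /sys/devices/system/cpu/vulnerabilities.
# Both paths can be overridden so the functions also run on constructed files.

# has_cpu_flag FLAG [CPUINFO]: exit 0 if FLAG is listed in the first "flags" line.
has_cpu_flag() {
    flag="$1"
    cpuinfo="${2:-/proc/cpuinfo}"
    [ -r "$cpuinfo" ] || return 1
    grep '^flags' "$cpuinfo" | head -n 1 | tr ' ' '\n' | grep -qx "$flag"
}

# vuln_status NAME [DIR]: print the kernel's status string for one sysfs entry,
# e.g. "Mitigation: PTI" or "Vulnerable"; kernels without the files yield "unknown".
vuln_status() {
    name="$1"
    dir="${2:-/sys/devices/system/cpu/vulnerabilities}"
    if [ -r "$dir/$name" ]; then
        cat "$dir/$name"
    else
        echo "unknown (no $dir/$name; kernel predates the sysfs vulnerability files)"
    fi
}

# report [CPUINFO] [DIR]: combined summary for this guest or host.
report() {
    cpuinfo="${1:-/proc/cpuinfo}"
    dir="${2:-/sys/devices/system/cpu/vulnerabilities}"
    if has_cpu_flag pcid "$cpuinfo"; then
        echo "pcid: present -> KPTI can use PCID (guest kernel >= 4.14 or a backport needed to benefit)"
    else
        echo "pcid: absent -> the VM CPU type does not pass pcid through, or the host lacks it"
    fi
    for v in meltdown spectre_v1 spectre_v2; do
        echo "$v: $(vuln_status "$v" "$dir")"
    done
}

# Run against the live system when executed directly.
report
```

Run it once on the host and once inside each VM: a guest that shows `pcid: absent` while the host shows it present is running a CPU model that hides the flag, and a guest whose kernel reports `unknown` for all three entries predates the sysfs files and needs the distro's backported kernel before its mitigation state can be read this way.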
     


  12. tom

    tom Proxmox Staff Member
    Staff Member

    Joined:
    Aug 29, 2006
    Messages:
    13,460
    Likes Received:
    393
    You forgot to install BIOS updates on your mainboard and/or install the latest Intel microcode updates (get them from https://packages.debian.org/buster/intel-microcode)
     
  13. Sich

    Sich New Member

    Joined:
    Jan 8, 2018
    Messages:
    6
    Likes Received:
    0
    Thx, I have this package, I will make some tests to see if I can install it on my production server.
    Is this probably useless on a VM?

    Is there any problem installing this package? I rent my server from OVH.
     
    #153 Sich, Jan 20, 2018
    Last edited: Jan 20, 2018
  14. pakradm

    pakradm New Member

    Joined:
    Oct 24, 2016
    Messages:
    13
    Likes Received:
    0
    QEMU said in their site that "Meltdown flaw does not allow a malicious guest to read the contents of hypervisor memory".
    If I don't use LXC containers, can I disable KPTI to improve performance?

    Ref: qemu.org/2018/01/04/spectre/
     
  15. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,199
    Likes Received:
    496
    not a good idea, because every other HOST user space code that might get exploited by an attacker or run by an otherwise unprivileged user can still dump the whole memory without KPTI.
     
  16. pakradm

    pakradm New Member

    Joined:
    Oct 24, 2016
    Messages:
    13
    Likes Received:
    0
    Dear Fabian,

    Can you explain more? Because I don't use the Proxmox server for anything other than virtualization, and nobody (except me) can log in to the server.
    And another question: can privileged LXC containers also dump the whole Proxmox server memory?

    Thanks
     
  17. speedbird

    speedbird Member
    Proxmox Subscriber

    Joined:
    Nov 3, 2017
    Messages:
    45
    Likes Received:
    4
    First... It is never advisable to leave known security issues unaddressed. Although physically you might be the only one having access, not fixing those issues will leave an open door to malicious software you might install knowingly or unknowingly from bad sources. So not securing the server might still be a bad idea. Unless your Proxmox isn't even connected to the internet in some way, but I doubt that.

    Second... Well, my understanding is that for LXC containers it is even more problematic not to fix the problem, as they share the host's kernel afaik. So if the host is vulnerable to Meltdown and Spectre attacks, so will be your LXC containers. Due to the nature of sharing the same kernel with the host, LXC containers are all but isolated.
     
  18. Mecanik

    Mecanik Member

    Joined:
    Mar 2, 2017
    Messages:
    75
    Likes Received:
    2
    So basically I applied the latest kernel updates for Proxmox 4.4 on 2 nodes, and it was a complete mess....

    Having only Windows KVM instances, I have tried only "host" without PCID, and have also tried "kvm64" with PCID; it was of no use.

    Some machines running Windows Server 2012 R2 either fail to run and give a BSOD, or they start and disconnect/crash all the time.

    If anyone has some suggestions or advice, I would appreciate it.
     
  19. Alwin

    Alwin Proxmox Staff Member
    Staff Member

    Joined:
    Aug 1, 2017
    Messages:
    2,163
    Likes Received:
    191
    Are your windows machines up-to-date? Maybe you are missing a patch?
    https://support.microsoft.com/en-us...your-windows-devices-against-spectre-meltdown
     
  20. Erk

    Erk Member

    Joined:
    Dec 11, 2009
    Messages:
    147
    Likes Received:
    3