Meltdown and Spectre Linux Kernel fixes

Jan 18, 2018
Have you also updated your VM kernels, or only your HOST kernel? If your VM has the "host" CPU configuration there is no need to pass this option; it is only needed if you have another CPU type configured.
Hi Sebastian, thanks for your reply! Actually I have only one VM running. This has KVM64 as CPU (default) configuration. PCID is not set. The VM hosts a UCS system which has already updated their part of Linux against Meltdown.
 

sommarnatt

If the kernel for your UCS system has backported PCID support, then it might have less of a performance impact with PCID on in proxmox.

 
OK, but with Debian Jessie the kernel is
3.16.0-5-amd64 #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) x86_64 GNU/Linux

what is here the best solution?
CPU-Type = Standard(KVM64) or "host"
 

fabian

Proxmox Staff Member
yes.
And you need a recent kernel in your vm too (>=4.14), to have the benefit of PCID
or one which has the backport, which should be all or most of the Linux distro kernels which were updated to support KPTI/KAISER.
 
and guests with Standard Debian Stretch?
4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux

Set CPU-type to "host" or "kvm64"?
 

Sich

You can check your server with that: <edit> I can't post external link...</edit>
It's called spectre-meltdown-checker on github..

At the moment with the last kernel on Proxmox 5 (4.13.13-5) we are protected against spectre variant 1 and meltdown...
But spectre variant 2 is still open.
 


tom

Proxmox Staff Member
You missed installing BIOS updates for your mainboard and/or installing the latest Intel microcode updates (get them from https://packages.debian.org/buster/intel-microcode).
 
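A way to get the same information the checker script reports without fetching anything from GitHub, as an added example that is not part of this thread or of any Proxmox tool: the POSIX shell functions below read the kernel's own mitigation status files (assumed to exist under /sys/devices/system/cpu/vulnerabilities, which 4.15 and the distro backport kernels expose), test whether the pcid CPU flag is visible in /proc/cpuinfo, and inspect a Proxmox VM config for a cpu line that lets the guest see PCID (assumed config syntax: `cpu: host` or `cpu: kvm64,flags=+pcid`). The sample files it builds are constructed for the demonstration; pass --live to read the real paths on a node or inside a guest.

```shell
#!/bin/sh
# Added example, not from the thread: report the kernel's view of the
# Meltdown/Spectre mitigations and whether PCID is available to a guest.

# Print "<name>: OK|OPEN (<status>)" for each file in the sysfs directory $1.
# Returns 0 when every entry is mitigated or not affected, 1 otherwise.
report_mitigations() {
    vuln_dir="$1"
    rc=0
    for f in "$vuln_dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            Mitigation:*|"Not affected")
                printf '%s: OK (%s)\n' "$name" "$status" ;;
            *)
                # "Vulnerable: ..." or anything unexpected counts as open.
                printf '%s: OPEN (%s)\n' "$name" "$status"
                rc=1 ;;
        esac
    done
    return $rc
}

# Return 0 if the pcid flag appears in the cpuinfo file $1 (the guest only
# benefits from PCID when the flag is actually exposed to it).
has_pcid() {
    grep -qw pcid "$1"
}

# Return 0 if the Proxmox VM config $1 passes PCID to the guest: either the
# "host" model (all physical flags) or an explicit flags=+pcid (assumed syntax).
vm_cpu_gives_pcid() {
    grep -Eq '^cpu: *(host|.*flags=.*\+pcid)' "$1"
}

# Build constructed sample input so the functions can be exercised offline.
# Prints the temporary directory that holds the samples.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/vuln"
    echo "Mitigation: PTI" > "$d/vuln/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$d/vuln/spectre_v1"
    echo "Vulnerable: Minimal generic ASM retpoline" > "$d/vuln/spectre_v2"
    printf 'flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 syscall nx lm pcid\n' > "$d/cpuinfo"
    printf 'cores: 2\ncpu: kvm64,flags=+pcid\nmemory: 2048\n' > "$d/vm-pcid.conf"
    printf 'cores: 2\ncpu: kvm64\nmemory: 2048\n' > "$d/vm-plain.conf"
    echo "$d"
}

if [ "${1:-}" = "--live" ]; then
    report_mitigations /sys/devices/system/cpu/vulnerabilities
    if has_pcid /proc/cpuinfo; then
        echo "pcid: visible"
    else
        echo "pcid: not visible (check the VM's CPU type)"
    fi
fi
```

On the constructed sample, meltdown and spectre_v1 print as OK while spectre_v2 prints as OPEN, which matches the state the post above describes for the 4.13.13-5 kernel; the function's exit status tells a cron job or monitoring check whether anything is still open.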

Sich

Thx, I have this package, I will make some tests to see if I can install this on my production server.
This is probably useless on a VM?

Is there any problem with installing this package? I lease my server from OVH.
 

pakradm

QEMU said on their site that "Meltdown flaw does not allow a malicious guest to read the contents of hypervisor memory".
If I don't use LXC containers, can I disable KPTI to improve performance?

Ref: qemu.org/2018/01/04/spectre/
 

fabian

Proxmox Staff Member
not a good idea, because every other HOST user space code that might get exploited by an attacker or run by an otherwise unprivileged user can still dump the whole memory without KPTI.
 

pakradm

Dear Fabian,

Can you explain this to me in more detail? I don't use the Proxmox server for anything other than virtualization, and nobody (except me) can log in to the server.
Another question: can privileged LXC containers also dump the whole Proxmox server memory?

Thanks
 
First... It is never advisable to leave known security issues unaddressed. Although physically you might be the only one having access, not fixing those issues will leave an open door to malicious software you might install knowingly or unknowingly from bad sources. So not securing the server might still be a bad idea, unless your Proxmox isn't even connected to the internet in some way, but I doubt that.

Second... Well, my understanding is that for LXC containers it is even more problematic not to fix the problem, as they share the host's kernel afaik. So if the host is vulnerable to Meltdown and Spectre attacks, so will be your LXC containers. Due to the nature of sharing the same kernel with the host, LXC containers are all but isolated.
 

Mecanik

So basically I applied the latest kernel updates for Proxmox 4.4 on 2 nodes, and it was a complete mess....

Having only Windows KVM instances, I have tried only "host" without PCID, and have also tried "kvm64" with PCID; it was of no use.

Some machines running Windows Server 2012 R2 either fail to run and give a BSOD, or they start and then disconnect/crash all the time.

If anyone has some suggestions or advice, I would appreciate it.
 

Alwin

Proxmox Staff Member
Are your windows machines up-to-date? Maybe you are missing a patch?
https://support.microsoft.com/en-us/help/4073757/protect-your-windows-devices-against-spectre-meltdown
 
