Meltdown and Spectre Linux Kernel fixes

Discussion in 'Proxmox VE: Installation and configuration' started by martin, Jan 7, 2018.

  1. stef1777

    stef1777 Member

    Joined:
    Jan 31, 2010
    Messages:
    178
    Likes Received:
    8
    HP and Dell have removed their BIOS updates.
     
  2. Symbol

    Symbol Member
    Proxmox Subscriber

    Joined:
    Mar 1, 2017
    Messages:
    41
    Likes Received:
    3
    The Intel microcode update has been withdrawn because of bugs, so basically nobody can be reliably protected against Spectre today.
    In the meanwhile, Linus explained how its use was crappy, and Google is developing retpoline to mitigate Spectre instead of relying on new x86 instructions.
    So about Spectre, the situation is very confused for now...
     
  3. Mecanik

    Mecanik Member

    Joined:
    Mar 2, 2017
    Messages:
    75
    Likes Received:
    2
    I cannot say for sure, they should be up to date since they have Windows updates set to automatic. By all means, even if one VM was outdated, there is nothing you can do to fix it, I have tried everything. Only a full reinstall of the OS can fix it.
     
  4. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,194
    Likes Received:
    494
    some Intel microcode updates for some platforms/cpu models have been retracted.

    the current version of Spectre mitigation in our and Ubuntu's kernel is also more than just IBRS, which Linus ranted against - there is also IBPB, other barriers, explicit register clearing, RSB stuffing. moving to retpoline is not an option for PVE at the moment because there is no supported compiler yet. in the mid- to long-term, the PVE kernels will likely move to a combination of retpoline+microcode based mitigations. if upstream decides to go with an alternative to IBRS (which is currently still being discussed), we will likely follow. in the meantime, we can only do what is currently possible.
     
    chrone likes this.
  5. Sich

    Sich New Member

    Joined:
    Jan 8, 2018
    Messages:
    6
    Likes Received:
    0
    Can we actually deploy the intel-microcode package on Proxmox 5 without any issue?
    For the moment I haven't installed this one, but we need it for Spectre...
     
  6. tom

    tom Proxmox Staff Member
    Staff Member

    Joined:
    Aug 29, 2006
    Messages:
    13,447
    Likes Received:
    386
    I suggest you get in touch with your hardware vendor and ask for a BIOS update. So far a lot of hardware vendors are quite busy getting this fixed.
     
  7. Sich

    Sich New Member

    Joined:
    Jan 8, 2018
    Messages:
    6
    Likes Received:
    0
    Yeah but I rent my server with OVH, it's not "my" server.
     
  8. tom

    tom Proxmox Staff Member
    Staff Member

    Joined:
    Aug 29, 2006
    Messages:
    13,447
    Likes Received:
    386
    Asking OVH Support?
     
  9. Sich

    Sich New Member

    Joined:
    Jan 8, 2018
    Messages:
    6
    Likes Received:
    0
    Already done, but they seem busy at the moment because we don't have any answer about that...

    For the moment I "wait"...
     
  10. Kmgish

    Kmgish New Member
    Proxmox Subscriber

    Joined:
    May 31, 2015
    Messages:
    25
    Likes Received:
    1
    We had a pve 4.4/ceph Jewel to pve 5.1/ceph Luminous upgrade scheduled for this week. With all that's going on regarding Meltdown/Spectre is it safe to proceed with an upgrade?
     
  11. pakradm

    pakradm New Member

    Joined:
    Oct 24, 2016
    Messages:
    13
    Likes Received:
    0
    Dear Proxmox Staff Members,

    Can you verify speedbird's reply?
    Can privileged LXC containers dump the whole Proxmox server memory?

    Regards
     
  12. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,194
    Likes Received:
    494
    if a system is vulnerable to Meltdown, any user space process can dump the whole memory unless the kernel the process is running under has mitigations in place. this includes processes running in containers/namespaces, as they share a kernel with the host. KVM accelerated VMs are not vulnerable to Meltdown across the VM-hypervisor barrier, so you cannot dump the whole host memory from a process in a VM - Meltdown still affects the guest kernel though, so you can dump the whole guest memory from an unprivileged guest process in a VM.
     
  13. marotori

    marotori Member

    Joined:
    Jun 17, 2009
    Messages:
    161
    Likes Received:
    0

    Hello Martin

    I am wondering if there is any possibility of a fix for the kernel on version 3.4?

    I have around 20-odd 3.4 machines which are rather difficult to move across due to the number of OpenVZ containers!

    Rob
     
  14. Volodimir

    Volodimir New Member

    Joined:
    Jan 10, 2018
    Messages:
    8
    Likes Received:
    0
    Hello all, there is already a released script for checking Spectre and Meltdown vulnerabilities - see below
    https://github.com/speed47/spectre-meltdown-checker
    Current kernels 4.4.98-10x are patched only for CVE-2017-5754 (Meltdown)
    but not for
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    Can someone suggest when patches for CVE-2017-5753, CVE-2017-5715 will be in the Proxmox kernel?
     
    #174 Volodimir, Jan 30, 2018
    Last edited: Jan 30, 2018
  15. tom

    tom Proxmox Staff Member
    Staff Member

    Joined:
    Aug 29, 2006
    Messages:
    13,447
    Likes Received:
    386
    Looks like you do not run the latest kernel; the script shows here:

    Code:
    CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    * Checking count of LFENCE opcodes in kernel:  YES
    > STATUS:  NOT VULNERABLE  (117 opcodes found, which is >= 70, heuristic to be improved when official patches become available)
    Latest kernel:
    pve-kernel-4.4.98-5-pve: 4.4.98-105
     
  16. Volodimir

    Volodimir New Member

    Joined:
    Jan 10, 2018
    Messages:
    8
    Likes Received:
    0
    Yes, 105 is already patched against CVE-2017-5753 [bounds check bypass] aka 'Spectre Variant 1'
    and not patched for CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
    So can anyone suggest when the patch for CVE-2017-5715 is planned to be implemented?
     
  17. fabian

    fabian Proxmox Staff Member
    Staff Member

    Joined:
    Jan 7, 2016
    Messages:
    3,194
    Likes Received:
    494
    the current spectre_v2 mitigation in PVE kernel requires matching microcode updates (many of which have subsequently been retracted by Intel).
     
    chrone likes this.
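The two staff replies above (a container shares the host kernel, so its Meltdown exposure is the host kernel's; the spectre_v2 mitigation in the PVE kernel only works with matching microcode) can be turned into a quick status check. The script below is an added example, not code from the thread or from Proxmox: the sysfs file names and CVE mapping are the kernel's own, while the microcode flag names and the sample host data are assumptions constructed for the example.

```python
"""Offline check of the kernel-side Meltdown/Spectre status discussed above.
Patched kernels expose one file per issue under /sys/devices/system/cpu/vulnerabilities/;
the sample contents at the bottom are constructed, not taken from a real host."""
import re

# sysfs file name -> CVE discussed in the thread
VULN_CVES = {"meltdown": "CVE-2017-5754",
             "spectre_v1": "CVE-2017-5753",
             "spectre_v2": "CVE-2017-5715"}

# /proc/cpuinfo flags that updated Intel microcode adds; the spelling differs
# between kernel versions, so any of them counts (assumption for this example).
MICROCODE_FLAGS = {"spec_ctrl", "ibrs", "ibpb", "stibp"}

def classify(status):
    """Map a sysfs status line to mitigated / vulnerable / not_affected / unknown."""
    s = status.strip()
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    if s == "Not affected":
        return "not_affected"
    return "unknown"

def cpu_flags(cpuinfo_text):
    """Return the flag set from the first 'flags' line of /proc/cpuinfo."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()

def assess(vuln_status, flags):
    """vuln_status: {sysfs name: file contents}. Returns {CVE: verdict}. A non-retpoline
    spectre_v2 mitigation (IBRS) is downgraded when no microcode feature flag is visible."""
    report = {}
    for name, cve in VULN_CVES.items():
        status = vuln_status.get(name, "")
        verdict = classify(status) if status else "unknown"
        if (name == "spectre_v2" and verdict == "mitigated"
                and "retpoline" not in status.lower() and not (MICROCODE_FLAGS & flags)):
            verdict = "mitigated_needs_microcode"
        report[cve] = verdict
    return report

# Constructed sample: kernel reports IBRS for spectre_v2, but no spec_ctrl/ibpb flag is present
SAMPLE_STATUS = {"meltdown": "Mitigation: PTI\n",
                 "spectre_v1": "Mitigation: __user pointer sanitization\n",
                 "spectre_v2": "Mitigation: IBRS\n"}
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme sse sse2 ht\n"
SAMPLE_REPORT = assess(SAMPLE_STATUS, cpu_flags(SAMPLE_CPUINFO))
```

On a live host, read each file under /sys/devices/system/cpu/vulnerabilities/ and /proc/cpuinfo into the two arguments; run inside an LXC container the result describes the host kernel, for the reason given in post #12.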
  18. aderumier

    aderumier Member

    Joined:
    May 14, 2013
    Messages:
    203
    Likes Received:
    18
    Hi fabian, with spectre v2, a guest vm can read host memory.

    https://googleprojectzero.blogspot.be/2018/01/reading-privileged-memory-with-side.html
     
  19. aderumier

    aderumier Member

    Joined:
    May 14, 2013
    Messages:
    203
    Likes Received:
    18
  20. denos

    denos Member

    Joined:
    Jul 27, 2015
    Messages:
    72
    Likes Received:
    32
    I have installed the latest OpenVZ kernel on several of our remaining Proxmox 3.x hosts using the .deb packages they provide. If you're using ZFS, you'll also need to add those modules to the new kernel. I have made .debs for ZFS 0.7.5 under Proxmox 3.x that you're welcome to (PM me), if you're willing to trust a complete stranger. If you're not using ZFS, the kernel alone is probably all you need.
     
    gkovacs likes this.