Meltdown and Spectre Linux Kernel fixes

Hi,

Here is a newbie question.
Are the Proxmox updates self-sufficient to protect against Meltdown and Spectre, or is it necessary to install intel-microcode from the Debian repository?
 
PVE updates are enough to fix Meltdown. The Spectre fixes / mitigations are still in preparation: the first round will likely only support CPUs with updated microcode, and a later iteration will then have the fallback for all CPUs. Check the changelogs once they are available.
 
Installed the updates from pve-enterprise with active subscription but there's no checkbox for PCID anywhere to be seen. What did I do wrong?
 
I hadn't noticed that at all. Is there a switch in the GUI to enable/disable PCID?
 
Hi!

Compatibility and stability problems with the mitigation code continue and are increasing.

Spectre and Meltdown patches causing trouble as realistic attacks get closer
https://arstechnica.com/gadgets/201...sing-trouble-as-realistic-attacks-get-closer/

Meltdown/Spectre fixes made AWS CPUs cry, says SolarWinds
https://www.theregister.co.uk/2018/01/15/solarwinds_aws_meltdown_fix_analysis/

Meltdown-Spectre: More businesses warned off patching over stability issues
http://www.zdnet.com/article/meltdo...es-warned-off-patching-over-stability-issues/
 
There are new kernel versions for both 4.4 and 5.1 available:

pve-kernel (4.13.13-36) unstable; urgency=medium

* cherry-pick (partial) SPECTRE fixes for CPUs supporting IBRS/IBPB
* follow-up fixes for KPTI

pve-kernel (4.4.98-104) unstable; urgency=medium

* cherry-pick (partial) SPECTRE fixes for CPUs supporting IBRS/IBPB
* follow-up fixes for KPTI

Most of the SPECTRE fixes require a compatible CPU microcode update enabling IBRS/IBPB support.

Updated pve-qemu-kvm packages which allow passing the spec-ctrl CPU flag to guest VMs are also available in pve-no-subscription (this only works for VMs with CPU type 'host' at the moment; updated qemu-server and pve-manager packages which allow setting this CPU flag for other CPU types are in the works).
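The two staff replies above (Meltdown is handled by the kernel update; the Spectre v2 part needs IBRS/IBPB from a microcode update, and the flag must then be passed into the guest) raise the practical question of how to see where a given host or VM stands. The script below is an added example, not Proxmox code and not posted by anyone in this thread. It reads only what the Linux kernel itself exposes: the `flags` and `microcode` lines of /proc/cpuinfo and the /sys/devices/system/cpu/vulnerabilities directory. The assumption, marked in the comments, is that the sysfs directory may be absent on the older PVE kernels mentioned here, in which case the script falls back to pointing at dmesg. The file name `check_mitigations.sh` and the `--host` switch are this example's own choices.

```shell
#!/bin/sh
# Added example (not Proxmox code): report the mitigation building blocks that
# the thread discusses, on a PVE host or inside a guest.
# Assumption: /sys/devices/system/cpu/vulnerabilities exists only on kernels
# that carry the sysfs reporting backport; older kernels lack it.

# cpu_flag_report FLAGS: FLAGS is the content of a /proc/cpuinfo "flags" line.
# Prints present/absent for each flag of interest. Returns 0 only when the three
# flags the microcode-based Spectre v2 mitigation needs (ibrs, ibpb, spec_ctrl)
# are all present; pcid, kaiser and pti are reported but not required, since
# Meltdown/KPTI works without them (pcid only reduces the cost).
cpu_flag_report() {
    flags=" $1 "
    missing=0
    for f in pcid ibrs ibpb spec_ctrl kaiser pti; do
        case "$flags" in
            *" $f "*)
                echo "flag $f: present" ;;
            *)
                echo "flag $f: absent"
                case "$f" in ibrs|ibpb|spec_ctrl) missing=1 ;; esac ;;
        esac
    done
    return $missing
}

# vuln_report [DIR]: print every entry of the kernel's sysfs vulnerability
# directory (default /sys/devices/system/cpu/vulnerabilities). Returns 0 when no
# entry starts with "Vulnerable", 1 when one does, 2 when the directory is
# missing (kernel too old for sysfs reporting).
vuln_report() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "$dir not present: this kernel predates sysfs reporting;" \
             "check 'dmesg | grep -i isolation' for the KPTI line instead"
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        state=$(cat "$f")
        echo "$(basename "$f"): $state"
        case "$state" in Vulnerable*) rc=1 ;; esac
    done
    return $rc
}

# host_report: run both checks against the live system, preceded by the
# microcode revision, because ibrs/ibpb/spec_ctrl only show up in the flags
# once the CPU is running updated microcode (the thread's main caveat).
host_report() {
    grep -m1 '^microcode' /proc/cpuinfo || echo "microcode: not reported"
    cpu_flag_report "$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)"
    vuln_report
}

# Usage on the live host (or inside a VM): sh check_mitigations.sh --host
if [ "${1:-}" = "--host" ]; then
    host_report
fi
```

Run it once on the host before and after installing the microcode package to see ibrs/ibpb/spec_ctrl appear, then again inside a guest after the CPU flag is passed through; the thread states that at this point only CPU type 'host' can carry it. The configuration syntax that the later qemu-server packages expose (for example `qm set <vmid> --cpu host,flags=+spec-ctrl`) is assumed here from those later packages and is not stated anywhere in this thread; a guest that does not show `spec_ctrl` in its flags after that change was either not restarted or has a CPU type that cannot pass the flag yet.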
 
I didn't read anything here about Windows, so does PCID only have an effect with Linux VMs?

You'd have to ask Microsoft to know how they implemented their Meltdown mitigation, and whether they use PCID to limit the performance impact.
 
Hi,

Any idea of when the patched kernels will leave pvetest? Kinda worried to switch to pvetest on production servers...
 
The latest round of kernel updates is available up to pve-no-subscription; the Meltdown / KPTI kernels have been in pve-enterprise for a while already.
 
I'm on pve-enterprise, I see the pve-manager and qemu-server upgrades.

I must have missed something, but is it worth installing without installing a patched kernel? (If the new kernels leave the pvetest/pve-no-subscription zone for a stable one soon, then I probably should wait and install all at once.)
 
There have been two rounds of pve-manager and qemu-server packages, so yes: the ones in pve-enterprise match the kernel and pve-qemu in pve-enterprise, the later ones match later updates. We always move packages such that they match (e.g., a pve-manager package exposing a new feature should never be available without the backend package that provides the feature).
 
(attached image: load.png, host load graph)

Host:
4.13.13-3-pve #1 SMP PVE 4.13.13-34 (Sun, 7 Jan 2018 13:19:58 +0100) x86_64 GNU/Linux
1x Intel Xeon E3-1240v6
Supermicro X11SSL-F
16GB ECC DDR-4
Adaptec 8405 RAID Controller
2x Samsung SM863 SSD with Raid-1

only one VM:
3.16.0-5-amd64 #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) x86_64 GNU/Linux
KVM, Debian 8

After that we installed the old kernel again...
3.16.0-4-amd64 #1 SMP Debian 3.16.51-3 (2017-12-13) x86_64 GNU/Linux
 