Meltdown and Spectre Linux Kernel fixes

Have you also updated your VM kernels, or only your HOST kernel? If your VM has the "host" CPU configuration, there is no need to pass this option; it is only needed if you have another CPU type configured.

Hi Sebastian, thanks for your reply! Actually I have only one VM running. It has KVM64 as the (default) CPU configuration. PCID is not set. The VM hosts a UCS system, which has already updated its part of Linux against Meltdown.
 
If the kernel for your UCS system has backported PCID support, then it might have less of a performance impact with PCID enabled in Proxmox.

OK, but with Debian Jessie the kernel is
3.16.0-5-amd64 #1 SMP Debian 3.16.51-3+deb8u1 (2018-01-08) x86_64 GNU/Linux

What is the best solution here?
CPU-Type = Standard (KVM64) or "host"?
 
Yes.
And you need a recent kernel in your VM too (>=4.14) to have the benefit of PCID.

Or one which has the backport, which should be all or most of the Linux distro kernels that were updated to support KPTI/KAISER.
 
And guests with standard Debian Stretch?
4.9.0-5-amd64 #1 SMP Debian 4.9.65-3+deb9u2 (2018-01-04) x86_64 GNU/Linux

Set CPU-type to "host" or "kvm64"?
 
You can check your server with this: <edit>I can't post external links...</edit>
It's called spectre-meltdown-checker on GitHub.

At the moment, with the latest kernel on Proxmox 5 (4.13.13-5), we are protected against Spectre variant 1 and Meltdown...
But Spectre variant 2 is still open.
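As an added example (not part of the thread and not the spectre-meltdown-checker tool), a small defensive check that reports what a host or guest kernel says about its own Meltdown/Spectre status and whether the guest CPU exposes PCID. It assumes the sysfs status files under /sys/devices/system/cpu/vulnerabilities, which exist on kernels >= 4.15 and on distro kernels that backported that interface; where they are absent the result is "unknown".

```shell
#!/bin/sh
# Added example, not from the thread: a defensive status check for a Proxmox host
# or guest after the kernel update. Two inputs are combined:
#  - the "flags" line of /proc/cpuinfo: does this (virtual) CPU expose pcid and
#    invpcid, which lower the cost of KPTI? The kvm64 CPU type hides them unless
#    the pcid flag is added; the "host" type passes them through.
#  - the status files in /sys/devices/system/cpu/vulnerabilities (assumed; they
#    exist on kernels >= 4.15 or with a backport, otherwise we report "unknown").

# has_flag FLAGS_LINE FLAG -> prints "yes" or "no"
has_flag() {
    case " $1 " in
        *" $2 "*) echo yes ;;
        *)        echo no ;;
    esac
}

# classify STATUS_LINE -> mitigated | vulnerable | unknown
# STATUS_LINE is one sysfs status file's content, e.g. "Mitigation: PTI".
classify() {
    case "$1" in
        "Not affected"|Mitigation:*) echo mitigated ;;
        Vulnerable|Vulnerable:*)    echo vulnerable ;;
        *)                          echo unknown ;;
    esac
}

# read_status NAME -> prints the sysfs status line, or "" if the file is absent
read_status() {
    f="/sys/devices/system/cpu/vulnerabilities/$1"
    if [ -r "$f" ]; then cat "$f"; else echo ""; fi
}

# summarize FLAGS_LINE MELTDOWN_STATUS V1_STATUS V2_STATUS -> two or three lines
summarize() {
    printf 'pcid=%s invpcid=%s\n' "$(has_flag "$1" pcid)" "$(has_flag "$1" invpcid)"
    printf 'meltdown=%s spectre_v1=%s spectre_v2=%s\n' \
        "$(classify "$2")" "$(classify "$3")" "$(classify "$4")"
    if [ "$(classify "$2")" = mitigated ] && [ "$(has_flag "$1" pcid)" = no ]; then
        echo "note: KPTI without PCID; expect a higher syscall/context-switch cost"
    fi
}

# Run against the live system with: sh check.sh live
if [ "${1:-}" = live ]; then
    summarize "$(grep -m1 '^flags' /proc/cpuinfo | cut -d: -f2)" \
        "$(read_status meltdown)" "$(read_status spectre_v1)" "$(read_status spectre_v2)"
fi
```

Run it once on the host and once inside a kvm64 guest; the "note" line in the guest is the case discussed above, where KPTI is active but the CPU type hides PCID.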
 

You missed installing BIOS updates for your mainboard and/or the latest Intel microcode updates (get them from https://packages.debian.org/buster/intel-microcode).
 
Thanks, I have this package; I will run some tests to see if I can install it on my production server.
This is probably useless on a VM?

Is there any problem installing this package? I rent my server from OVH.
 
QEMU said on their site that "Meltdown flaw does not allow a malicious guest to read the contents of hypervisor memory".
If I don't use LXC containers, can I disable KPTI to improve performance?

Ref: qemu.org/2018/01/04/spectre/
 

Not a good idea, because every other HOST user-space program that might get exploited by an attacker, or run by an otherwise unprivileged user, can still dump the whole memory without KPTI.
 
Dear Fabian,

Can you explain more? Because I don't use the Proxmox server for anything other than virtualization, and nobody (except me) can log in to the server.
And another question: can privileged LXC containers also dump the whole Proxmox server memory?

Thanks
 
First... It is never advisable to leave known security issues unaddressed. Although physically you might be the only one with access, not fixing those issues leaves an open door to malicious software you might install, knowingly or unknowingly, from bad sources. So not securing the server might still be a bad idea, unless your Proxmox isn't connected to the internet in any way, but I doubt that.

Second... Well, my understanding is that for LXC containers it is even more problematic not to fix the problem, as they share the host's kernel AFAIK. So if the host is vulnerable to Meltdown and Spectre attacks, so will be your LXC containers. Due to the nature of sharing the same kernel with the host, LXC containers are all but isolated.
 
So basically I applied the latest kernel updates for Proxmox 4.4 on 2 nodes, and it was a complete mess....

Having only Windows KVM instances, I have tried "host" without PCID and also "kvm64" with PCID; it was of no use.

Some machines running Windows Server 2012 R2 either fail to run and give a BSOD, or they start and then disconnect/crash all the time.

If anyone has any suggestions or advice, I would appreciate it.
 
Are your Windows machines up to date? Maybe you are missing a patch?
https://support.microsoft.com/en-us...your-windows-devices-against-spectre-meltdown
 