After re-evaluating the various Spectre vulnerabilities, mainly using the meltdown-spectre checker script as my initial guide, there appear to be a variety of somewhat different vulnerabilities, of which L1TF is not the only one affecting virtualization but is a very significant one. Because each vulnerability is so different, it should not be assumed that there is any silver bullet that can address all vulnerabilities; each vulnerability has to be addressed individually, and again... the meltdown-spectre checker script is a good place to start, since the github page summarizes each vulnerability and the required mitigations. So, for instance, I may be incorrect, but it looks like retpoline has nothing to do with the L1TF vulnerability.

I find the SUSE kb pages for these vulnerabilities and recommended mitigations extremely hard to read due to formatting, and it may not be clear in some text whether a list of settings is simply options or defaults. Compare, for instance, the SUSE CVE-2018-3639 page with the roughly corresponding Linux.org page, which looks to me extensive and likely more complete, better describing the EPT and hyperthreading options. The linux.org page leads by describing each affected component and its settings, and ends with numerous mitigation options and their effectiveness.

https://www.suse.com/support/kb/doc/?add=&id=7022937&title=Security+Vulnerability:+Spectre+Variant+4+(Speculative+Store+Bypass)+aka+CVE-2018-3639
https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html

I haven't checked completely, but I think that the meltdown-spectre checker script reads the various /sys/ values, among other things, automatically and reports their values, so one doesn't have to check those values manually and individually.

The only remaining question is whether an openSUSE install and its updates should automatically install the recommended mitigations by default, depending on whether it's detected to be running on bare metal or virtualized, and then the user's option should be to disable mitigations.

Tony

On Mon, Apr 15, 2019 at 10:58 AM Dario Faggioli <dfaggioli@suse.com> wrote:
On Mon, 2019-04-15 at 10:12 -0700, Tony Su wrote:
Have a Q. Found the following article which, although it is for a different CVE vulnerability, more generally describes ways to read proc settings directly to verify the mitigations installed.
Was wondering whether there is an article similar to the one referenced by "@PGnet Dev" that's a good jumping off point for other virtualization, specifically KVM?
I'm not sure I have understood what you are after.
Each one of these things is --although all somewhat related-- a different vulnerability; they came out at different times, and each has its own piece of documentation (or, often, more than one!).
L1TF is the one which, it can be stated, is the most related to virtualization, and the SUSE docs for it are here (not sure this was linked already):
https://www.suse.com/support/kb/doc/?id=7023077
The most authoritative source of info for KVM would be, IMO, the kernel documentation: https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html
For Xen, I personally think the XSA is particularly well done: https://xenbits.xen.org/xsa/advisory-273.html
But again, I'm not sure it was things like these you were actually looking for...
Regards
--
Dario Faggioli, Ph.D
http://about.me/dario.faggioli
Virtualization Software Engineer
SUSE Labs, SUSE https://www.suse.com/
-------------------------------------------------------------------
<<This happens because _I_ choose it to happen!>> (Raistlin Majere)