On Tue, 2019-04-16 at 11:41 -0700, Tony Su wrote:
> After re-evaluating the various Spectre vulnerabilities mainly using the meltdown-spectre checker script as my initial guide, there appear to be a variety of somewhat different vulnerabilities, of which L1TF is not the only one affecting virtualization but is very significant.
Well, absolutely. And I never intended to say it was... only that it is one of the most relevant to virtualization, and that it is still partially unresolved (without disabling hyperthreading, of course). E.g., this is about Spectre-&-Meltdown on virtualization, and L1TF isn't even mentioned (as it hadn't even been discovered when that page was written :-D): https://www.suse.com/support/kb/doc/?id=7022514
> Because each vulnerability is so different, it should not be assumed that there is any silver bullet that can address all vulnerabilities; each vulnerability has to be addressed individually and, again... the meltdown-spectre checker script is a good place to start, since the github page summarizes each vulnerability and the required mitigations.
It's a great project, I agree. It's got its issues, but that's the case for all pieces of software out there.
> So, for instance, I may be incorrect but it looks like retpoline has nothing to do with the L1TF vulnerability.
Not at all, no.
> I find the SUSE kb pages for these vulnerabilities and recommended mitigations extremely hard to read due to formatting, and it may not be clear in some text whether a list of settings are simply options or defaults.
Mmm... yes, maybe what the default setting is, is something that could be missing in there. However, bear in mind that the default could be "dynamically figure out the best mitigation strategy", e.g., based on what kind of hardware you're running on. Therefore, even if you know what the default is, and you didn't touch anything, it's always worth checking what was picked as a solution.
> Compare for instance the SUSE CVE-2018-3639 page with the roughly corresponding Linux.org page, which looks to me extensive and likely more complete, better describing the EPT and hyperthreading options. The linux.org page leads by describing each affected component and settings, and ends with numerous mitigation options and their effectiveness.
> https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html
Wait... if we're back talking about L1TF, the SUSE pages about it are these: https://www.suse.com/support/kb/doc/?id=7023077 https://www.suse.com/support/kb/doc/?id=7023078 not the one linked above. And, if we want to be fair, the scope, the goal and the target audience, between those SUSE docs and the kernel.org doc, are rather different. But yeah, I guess we could have done better... We have in the works some kind of more complete piece of documentation, that can act as a single point of reference for the issue. I'll post the link on this list when it's finished and released (it may take a little).
> Only remaining question is whether an openSUSE install and updates should automatically install recommended mitigations by default, depending on whether it's detected to be running on bare metal or virtualized, and then the user option should be to disable mitigations.
The Linux kernel does that already, so it's like that for any distro, basically. What a distribution can do is change this default behavior, if wanted, and SUSE and openSUSE do that (in order to make things properly and really secure on Skylake and later Intel hardware, against Spectre-v2). Basically, if you don't touch the default settings (and if you also took care of the hardware side, by updating BIOS/microcode), you're secure. If you want to disable some (or change the strategy in use), you need to act, e.g., on the kernel and/or hypervisor boot command line.

Regards
-- 
Dario Faggioli, Ph.D
http://about.me/dario.faggioli
Virtualization Software Engineer
SUSE Labs, SUSE https://www.suse.com/
-------------------------------------------------------------------
<<This happens because _I_ choose it to happen!>> (Raistlin Majere)
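One concrete way to do the check Dario recommends above (look at what the kernel actually picked rather than at what the default is documented to be, and at the boot-line knobs that would override it), as an added example that is not part of this thread, of SUSE's tooling or of the kernel: a POSIX sh script that reads the sysfs vulnerabilities files described in the kernel.org L1TF page linked above and classifies the L1TF line using the exact strings the kernel emits. The function names, the classification labels and the sample status lines are mine; the sample lines are constructed, not captured from a real host. It goes beyond the thread in one respect: it also gives a yes/no verdict for running untrusted guests, which is the L1TF question a virtualization host admin actually has.

```shell
#!/bin/sh
# Added example, not code from the thread, from SUSE or from the kernel:
# report which mitigation the running kernel actually picked, per
# vulnerability, and classify the L1TF line the way a VM host admin
# needs to (is SMT still on next to the L1D flush?). Function names,
# labels and sample strings are the example author's own.

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Classify one L1TF status line. The strings are the ones the kernel's
# l1tf_show_state() emits (see Documentation/admin-guide/l1tf.rst):
# "Mitigation: PTE Inversion" is the host-side fix; when KVM/VMX is
# active the kernel appends "; VMX: <L1D flush mode>, SMT <state>".
classify_l1tf() {
    case "$1" in
        "Not affected")                     echo not-affected ;;
        Vulnerable*)                        echo vulnerable ;;
        Mitigation:*"VMX: EPT disabled"*)   echo mitigated-ept-disabled ;;
        Mitigation:*"VMX: vulnerable"*)     echo mitigated-vmx-vulnerable ;;
        Mitigation:*"SMT disabled"*)        echo mitigated-smt-disabled ;;
        Mitigation:*"SMT vulnerable"*)      echo mitigated-smt-vulnerable ;;
        Mitigation:*)                       echo mitigated ;;
        *)                                  echo unknown ;;
    esac
}

# Exit 0 only when the host can run untrusted guests without an L1TF
# cross-guest leak: the CPU is not affected, EPT is off, or the L1D
# flush is paired with SMT disabled. A flush with SMT still enabled
# (what the kernel picks by default on most hosts) leaves the sibling
# hyperthread exposed, which is the "partially unresolved" part above.
untrusted_guests_ok() {
    case "$(classify_l1tf "$1")" in
        not-affected|mitigated-ept-disabled|mitigated-smt-disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Boot-line knobs that override the kernel's automatic choice: l1tf=,
# nosmt, kvm-intel.vmentry_l1d_flush=, spectre_v2=,
# spec_store_bypass_disable= and, on newer kernels, mitigations=.
# Argument: a file in /proc/cmdline format; defaults to the real one.
cmdline_knobs() {
    tr ' ' '\n' < "${1:-/proc/cmdline}" \
      | grep -E '^(l1tf|nosmt|mitigations|kvm-intel\.vmentry_l1d_flush|spectre_v2|spec_store_bypass_disable)(=|$)' \
      || echo "(none: kernel defaults in effect)"
}

# Print every vulnerabilities/* file plus the L1TF verdict for this host.
report_host() {
    if [ ! -d "$VULN_DIR" ]; then
        echo "$VULN_DIR missing: kernel too old to report, treat as unknown" >&2
        return 1
    fi
    for f in "$VULN_DIR"/*; do
        printf '%-24s %s\n' "$(basename "$f"):" "$(cat "$f")"
    done
    l1tf=$(cat "$VULN_DIR/l1tf")
    printf '%-24s %s\n' "l1tf class:" "$(classify_l1tf "$l1tf")"
    if untrusted_guests_ok "$l1tf"; then
        printf '%-24s %s\n' "untrusted guests:" "ok"
    else
        printf '%-24s %s\n' "untrusted guests:" "NOT safe (consider l1tf=flush,nosmt or nosmt)"
    fi
    echo "boot-line knobs:"
    cmdline_knobs | sed 's/^/  /'
}

# Constructed sample lines (not captured from a real machine), in the
# exact format the kernel emits, so the classifier can be exercised on
# a box without the sysfs interface.
SAMPLE_BARE="Mitigation: PTE Inversion"
SAMPLE_KVM_SMT="Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable"
SAMPLE_KVM_NOSMT="Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled"
SAMPLE_KVM_OFF="Mitigation: PTE Inversion; VMX: vulnerable"

if [ -d "$VULN_DIR" ]; then
    report_host
else
    for s in "$SAMPLE_BARE" "$SAMPLE_KVM_SMT" "$SAMPLE_KVM_NOSMT" "$SAMPLE_KVM_OFF"; do
        printf '%-28s <- %s\n' "$(classify_l1tf "$s")" "$s"
    done
fi
```

Run it as root or any user (the sysfs files are world-readable) on the host, not inside a guest: a guest's own vulnerabilities files describe what the guest kernel did for itself, not whether the hypervisor underneath flushed L1D or turned SMT off. If the verdict is "NOT safe" and you do host untrusted guests, the thing to change is the host boot line (for instance l1tf=flush,nosmt or plain nosmt), after which the sysfs line should read "SMT disabled".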