Mailinglist Archive: opensuse-virtual (17 mails)

[opensuse-virtual] How to correctly configure mitigation of CVE-2018-3646 'Foreshadow-NG (VMM)' on Xen Dom0 host?
Following along at

CVE-2018-3646 Common Vulnerabilities and Exposures
https://www.suse.com/security/cve/CVE-2018-3646/

&

Security Vulnerability: Spectre Variant 4 (Speculative Store Bypass)
aka CVE-2018-3639.
https://www.suse.com/support/kb/doc/?id=7022937

piecing together a number of other posts, and noting


https://lists.opensuse.org/opensuse-security-announce/2018-12/msg00073.html

An update that solves 9 vulnerabilities and has four fixes
is now available. This update for xen fixes the following
issues:

Update to Xen 4.10.2 bug fix release (bsc#1027519).
...
- CVE-2018-3646: Mitigations for VMM aspects of L1 Terminal Fault (XSA-273) (bsc#1091107)

which references,

Bug 1091107 - VUL-0: CVE-2018-3646: xen: L1 Terminal Fault -VMM (XSA-273)
https://bugzilla.suse.com/show_bug.cgi?id=1091107
==> Status: RESOLVED FIXED

on

uname -rm
5.0.7-lp150.5.g012b5f1-default x86_64

lsb_release -rd
Description: openSUSE Leap 15.0
Release: 15.0

grep "model name" /proc/cpuinfo | head -n 1
model name : Intel(R) Xeon(R) CPU E3-1220 v3 @ 3.10GHz

booting a Xen Dom0 host,

dmesg | grep -i "xen version"
[ 1.188399] Xen version: 4.12.0_09-lp150.640 (preserve-AD)


In my grub cfg,

GRUB_CMDLINE_LINUX_XEN_REPLACE="... spectre_v2=retpoline,generic spec_store_bypass_disable=on ..."
GRUB_CMDLINE_XEN="... spec-ctrl=ssbd,l1d-flush=true pv-l1tf=dom0=true,domu=true smt=true ucode=scan ..."


Updating microcode in Xen environments
https://www.suse.com/support/kb/doc/?id=7022546


after grub re-config & mkinitrd, then reboot,


verifying,

egrep "family|model|stepping" /proc/cpuinfo -m 4
cpu family : 6
model : 60
model name : Intel(R) Xeon(R) CPU E3-1220 v3 @ 3.10GHz
stepping : 3

in hex,

[cpu family]-[model]-[stepping] === 06-3C-03

rpm -qa | grep -i ucode-intel
ucode-intel-20190312-lp150.3.1.x86_64

rpm -ql ucode-intel | grep -i 06-3C-03
/lib/firmware/intel-ucode/06-3c-03

lsinitrd /boot/initrd-5.0.7-lp150.5.g012b5f1-default
Image: /boot/initrd-5.0.7-lp150.5.g012b5f1-default: 18M

========================================================================
Early CPIO image

========================================================================
drwxr-xr-x 3 root root 0 Apr 14 20:15 .
-rw-r--r-- 1 root root 2 Apr 14 20:15 early_cpio
drwxr-xr-x 3 root root 0 Apr 14 20:15 kernel
drwxr-xr-x 3 root root 0 Apr 14 20:15 kernel/x86
drwxr-xr-x 2 root root 0 Apr 14 20:15 kernel/x86/microcode
-rw-r--r-- 1 root root 23552 Apr 14 20:15 kernel/x86/microcode/GenuineIntel.bin

========================================================================
Version: dracut-044-lp150.14.27.1

grep -m1 microcode /proc/cpuinfo
microcode : 0x25


in serial log

(XEN) [00000027c847dc37] Xen version 4.12.0_09-lp150.640 (abuild@xxxxxxx) (gcc (SUSE Linux) 8.3.1 20190305 [gcc-8-branch revision 269383]) debug=n Thu Apr 11 22:29:39 UTC 2019
(XEN) [00000027cb3e1267] Latest ChangeSet:
(XEN) [00000027cbff3231] Bootloader: EFI
(XEN) [00000027ccb72e3d] Command line: dom0_mem=4016M,max:4096M bootscrub=false dom0_max_vcpus=4 spec-ctrl=ssbd,l1d-flush=true pv-l1tf=dom0=true,domu=true smt=true com1=115200,8n1,pci console=com1,vga console_timestamps console_to_ring conring_size=64 sched=credit2 reboot=acpi ucode=scan log_buf_len=16M loglvl=warning guest_loglvl=none/warning noreboot=false iommu=verbose
...
(XEN) [00000028c099c50b] Speculative mitigation facilities:
(XEN) [00000028c19f6e50] Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD
(XEN) [00000028c2f57689] Compiled-in support: INDIRECT_THUNK SHADOW_PAGING
(XEN) [00000028c445abaf] Xen settings: BTI-Thunk RETPOLINE, SPEC_CTRL: IBRS- SSBD+, Other: IBPB L1D_FLUSH
(XEN) [00000028c61da08b] L1TF: believed vulnerable, maxphysaddr L1D 46, CPUID 39, Safe address 8000000000
(XEN) [00000028c7f67494] Support for HVM VMs: MSR_SPEC_CTRL RSB EAGER_FPU
(XEN) [00000028c94630dc] Support for PV VMs: MSR_SPEC_CTRL RSB EAGER_FPU
(XEN) [00000028ca92b21c] XPTI (64-bit PV only): Dom0 enabled, DomU enabled (with PCID)
(XEN) [00000028cc1cfa07] PV L1TF shadowing: Dom0 enabled, DomU enabled

then,

cd /sys/devices/system/cpu/vulnerabilities/
for f in $(ls); do echo -e "\n$f"; cat $f; done

l1tf
Mitigation: PTE Inversion

meltdown
Unknown (XEN PV detected, hypervisor mitigation required)

spec_store_bypass
Mitigation: Speculative Store Bypass disabled

spectre_v1
Mitigation: __user pointer sanitization

spectre_v2
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW,
STIBP: conditional, RSB filling


BUT, checking with

spectre-meltdown-checker.sh

still returns "STATUS: VULNERABLE",

...
CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface:
* This system is a host running an hypervisor: YES
* Mitigation 1 (KVM)
* EPT is disabled: N/A (the kvm_intel module is not loaded)
* Mitigation 2
* L1D flush is supported by kernel: YES (found flush_l1d in kernel image)
* L1D flush enabled: UNKNOWN (unrecognized mode)
* Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower)
* Hyper-Threading (SMT) is enabled: YES
> STATUS: VULNERABLE (disable EPT or enabled L1D flushing to mitigate the vulnerability)
...


Since I'm on Xen, 'Mitigation 1' isn't an option.

Two things catch my attention:

(1) L1D flush enabled: UNKNOWN (unrecognized mode)

Not sure yet why I'm seeing UNKNOWN here,

&

(2) Hardware-backed L1D flush supported: NO

even though

(XEN) [00000028c19f6e50] Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD
                                                            ^^^^^^^^^

What's missing in my config to mitigate/remove the CVE-2018-3646 vulnerability?

--
To unsubscribe, e-mail: opensuse-virtual+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-virtual+owner@xxxxxxxxxxxx
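As an added example (not part of the post above, nor code from the Xen project or spectre-meltdown-checker), the script below reads the two things the poster already has, Xen's own "Speculative mitigation facilities" block from the serial log and the dom0 /proc/cpuinfo, instead of relying on the checker's KVM-shaped tests. The checker's "Mitigation 2" logic parses the "; VMX: ..." suffix that only KVM appends to the l1tf sysfs line and looks for a flush_l1d flag in dom0's cpuinfo; a Xen PV dom0 has neither, which is why it reports "unrecognized mode" and "NO" even though Xen itself logs "Hardware features: ... L1D_FLUSH" and "Other: IBPB L1D_FLUSH". The HVM assessment encodes my reading of XSA-273: the L1D flush on VM entry covers the same-thread case, and with SMT left on a sibling hyperthread running another domain remains a leak path, so smt=0 is needed for the full mitigation. The log and cpuinfo text are constructed from the post's output; all function names are my own.

```shell
#!/bin/sh
# Added example (not from the post or the Xen project): parse Xen's own
# mitigation report and the dom0 cpuinfo rather than a KVM-centric checker.
# XEN_LOG and CPUINFO are constructed from the post's serial log and
# /proc/cpuinfo output; on a live host, feed in `xl dmesg` and /proc/cpuinfo.

XEN_LOG='(XEN) [00000027ccb72e3d] Command line: dom0_mem=4016M,max:4096M spec-ctrl=ssbd,l1d-flush=true pv-l1tf=dom0=true,domu=true smt=true ucode=scan
(XEN) [00000028c099c50b] Speculative mitigation facilities:
(XEN) [00000028c19f6e50]   Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD
(XEN) [00000028c2f57689]   Compiled-in support: INDIRECT_THUNK SHADOW_PAGING
(XEN) [00000028c445abaf]   Xen settings: BTI-Thunk RETPOLINE, SPEC_CTRL: IBRS- SSBD+, Other: IBPB L1D_FLUSH
(XEN) [00000028c61da08b]   L1TF: believed vulnerable, maxphysaddr L1D 46, CPUID 39, Safe address 8000000000
(XEN) [00000028cc1cfa07]   PV L1TF shadowing: Dom0 enabled, DomU enabled'

CPUINFO='processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 60
model name : Intel(R) Xeon(R) CPU E3-1220 v3 @ 3.10GHz
stepping : 3
microcode : 0x25'

# Value of one "Name: value" line in the (XEN) log; an optional [timestamp] is skipped.
xen_field() {   # $1 = log text, $2 = field name
    printf '%s\n' "$1" | sed -n "s/^(XEN) *\(\[[0-9a-f]*\] *\)*$2: *//p" | head -n 1
}

# yes/no: is word $2 present in the space-separated list $1?
has_word() {
    case " $1 " in *" $2 "*) echo yes ;; *) echo no ;; esac
}

# Does the CPU/microcode advertise L1D_FLUSH (MSR_IA32_FLUSH_CMD) to Xen?
xen_hw_l1d_flush() { has_word "$(xen_field "$1" 'Hardware features')" L1D_FLUSH; }

# Is Xen actually using it? That is the "Other:" part of "Xen settings".
xen_l1d_flush_in_use() {
    has_word "$(xen_field "$1" 'Xen settings' | sed 's/.*Other: *//')" L1D_FLUSH
}

# Does Xen believe this CPU is L1TF-vulnerable at all?
xen_l1tf_believed_vulnerable() {
    case "$(xen_field "$1" 'L1TF')" in 'believed vulnerable'*) echo yes ;; *) echo no ;; esac
}

# PV side of XSA-273: shadow-paging fallback state for dom0 and domU.
xen_pv_l1tf() { xen_field "$1" 'PV L1TF shadowing'; }

# One option from the Xen command line (empty if not given).
xen_cmdline_opt() {   # $1 = log text, $2 = option name
    xen_field "$1" 'Command line' | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# HVM assessment: the VM-entry L1D flush covers the same-thread case; with SMT
# on, a sibling hyperthread running another domain is still a leak path.
xen_l1tf_assess() {
    if [ "$(xen_l1tf_believed_vulnerable "$1")" = no ]; then echo NOT_VULNERABLE; return; fi
    if [ "$(xen_l1d_flush_in_use "$1")" != yes ]; then echo UNMITIGATED; return; fi
    case "$(xen_cmdline_opt "$1" smt)" in
        0|false|off|no) echo MITIGATED_SMT_OFF ;;
        *) echo PARTIAL_SMT_ON ;;
    esac
}

# dom0's own l1tf sysfs line: the "; VMX: ..." suffix is appended by KVM only,
# so on a Xen dom0 its absence is expected, not an "unrecognized mode".
l1tf_sysfs_mode() {
    case "$1" in
        *'VMX: conditional cache flushes'*|*'VMX: cache flushes'*) echo kvm_flush ;;
        *'VMX:'*) echo kvm_no_flush ;;
        'Mitigation: PTE Inversion'*) echo pte_inversion_only ;;
        *) echo unknown ;;
    esac
}

# Microcode blob name used by the ucode-intel package: family-model-stepping,
# two lowercase hex digits each (cpuinfo is decimal, so model 60 -> 3c).
cpuinfo_field() { printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*: *//p" | head -n 1; }
ucode_file_from_cpuinfo() {
    printf '%02x-%02x-%02x\n' "$(cpuinfo_field "$1" 'cpu family')" \
        "$(cpuinfo_field "$1" model)" "$(cpuinfo_field "$1" stepping)"
}

printf 'hardware L1D_FLUSH: %s, in use by Xen: %s\n' \
    "$(xen_hw_l1d_flush "$XEN_LOG")" "$(xen_l1d_flush_in_use "$XEN_LOG")"
printf 'PV L1TF shadowing: %s\n' "$(xen_pv_l1tf "$XEN_LOG")"
printf 'HVM L1TF status: %s\n' "$(xen_l1tf_assess "$XEN_LOG")"
printf 'microcode blob: /lib/firmware/intel-ucode/%s\n' "$(ucode_file_from_cpuinfo "$CPUINFO")"
```

Against the post's log this prints hardware and in-use L1D_FLUSH as yes, PV shadowing enabled for both dom0 and domU, and HVM status PARTIAL_SMT_ON because the command line carries smt=true; rebooting with smt=0 on the Xen line flips it to MITIGATED_SMT_OFF. The microcode helper reproduces the 06-3c-03 name from the decimal cpuinfo fields, which is the step most often done by hand.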
