Mailinglist Archive: opensuse-virtual (17 mails)

Re: [opensuse-virtual] How to correctly configure mitigation of CVE-2018-3646 'Foreshadow-NG (VMM)' on Xen Dom0 host?
  • From: Tony Su <tonysu@xxxxxxxxxxxxxxxxx>
  • Date: Sun, 14 Apr 2019 21:28:18 -0700
  • Message-id: <CACNuKqT=kFrRmzX0cZ8dY0iewMmnebj73mBDzAztP--BtrQ-ag@mail.gmail.com>
IMO
You first need to provide source for your spectre-meltdown checker.
Like any app of this type, it's important to understand how it works
and its limitations, possibly leading to false positives or
ineffectiveness.

Personally, I prefer the following. It was one of the first tools
available and the author seems to be reasonably conscientious about
keeping his tool up to date. It also doesn't hurt that it's open
source and he describes what his tool does.

https://github.com/speed47/spectre-meltdown-checker

As for Spectre and Meltdown specifically...
It's my understanding that openSUSE installs microcode patches during
every bootup including Spectre and Meltdown mitigations. I don't know
if simply booting an updated machine is sufficient to address the
specific vulnerability you want to patch but in part that is what the
vulnerability checker is supposed to tell you.

Note also that regarding Meltdown and Spectre (more importantly the
latter), the best first step to address these vulnerabilities is to be
using a CPU shipped sometime between February 2018 and today; only
those processors can be patched "properly." Once patched, it's my
understanding that Meltdown and Spectre just won't work. Any earlier
CPU cannot be properly patched; the only thing that can be done is to
mitigate by blocking attack vectors as they are discovered.

HTH and that is the best of my understanding,
Tony

On Sun, Apr 14, 2019 at 9:02 PM PGNet Dev <pgnet.dev@xxxxxxxxx> wrote:

Following along at

CVE-2018-3646 Common Vulnerabilities and Exposures
https://www.suse.com/security/cve/CVE-2018-3646/

&

Security Vulnerability: Spectre Variant 4 (Speculative Store Bypass)
aka CVE-2018-3639.
https://www.suse.com/support/kb/doc/?id=7022937

piecing together a number of other posts, and noting


https://lists.opensuse.org/opensuse-security-announce/2018-12/msg00073.html

An update that solves 9 vulnerabilities and has four fixes
is now available. This update for xen fixes the following
issues:

Update to Xen 4.10.2 bug fix release (bsc#1027519).
...
- CVE-2018-3646: Mitigations for VMM aspects of L1 Terminal
Fault (XSA-273) (bsc#1091107)

which references,

Bug 1091107 - VUL-0: CVE-2018-3646: xen: L1 Terminal Fault -VMM
(XSA-273)
https://bugzilla.suse.com/show_bug.cgi?id=1091107
==> Status: RESOLVED FIXED

on

uname -rm
5.0.7-lp150.5.g012b5f1-default x86_64

lsb_release -rd
Description: openSUSE Leap 15.0
Release: 15.0

grep "model name" /proc/cpuinfo | head -n 1
model name : Intel(R) Xeon(R) CPU E3-1220 v3 @ 3.10GHz

booting a Xen Dom0 host,

dmesg | grep -i "xen version"
[ 1.188399] Xen version: 4.12.0_09-lp150.640 (preserve-AD)


In my grub cfg,

GRUB_CMDLINE_LINUX_XEN_REPLACE="... spectre_v2=retpoline,generic spec_store_bypass_disable=on ..."
GRUB_CMDLINE_XEN="... spec-ctrl=ssbd,l1d-flush=true pv-l1tf=dom0=true,domu=true smt=true ucode=scan ..."


Updating microcode in Xen environments
https://www.suse.com/support/kb/doc/?id=7022546


after grub re-config & mkinitrd, then reboot,

per

Updating microcode in Xen environments
https://www.suse.com/support/kb/doc/?id=7022546

verifying,

egrep "family|model|stepping" /proc/cpuinfo -m 4
cpu family : 6
model : 60
model name : Intel(R) Xeon(R) CPU E3-1220 v3 @ 3.10GHz
stepping : 3

in hex,

[cpu family]-[model]-[stepping] === 06-3C-03

rpm -qa | grep -i ucode-intel
ucode-intel-20190312-lp150.3.1.x86_64

rpm -ql ucode-intel | grep -i 06-3C-03
/lib/firmware/intel-ucode/06-3c-03

lsinitrd /boot/initrd-5.0.7-lp150.5.g012b5f1-default
Image: /boot/initrd-5.0.7-lp150.5.g012b5f1-default: 18M
========================================================================
Early CPIO image
========================================================================
drwxr-xr-x 3 root root 0 Apr 14 20:15 .
-rw-r--r-- 1 root root 2 Apr 14 20:15 early_cpio
drwxr-xr-x 3 root root 0 Apr 14 20:15 kernel
drwxr-xr-x 3 root root 0 Apr 14 20:15 kernel/x86
drwxr-xr-x 2 root root 0 Apr 14 20:15 kernel/x86/microcode
-rw-r--r-- 1 root root 23552 Apr 14 20:15 kernel/x86/microcode/GenuineIntel.bin
========================================================================
Version: dracut-044-lp150.14.27.1

grep -m1 microcode /proc/cpuinfo
microcode : 0x25


in serial log

(XEN) [00000027c847dc37] Xen version 4.12.0_09-lp150.640 (abuild@xxxxxxx) (gcc (SUSE Linux) 8.3.1 20190305 [gcc-8-branch revision 269383]) debug=n Thu Apr 11 22:29:39 UTC 2019
(XEN) [00000027cb3e1267] Latest ChangeSet:
(XEN) [00000027cbff3231] Bootloader: EFI
(XEN) [00000027ccb72e3d] Command line: dom0_mem=4016M,max:4096M bootscrub=false dom0_max_vcpus=4 spec-ctrl=ssbd,l1d-flush=true pv-l1tf=dom0=true,domu=true smt=true com1=115200,8n1,pci console=com1,vga console_timestamps console_to_ring conring_size=64 sched=credit2 reboot=acpi ucode=scan log_buf_len=16M loglvl=warning guest_loglvl=none/warning noreboot=false iommu=verbose
...
(XEN) [00000028c099c50b] Speculative mitigation facilities:
(XEN) [00000028c19f6e50] Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD
(XEN) [00000028c2f57689] Compiled-in support: INDIRECT_THUNK SHADOW_PAGING
(XEN) [00000028c445abaf] Xen settings: BTI-Thunk RETPOLINE, SPEC_CTRL: IBRS- SSBD+, Other: IBPB L1D_FLUSH
(XEN) [00000028c61da08b] L1TF: believed vulnerable, maxphysaddr L1D 46, CPUID 39, Safe address 8000000000
(XEN) [00000028c7f67494] Support for HVM VMs: MSR_SPEC_CTRL RSB EAGER_FPU
(XEN) [00000028c94630dc] Support for PV VMs: MSR_SPEC_CTRL RSB EAGER_FPU
(XEN) [00000028ca92b21c] XPTI (64-bit PV only): Dom0 enabled, DomU enabled (with PCID)
(XEN) [00000028cc1cfa07] PV L1TF shadowing: Dom0 enabled, DomU enabled

then,

cd /sys/devices/system/cpu/vulnerabilities/
for f in $(ls); do echo -e "\n$f"; cat $f; done

l1tf
Mitigation: PTE Inversion

meltdown
Unknown (XEN PV detected, hypervisor mitigation required)

spec_store_bypass
Mitigation: Speculative Store Bypass disabled

spectre_v1
Mitigation: __user pointer sanitization

spectre_v2
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling


BUT, checking with

spectre-meltdown-checker.sh

still returns "STATUS: VULNERABLE",

...
CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface:
* This system is a host running an hypervisor: YES
* Mitigation 1 (KVM)
* EPT is disabled: N/A (the kvm_intel module is not loaded)
* Mitigation 2
* L1D flush is supported by kernel: YES (found flush_l1d in kernel image)
* L1D flush enabled: UNKNOWN (unrecognized mode)
* Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower)
* Hyper-Threading (SMT) is enabled: YES
> STATUS: VULNERABLE (disable EPT or enabled L1D flushing to mitigate the vulnerability)
...


Since I'm on Xen, 'Mitigation 1' isn't an option.

Two things catch my attention:

(1) L1D flush enabled: UNKNOWN (unrecognized mode)

Not sure yet why I'm seeing UNKNOWN here,

&

(2) Hardware-backed L1D flush supported: NO

even though

(XEN) [00000028c19f6e50] Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD
                                                            ^^^^^^^^^

What's missing in my config to mitigate/remove the CVE-2018-3646
vulnerability?

--
To unsubscribe, e-mail: opensuse-virtual+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-virtual+owner@xxxxxxxxxxxx
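
The hypervisor's own L1TF settings are printed in the Xen boot log quoted in the message above, separately from what the Dom0 /sys files report. The following is an added example, not part of the original mails or of any tool they mention: a shell function that pulls those settings out of a Xen console log, re-joining hard-wrapped lines first. The names xen_l1tf_summary and sample_log and the key=value output format are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Reads a Xen console log on stdin
# (for instance `xl dmesg`) and prints the hypervisor-side L1TF state.
xen_l1tf_summary() {
    awk '
    function handle(r,    n, i, tok, p) {
        if (r ~ /Command line:/) {
            n = split(r, tok, " ")
            for (i = 1; i <= n; i++) if (tok[i] ~ /^smt=/) smt = substr(tok[i], 5)
        }
        if (r ~ /Hardware features:/) hw = (r ~ /L1D_FLUSH/) ? "yes" : "no"
        if (r ~ /Xen settings:/) {
            # Settings in effect follow "Other:"; the hardware line is only capability.
            p = index(r, "Other:")
            xen = (p && substr(r, p) ~ /L1D_FLUSH/) ? "yes" : "no"
        }
        if (r ~ /L1TF: believed/) vuln = (r ~ /believed vulnerable/) ? "yes" : "no"
        if (r ~ /PV L1TF shadowing:/) {
            dom0 = (r ~ /Dom0 enabled/) ? "enabled" : "disabled"
            domu = (r ~ /DomU enabled/) ? "enabled" : "disabled"
        }
    }
    BEGIN { smt = hw = xen = vuln = dom0 = domu = "unknown" }
    # A line that does not start with "(XEN)" is a wrapped continuation.
    /^\(XEN\)/ { if (rec != "") handle(rec); rec = $0; next }
    rec != ""  { sub(/^[ \t]+/, ""); rec = rec " " $0 }
    END {
        if (rec != "") handle(rec)
        printf "cpu_believed_vulnerable=%s\nhw_l1d_flush=%s\nxen_l1d_flush=%s\n", vuln, hw, xen
        printf "pv_l1tf_dom0=%s\npv_l1tf_domu=%s\nsmt_cmdline=%s\n", dom0, domu, smt
    }'
}

# Sample input: lines abridged from the serial log quoted above, wrapped as in the mail.
sample_log() {
    cat <<'EOF'
(XEN) [00000027ccb72e3d] Command line: dom0_mem=4016M,max:4096M
spec-ctrl=ssbd,l1d-flush=true pv-l1tf=dom0=true,domu=true smt=true ucode=scan
(XEN) [00000028c19f6e50] Hardware features: IBRS/IBPB STIBP
L1D_FLUSH SSBD
(XEN) [00000028c445abaf] Xen settings: BTI-Thunk RETPOLINE,
SPEC_CTRL: IBRS- SSBD+, Other: IBPB L1D_FLUSH
(XEN) [00000028c61da08b] L1TF: believed vulnerable, maxphysaddr L1D
46, CPUID 39, Safe address 8000000000
(XEN) [00000028cc1cfa07] PV L1TF shadowing: Dom0 enabled, DomU
enabled
EOF
}
sample_log | xen_l1tf_summary
```

Fields that never appear in the input are reported as unknown, so a truncated log is distinguishable from a setting that is off.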
