Mailinglist Archive: opensuse-virtual (17 mails)

Re: [opensuse-virtual] How to correctly configure mitigation of CVE-2018-3646 'Foreshadow-NG (VMM)' on Xen Dom0 host?
  • From: Tony Su <tonysu@xxxxxxxxxxxxxxxxx>
  • Date: Tue, 16 Apr 2019 11:41:48 -0700
  • Message-id: <CACNuKqTin38=agYCiyGO428u31ds7YDVxZKBEMN+kzOidagV-Q@mail.gmail.com>
After re-evaluating the various Spectre vulnerabilities, mainly using
the meltdown-spectre checker script as my initial guide, there appears
to be a variety of somewhat different vulnerabilities, of which L1TF is
not the only one affecting virtualization, but a very significant one.
Because each vulnerability is so different, it should not be assumed
that there is any silver bullet that can address all vulnerabilities;
each vulnerability has to be addressed individually, and again, the
meltdown-spectre checker script is a good place to start since the
GitHub page summarizes each vulnerability and the required mitigations.

So, for instance, I may be incorrect, but it looks like retpoline has
nothing to do with the L1TF vulnerability.

I find the SUSE KB pages for these vulnerabilities and recommended
mitigations extremely hard to read due to formatting, and it may not
be clear in some text whether a list of settings is simply a list of
options or of defaults. Compare, for instance, the SUSE CVE-2018-3639
page with the roughly corresponding Linux.org page, which looks to me
extensive and likely more complete, better describing the EPT and
hyperthreading options. The linux.org page leads by describing each
affected component and its settings, and ends with numerous mitigation
options and their effectiveness.

https://www.suse.com/support/kb/doc/?add=&id=7022937&title=Security+Vulnerability:+Spectre+Variant+4+(Speculative+Store+Bypass)+aka+CVE-2018-3639.

https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html

I haven't checked completely, but I think that the meltdown-spectre
checker script reads the various /sys/ values among other things
automatically and reports their values, so one doesn't have to check
those values manually and individually.

The only remaining question is whether an openSUSE install and updates
should automatically install the recommended mitigations by default,
depending on whether it's detected to be running on bare metal or
virtualized, and then the user option should be to disable
mitigations.

Tony


On Mon, Apr 15, 2019 at 10:58 AM Dario Faggioli <dfaggioli@xxxxxxxx> wrote:

On Mon, 2019-04-15 at 10:12 -0700, Tony Su wrote:
Have a Q.
Found the following article which, although it is for a different CVE
vulnerability, more generally describes ways to read proc settings
directly to verify installed mitigations:

https://www.suse.com/support/kb/doc/?add=&id=7022937&title=Security+Vulnerability:+Spectre+Variant+4+(Speculative+Store+Bypass)+aka+CVE-2018-3639.

Was wondering whether there is an article similar to the one
referenced by "@PGnet Dev" that's a good jumping-off point for other
virtualization, specifically KVM?

I'm not sure I have understood what you are after.

Each one of these things being -- although all somewhat related --
different vulnerabilities that came out at different times, each has its
own piece of documentation (or, often, more than one!).

L1TF is the one which, it can be stated, is the most related to
virtualization, and the SUSE docs for it are here (not sure this was
linked already):

https://www.suse.com/support/kb/doc/?id=7023077

The most authoritative source of info for KVM would be, IMO, the kernel
documentation:
https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html

For Xen, I personally think the XSA is particularly well done:
https://xenbits.xen.org/xsa/advisory-273.html

But again, I'm not sure it was things like these you were actually
looking for...

Regards
--
Dario Faggioli, Ph.D
http://about.me/dario.faggioli
Virtualization Software Engineer
SUSE Labs, SUSE https://www.suse.com/
-------------------------------------------------------------------
<<This happens because _I_ choose it to happen!>> (Raistlin Majere)
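Tony mentions that the checker script reads the /sys values for you, and Dario points at the kernel's l1tf admin guide, which documents what those values mean for a KVM host. As an added example (not code from either poster, the checker script, or SUSE), this POSIX sh script reads /sys/devices/system/cpu/vulnerabilities/l1tf and reduces the status line to one category; the status string formats are the kernel's, the category names are the script's own, and the sample lines used for checking are constructed.

```shell
#!/bin/sh
# Added example: classify the kernel's L1TF status line as described in the
# kernel admin-guide l1tf document. Status string formats are the kernel's;
# the category names (host-only, vmm-partial, ...) are this script's own.

L1TF_SYSFS=/sys/devices/system/cpu/vulnerabilities/l1tf

# Print the sysfs status line, or "unknown" if the file is absent
# (pre-mitigation kernel, or a container/guest that hides it).
read_l1tf() {
    if [ -r "$L1TF_SYSFS" ]; then cat "$L1TF_SYSFS"; else echo unknown; fi
}

# Map a status line to one category:
#   notaffected  CPU not affected
#   vulnerable   no PTE inversion at all
#   host-only    PTE inversion active, no VMX section (no KVM concern here)
#   vmm-partial  VMX present but guests can still read host L1D contents:
#                no L1D flush, or flushes with SMT still active
#   vmm-full     L1D flushed (or not needed) and SMT disabled, or EPT disabled
classify_l1tf() {
    case "$1" in
        "Not affected")                                 echo notaffected ;;
        "Mitigation: PTE Inversion")                    echo host-only ;;
        "Mitigation: PTE Inversion; VMX: EPT disabled") echo vmm-full ;;
        "Mitigation: PTE Inversion; VMX: "*)
            vmx=${1#*VMX: }          # e.g. "cache flushes, SMT disabled"
            l1d=${vmx%%,*}           # the L1D flush mode before the comma
            if [ "$l1d" = vulnerable ]; then
                echo vmm-partial     # nothing flushed on VM entry
            else
                case "$vmx" in
                    *"SMT disabled") echo vmm-full ;;
                    *)               echo vmm-partial ;;   # "SMT vulnerable"
                esac
            fi ;;
        Vulnerable*)                                    echo vulnerable ;;
        *)                                              echo unknown ;;
    esac
}

# Stand-alone use: report the running host's state.
status=$(read_l1tf)
echo "l1tf: $status -> $(classify_l1tf "$status")"
```

On a Xen dom0 this file shows the dom0 kernel's own view, not the hypervisor's; the XSA-273 advisory linked above covers the Xen side.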

