Mailinglist Archive: opensuse-virtual (17 mails)

Re: [opensuse-virtual] How to correctly configure mitigation of CVE-2018-3646 'Foreshadow-NG (VMM)' on Xen Dom0 host?
On Tue, 2019-04-16 at 11:41 -0700, Tony Su wrote:
> After re-evaluating the various Spectre vulnerabilities mainly using
> the meltdown-spectre checker script as my initial guide, there appears
> to be a variety of somewhat different vulnerabilities of which L1TF is
> not the only one affecting virtualization but very significant.

Well, absolutely. And I never intended to say it was... only that it is
one of the most relevant to virtualization, and that it is still
partially unresolved (without disabling hyperthreading, of course).

E.g., this is about Spectre-&-Meltdown on virtualization, and L1TF
isn't even mentioned (as it hadn't even been discovered when that page
was written :-D):
https://www.suse.com/support/kb/doc/?id=7022514

> Because each vulnerability is so different, it should not be assumed
> that there is any silver bullet that can address all vulnerabilities,
> each vulnerability has to be addressed individually and again... the
> meltdown-spectre checker script is a good place to start since the
> github page summarizes each vulnerability and required mitigations.

It's a great project, I agree. It's got its issues, but that's the case
for all pieces of software out there.

> So, for instance I may be incorrect but it looks like retpoline has
> nothing to do with the L1TF vulnerability.

Not at all, no.

> I find the SUSE kb pages for these vulnerabilities and recommended
> mitigations extremely hard to read due to formatting, and it may not
> be clear in some text whether a list of settings are simply options or
> defaults.

Mmm... yes, maybe what the default setting is, is something that could
be missing in there. However, bear in mind that the default could be
"dynamically figure out the best mitigation strategy", e.g., based on
what kind of hardware you're running on.

Therefore, even if you know what the default is, and you didn't touch
anything, it's always worth checking what was picked as a solution.

> Compare for instance the SUSE CVE-2018-3639 page with the
> roughly corresponding Linux.org page which looks to me extensive and
> likely more complete, better describing the EPT and hyperthreading
> options. The linux.org page leads by describing each affected
> component and settings, and ends with numerous mitigation options and
> their effectiveness.
>
> https://www.suse.com/support/kb/doc/?add=&id=7022937&title=Security+Vulnerability:+Spectre+Variant+4+(Speculative+Store+Bypass)+aka+CVE-2018-3639.
>
> https://www.kernel.org/doc/html/latest/admin-guide/l1tf.html

Wait... if we're back talking about L1TF, the SUSE pages about it are
these:

https://www.suse.com/support/kb/doc/?id=7023077
https://www.suse.com/support/kb/doc/?id=7023078

not the one linked above.

And, if we want to be fair, the scope, the goal and the target
audience, between those SUSE docs and kernel.org doc, are rather
different.

But yeah, I guess we could have done better... We have in the works
some kind of more complete piece of documentation, that can act as a
single point of reference for the issue. I'll post the link on this
list when it's finished and released (it may take a little).

> Only remaining question is whether an openSUSE install and updates
> should automatically install recommended mitigations by default
> depending on whether it's detected to be running on bare metal or
> virtualized, and then the User option should then be to disable
> mitigations.

The Linux kernel does that already, so it's like that for any distro,
basically. What a distribution can do is change this default behavior,
if wanted, and SUSE and openSUSE do that (in order to make things
properly and really secure on Skylake and later Intel hardware, against
Spectre-v2).

Basically, if you don't touch the default settings (and if you also
took care of the hardware side, by updating BIOS/microcode), you're
secure. If you want to disable (or change the strategy in use) some,
you need to act, e.g., on the kernel and/or hypervisor boot command
line.

Regards
--
Dario Faggioli, Ph.D
http://about.me/dario.faggioli
Virtualization Software Engineer
SUSE Labs, SUSE https://www.suse.com/
-------------------------------------------------------------------
<<This happens because _I_ choose it to happen!>> (Raistlin Majere)
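
The reply above makes two practical points: that the kernel's default is often "pick a strategy at boot based on the hardware", so even an untouched system is worth checking to see what it actually chose, and that on a Xen Dom0 the hypervisor makes its own choice separately from the Dom0 kernel. The script below is an added example written for this archive page; it is not code from the original post, from SUSE, or from the Xen or Linux projects. It reads the kernel's sysfs "vulnerabilities" files (the same source the meltdown-spectre checker mentioned in the thread uses for modern kernels), classifies each one, and specifically flags the L1TF case where a mitigation is active but hyperthreading leaves guests exposed. It also reports whether `l1tf=` was given on the kernel command line (the option documented on the kernel.org L1TF page linked in the thread) or left to the default. Assumptions: the sysfs strings follow the kernel's "Not affected" / "Mitigation: ..." / "Vulnerable..." convention; the sample values are constructed for the offline run, not captured from any one host; and the `xl dmesg` grep pattern for the Xen hypervisor's own boot-time report is a guess that may need adjusting for your Xen release.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list post. Summarises which
# mitigation the running Linux kernel picked for each speculative-execution
# issue by reading /sys/devices/system/cpu/vulnerabilities, and flags L1TF as
# only partially mitigated when the kernel reports "SMT vulnerable".

VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# mitigation_status DIR NAME
# Prints one of: not_affected, mitigated, partial, vulnerable, unknown.
# Assumes the kernel's sysfs string conventions (assumption, see lead-in).
mitigation_status() {
    f="$1/$2"
    [ -r "$f" ] || { echo unknown; return 0; }
    s=$(cat "$f")
    case "$s" in
        "Not affected"*)                 echo not_affected ;;
        Mitigation:*"SMT vulnerable"*)   echo partial ;;     # e.g. L1TF with HT on
        Mitigation:*)                    echo mitigated ;;
        Vulnerable*)                     echo vulnerable ;;
        *)                               echo unknown ;;
    esac
}

# cmdline_option NAME CMDLINE
# Prints the value given as NAME=... on a kernel command line, or "(default)"
# when the option is absent, i.e. when the kernel chose the strategy itself.
cmdline_option() {
    name=$1; shift
    val="(default)"
    for tok in $1; do                  # word-split the command line on whitespace
        case "$tok" in
            "$name="*) val=${tok#"$name="} ;;
        esac
    done
    echo "$val"
}

# report DIR CMDLINE
# Prints one line per vulnerability file plus the l1tf= setting. Returns 1 if
# anything is vulnerable or only partially mitigated, so it can gate a
# post-update check.
report() {
    dir=$1; cmdline=$2; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        n=$(basename "$f")
        st=$(mitigation_status "$dir" "$n")
        printf '%-22s %-13s %s\n' "$n" "$st" "$(cat "$f")"
        case "$st" in partial|vulnerable) rc=1 ;; esac
    done
    printf '%-22s %s\n' "l1tf= (kernel cmdline)" "$(cmdline_option l1tf "$cmdline")"
    return $rc
}

# xen_hypervisor_lines
# The sysfs view above covers only the Dom0 kernel; on Xen the hypervisor
# prints its own mitigation choice at boot. The grep pattern is an assumption,
# not verified against every Xen release. Prints nothing when xl is absent.
xen_hypervisor_lines() {
    command -v xl >/dev/null 2>&1 || return 0
    xl dmesg 2>/dev/null | grep -i -e 'l1tf' -e 'speculative' -e 'smt'
    return 0
}

# make_sample_dir
# Writes constructed sample sysfs strings (not captured from a real host) into
# a temporary directory and prints its path, so the script runs offline.
make_sample_dir() {
    d=$(mktemp -d)
    echo 'Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable' > "$d/l1tf"
    echo 'Mitigation: PTI' > "$d/meltdown"
    echo 'Mitigation: __user pointer sanitization' > "$d/spectre_v1"
    echo 'Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional' > "$d/spectre_v2"
    echo 'Vulnerable' > "$d/spec_store_bypass"      # e.g. microcode not updated yet
    echo 'Not affected' > "$d/mds"
    echo "$d"
}

# Run against the live system when the sysfs directory exists.
if [ -d "$VULN_DIR" ] && [ -r /proc/cmdline ]; then
    report "$VULN_DIR" "$(cat /proc/cmdline)" || echo 'WARNING: incomplete mitigation found'
    xen_hypervisor_lines
fi
```

On a Xen Dom0 with hyperthreading enabled you would expect the `l1tf` line to come back as `partial`, which is exactly the "still partially unresolved without disabling hyperthreading" situation discussed above; switching it to `mitigated` requires either `l1tf=flush,nosmt` (or `full`) on the Dom0 kernel command line for the kernel's own view, and the corresponding setting on the Xen hypervisor command line for guests, which the Dom0 kernel's sysfs files cannot tell you about.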
