Mailinglist Archive: opensuse-virtual (17 mails)

Re: [opensuse-virtual] How to correctly configure mitigation of CVE-2018-3646 'Foreshadow-NG (VMM)' on Xen Dom0 host?
[Sorry for replying a little late]

On Mon, 2019-04-15 at 13:41 -0700, PGNet Dev wrote:
> *Suse also enables "IBPB" by default. Is that (still) correct?
>
> Which I'd like to NOT take the purported ~20% performance hit for, and
> believe I've correctly (?) DISabled by adding:
>
> spectre_v2=retpoline,generic
>
> to my grub config's kernel command line

I think you're talking about IBRS. I mean, we do enable IBPB, but
that's what pretty much everyone does, I think.

In fact, on openSUSE kernel-default, Spectre-v2 is mitigated like this
(on post-SkyLake hardware):

Mitigation: Indirect Branch Restricted Speculation, IBPB: conditional,
IBRS_FW, STIBP: conditional, RSB filling

with kernel-vanilla, like this:

Mitigation: Full generic retpoline, IBPB: conditional,
IBRS_FW, STIBP: conditional, RSB filling

The impact, as said, varies, and it may not be *always* 20%. But yes,
it's non-negligible for most workloads.

> Also, I *did* see a KVM host-side change (namely, an upgrade to a fully
> patched Host) that switched the reporting of Variant 3a & 4
> vulnerabilities from VULNERABLE ==> NOT VULNERABLE, in the guest.
>
> Which I believe is expected.

Yes, makes sense.

Regards
--
Dario Faggioli, Ph.D
http://about.me/dario.faggioli
Virtualization Software Engineer
SUSE Labs, SUSE https://www.suse.com/
-------------------------------------------------------------------
<<This happens because _I_ choose it to happen!>> (Raistlin Majere)
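An added example, not from the thread or from SUSE: it parses the two spectre_v2 status lines Dario quotes into their components (primary mitigation, IBPB, IBRS_FW, STIBP, RSB filling) and checks whether a `spectre_v2=retpoline,generic` request on the kernel command line is actually what runs, which is the comparison PGNet Dev was trying to make. The sysfs path and /proc/cmdline are the standard kernel interfaces; the sample strings are copied from the mail and the function names are assumptions.

```python
import re

SYSFS = "/sys/devices/system/cpu/vulnerabilities/spectre_v2"

# Constructed samples: the two status lines quoted in the mail above.
KERNEL_DEFAULT = ("Mitigation: Indirect Branch Restricted Speculation, "
                  "IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling")
KERNEL_VANILLA = ("Mitigation: Full generic retpoline, "
                  "IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling")

def parse_spectre_v2(status):
    """Split a spectre_v2 sysfs line into its named components."""
    status = status.strip()
    info = {"primary": status, "ibpb": None, "stibp": None,
            "ibrs_fw": False, "rsb_filling": False}
    if status.startswith("Mitigation: "):  # "Not affected"/"Vulnerable" carry no list
        parts = [p.strip() for p in status[len("Mitigation: "):].split(",")]
        info["primary"] = parts[0]
        for part in parts[1:]:
            if part.startswith("IBPB:"):
                info["ibpb"] = part.split(":", 1)[1].strip()
            elif part.startswith("STIBP:"):
                info["stibp"] = part.split(":", 1)[1].strip()
            elif part == "IBRS_FW":  # IBRS only around firmware calls
                info["ibrs_fw"] = True
            elif part == "RSB filling":
                info["rsb_filling"] = True
    primary = info["primary"].lower()
    # The always-on IBRS mode is the one with the cost discussed in the mail;
    # IBRS_FW on its own does not imply it.
    info["uses_ibrs"] = "restricted speculation" in primary or "ibrs" in primary
    info["uses_retpoline"] = "retpoline" in primary
    return info

def cmdline_spectre_v2(cmdline):
    """Return the spectre_v2= value from a kernel command line, or None."""
    match = re.search(r"(?:^|\s)spectre_v2=(\S+)", cmdline)
    return match.group(1) if match else None

def check(status, cmdline):
    """Report whether a spectre_v2=retpoline request is what actually runs."""
    info = parse_spectre_v2(status)
    requested = cmdline_spectre_v2(cmdline)
    wants_retpoline = requested is not None and requested.split(",")[0] == "retpoline"
    info["requested"] = requested
    info["matches_request"] = (not wants_retpoline) or (
        info["uses_retpoline"] and not info["uses_ibrs"])
    return info
```

On a live Linux host, call `check(open(SYSFS).read(), open("/proc/cmdline").read())`; on the kernel-default sample it reports `matches_request` False because IBRS, not retpoline, is in effect.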
