Following along at
CVE-2018-3646 Common Vulnerabilities and Exposures
https://www.suse.com/security/cve/CVE-2018-3646/
&
Security Vulnerability: Spectre Variant 4 (Speculative Store Bypass)
aka CVE-2018-3639.
https://www.suse.com/support/kb/doc/?id=7022937
piecing together a number of other posts, and noting
https://lists.opensuse.org/opensuse-security-announce/2018-12/msg00073.html
An update that solves 9 vulnerabilities and has four fixes
is now available. This update for xen fixes the following
issues:
Update to Xen 4.10.2 bug fix release (bsc#1027519).
...
- CVE-2018-3646: Mitigations for VMM aspects of L1 Terminal
Fault (XSA-273) (bsc#1091107)
which references,
Bug 1091107 - VUL-0: CVE-2018-3646: xen: L1 Terminal Fault -VMM
(XSA-273)
https://bugzilla.suse.com/show_bug.cgi?id=1091107
==> Status: RESOLVED FIXED
on
uname -rm
5.0.7-lp150.5.g012b5f1-default x86_64
lsb_release -rd
Description: openSUSE Leap 15.0
Release: 15.0
grep "model name" /proc/cpuinfo | head -n 1
model name : Intel(R) Xeon(R) CPU E3-1220 v3 @ 3.10GHz
booting a Xen Dom0 host,
dmesg | grep -i "xen version"
[ 1.188399] Xen version: 4.12.0_09-lp150.640 (preserve-AD)
In my grub cfg,
GRUB_CMDLINE_LINUX_XEN_REPLACE="... spectre_v2=retpoline,generic
spec_store_bypass_disable=on ..."
GRUB_CMDLINE_XEN="... spec-ctrl=ssbd,l1d-flush=true
pv-l1tf=dom0=true,domu=true smt=true ucode=scan ..."
Updating microcode in Xen environments
https://www.suse.com/support/kb/doc/?id=7022546
after grub re-config & mkinitrd, then reboot,
per
Updating microcode in Xen environments
https://www.suse.com/support/kb/doc/?id=7022546
verifying,
egrep "family|model|stepping" /proc/cpuinfo -m 4
cpu family : 6
model : 60
model name : Intel(R) Xeon(R) CPU E3-1220 v3 @ 3.10GHz
stepping : 3
in hex,
[cpu family]-[model]-[stepping] === 06-3C-03
rpm -qa | grep -i ucode-intel
ucode-intel-20190312-lp150.3.1.x86_64
rpm -ql ucode-intel | grep -i 06-3C-03
/lib/firmware/intel-ucode/06-3c-03
lsinitrd /boot/initrd-5.0.7-lp150.5.g012b5f1-default
Image: /boot/initrd-5.0.7-lp150.5.g012b5f1-default: 18M
========================================================================
Early CPIO image
========================================================================
drwxr-xr-x 3 root root 0 Apr 14 20:15 .
-rw-r--r-- 1 root root 2 Apr 14 20:15
early_cpio
drwxr-xr-x 3 root root 0 Apr 14 20:15 kernel
drwxr-xr-x 3 root root 0 Apr 14 20:15
kernel/x86
drwxr-xr-x 2 root root 0 Apr 14 20:15
kernel/x86/microcode
-rw-r--r-- 1 root root 23552 Apr 14 20:15
kernel/x86/microcode/GenuineIntel.bin
========================================================================
Version: dracut-044-lp150.14.27.1
grep -m1 microcode /proc/cpuinfo
microcode : 0x25
in serial log
(XEN) [00000027c847dc37] Xen version 4.12.0_09-lp150.640
([email protected]) (gcc (SUSE Linux) 8.3.1 20190305 [gcc-8-branch revi
sion 269383]) debug=n Thu Apr 11 22:29:39 UTC 2019
(XEN) [00000027cb3e1267] Latest ChangeSet:
(XEN) [00000027cbff3231] Bootloader: EFI
(XEN) [00000027ccb72e3d] Command line: dom0_mem=4016M,max:4096M
bootscrub=false dom0_max_vcpus=4 spec-ctrl=ssbd,l1d-flush=true
pv-l1tf=dom0=true,domu=true smt=true com1=115200,8n1,pci console=com1,vga
console_timestamps console_to_ring conring_size=64 sched=credit2 reboot=acpi
ucode=scan log_buf_len=16M loglvl=warning guest_loglvl=none/warning
noreboot=false iommu=verbose
...
(XEN) [00000028c099c50b] Speculative mitigation facilities:
(XEN) [00000028c19f6e50] Hardware features: IBRS/IBPB STIBP L1D_FLUSH
SSBD
(XEN) [00000028c2f57689] Compiled-in support: INDIRECT_THUNK
SHADOW_PAGING
(XEN) [00000028c445abaf] Xen settings: BTI-Thunk RETPOLINE,
SPEC_CTRL: IBRS- SSBD+, Other: IBPB L1D_FLUSH
(XEN) [00000028c61da08b] L1TF: believed vulnerable, maxphysaddr L1D
46, CPUID 39, Safe address 8000000000
(XEN) [00000028c7f67494] Support for HVM VMs: MSR_SPEC_CTRL RSB
EAGER_FPU
(XEN) [00000028c94630dc] Support for PV VMs: MSR_SPEC_CTRL RSB
EAGER_FPU
(XEN) [00000028ca92b21c] XPTI (64-bit PV only): Dom0 enabled, DomU
enabled (with PCID)
(XEN) [00000028cc1cfa07] PV L1TF shadowing: Dom0 enabled, DomU enabled
then,
cd /sys/devices/system/cpu/vulnerabilities/
for f in $(ls); do echo -e "\n$f"; cat $f; done
l1tf
Mitigation: PTE Inversion
meltdown
Unknown (XEN PV detected, hypervisor mitigation required)
spec_store_bypass
Mitigation: Speculative Store Bypass disabled
spectre_v1
Mitigation: __user pointer sanitization
spectre_v2
Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW,
STIBP: conditional, RSB filling
BUT, checking with
spectre-meltdown-checker.sh
still returns "STATUS: VULNERABLE",
...
CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
* Information from the /sys interface:
* This system is a host running an hypervisor: YES
* Mitigation 1 (KVM)
* EPT is disabled: N/A (the kvm_intel module is not loaded)
* Mitigation 2
* L1D flush is supported by kernel: YES (found flush_l1d in kernel
image)
* L1D flush enabled: UNKNOWN (unrecognized mode)
* Hardware-backed L1D flush supported: NO (flush will be done in
software, this is slower)
* Hyper-Threading (SMT) is enabled: YES
> STATUS: VULNERABLE (disable EPT or enabled L1D flushing to mitigate
the vulnerability)
...
Since I'm on Xen, 'Mitigation 1' isn't an option.
Two things catch my attention:
(1) L1D flush enabled: UNKNOWN (unrecognized mode)
Not sure yet why I'm seeing UNKNOWN here,
&
(2) Hardware-backed L1D flush supported: NO
even though
(XEN) [00000028c19f6e50] Hardware features: IBRS/IBPB STIBP L1D_FLUSH
SSBD
^^^^^^^^^
What's missing in my config to mitigate/remove the CVE-2018-3646 vulnerability?
--
To unsubscribe, e-mail: [email protected]
To contact the owner, e-mail: [email protected]
