Re: [opensuse-virtual] How to correctly configure mitigation of CVE-2018-3646 'Foreshadow-NG (VMM)' on Xen Dom0 host?

[PGNet Dev]

On 4/15/19 9:34 AM, Dario Faggioli wrote:
> point is this:
> - exploiting L1TF, it may be possible to read the host physical RAM
>    from inside a VM. This means malicious code running inside a VM can
>    read the memory of other applications inside the same VM, of other
>    VMs and also of the hypervisor.
>    It is not entirely trivial, even without mitigations applied, but
>    it's possible, and proofs of contept do exist;
> - for Xen PV guests, if the guest has "PTE Inversion" and Xen has
>    pv-l1tf enabled, the problem is fully mitigated;
> - for Xen HVM guests or KVM guests, on system without hyperthreading
>    (or with hyperthreading properly disabled), if L1D flush is supported
>    (by hardware and hypervisor) and enabled, the problem is fully
>    mitigated;
> - for Xen HVM guests or KVM guests, on system with hypetrheading,
>    the problem can't be fully mitigated.

That's really clear.  And the 1st time I've read it all, so succinctly stated, 
in one place.

It would, IMO, be very helpful on a 'Spectre on *Suse' doc/wiki page.

atm, on this particular host, my Xen cmd line includes:

        spec-ctrl=ssbd,l1d-flush=true pv-l1tf=dom0=true,domu=true smt=true

which may, or not, be overkill/risky; still need to do some reading up on the 
relative merits.

> For KVM guests and Xen HVM guests, can you paste the full output of the
> section "CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'" ?

Don't have a Xen HVM up right at the moment.

For KVM guest (@ Linode, fwiw),

spectre-meltdown-checker.sh

        ...
        CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'
        * Information from the /sys interface:
        * This system is a host running an hypervisor:  NO
        * Mitigation 1 (KVM)
          * EPT is disabled:  N/A  (the kvm_intel module is not loaded)
        * Mitigation 2
          * L1D flush is supported by kernel:  YES  (found flush_l1d in kernel 
image)
          * L1D flush enabled:  UNKNOWN  (unrecognized mode)
          * Hardware-backed L1D flush supported:  NO  (flush will be done in 
software, this is slower)
          * Hyper-Threading (SMT) is enabled:  NO
        > STATUS:  NOT VULNERABLE  (this system is not running an hypervisor)

        > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK 
CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK 
CVE-2018-3646:OK

IIUC from your comments above, the apparently *dis*abled SMT hyperthreading 
leads, in this case, to the mitigation STATUS ==> NOT VULNERABLE

-- 
To unsubscribe, e-mail: opensuse-virtual+unsubscr...@opensuse.org
To contact the owner, e-mail: opensuse-virtual+ow...@opensuse.org