This blog entry is intended as a follow-up to the original entry in
January regarding Spectre/Meltdown and the proposed changes to address
them in the upcoming 2.11.1 release.

This entry is meant to accompany the 2.11.1 release (planned for
2018-02-14) and document how to make use of the new options for
various architectures.

Cc: Eduardo Habkost <ehabk...@redhat.com>
Cc: Paolo Bonzini <pbonz...@redhat.com>
Cc: Peter Maydell <peter.mayd...@linaro.org>
Cc: Suraj Jitindar Singh <sjitindarsi...@gmail.com>
Cc: David Gibson <da...@gibson.dropbear.id.au>
Cc: Christian Borntraeger <borntrae...@de.ibm.com>
Cc: Cornelia Huck <coh...@redhat.com>
Cc: Thomas Huth <th...@redhat.com>
Cc: Bruce Rogers <brog...@suse.com>
Cc: Daniel P. Berrangé <berra...@redhat.com>
Cc: David Hildenbrand <da...@redhat.com>
Signed-off-by: Michael Roth <mdr...@linux.vnet.ibm.com>
---
v2:
 * s/by itself that/by itself for that/ (Bruce)
 * make example formats more consistent (Bruce)
 * clarify wording WRT to host-side security (Daniel, Paolo)
 * general wording/formatting fix-ups (Thomas)
 * s/options/feature bits/ (Cornelia)
 * clarify s390x CPU feature defaults (Thomas/Cornelia/Christian/David)
 * clarify s390x migration compatibility statement (Cornelia)

Thank you for the review!

 .../2018-02-14-qemu-2-11-1-and-spectre-update.md   | 190 +++++++++++++++++++++
 1 file changed, 190 insertions(+)
 create mode 100644 _posts/2018-02-14-qemu-2-11-1-and-spectre-update.md

diff --git a/_posts/2018-02-14-qemu-2-11-1-and-spectre-update.md 
b/_posts/2018-02-14-qemu-2-11-1-and-spectre-update.md
new file mode 100644
index 0000000..9ddf74f
--- /dev/null
+++ b/_posts/2018-02-14-qemu-2-11-1-and-spectre-update.md
@@ -0,0 +1,190 @@
+---
+layout: post
+title:  "QEMU 2.11.1 and making use of Spectre/Meltdown mitigation for KVM 
guests"
+date: 2018-02-14 10:35:44 -0600
+author: Michael Roth
+categories: [meltdown, spectre, security, x86, ppc, s390, releases, 'qemu 
2.11']
+---
+
+A [previous post](https://www.qemu.org/2018/01/04/spectre/) detailed how
+QEMU/KVM might be affected by Spectre/Meltdown attacks, and what the plan
+was to mitigate them in QEMU 2.11.1 (and eventually QEMU 2.12).
+
+QEMU 2.11.1 is now available, and contains the aforementioned mitigation
+functionality for x86 guests, along with additional mitigation functionality
+for pseries and s390x guests (ARM guests do not currently require additional
+QEMU patches).  However, enabling this functionality requires additional
+configuration beyond just updating QEMU, which we want to address with this
+post.
+
+Please note that QEMU/KVM has at least the same requirements as other
+unprivileged processes running on the host with regard to Spectre/Meltdown
+mitigation. What is being addressed here is enabling a guest operating system
+to enable the same (or similar) mitigations to protect itself from
+unprivileged guest processes running under the guest operating system. Thus,
+the patches/requirements listed here are specific to that goal and should not
+be regarded as the full set of requirements to enable mitigations on the host
+side (though in some cases there is some overlap between the two with regard
+to required patches/etc).
+
+Also please note that this is a best-effort from the QEMU/KVM community, and
+these mitigations rely on a mix of additional kernel/firmware/microcode
+updates that are in some cases not yet available publicly, or may not yet be
+implemented in some distros, so users are highly encouraged to consult with
+their respective vendors/distros to confirm whether all the required
+components are in place. We do our best to highlight the requirements here,
+but this may not be an exhaustive list.
+
+
+## Enabling mitigation features for x86 KVM guests
+
+For x86 guests there are 2 additional CPU flags associated with
+Spectre/Meltdown mitigation: **spec-ctrl**, and **ibpb**:
+
+* spec-ctrl: exposes Indirect Branch Restricted Speculation (IBRS)
+* ibpb: exposes Indirect Branch Prediction Barriers
+
+These flags expose additional functionality made available through new
+microcode updates for certain Intel/AMD processors that can be used to
+mitigate various attack vectors related to Spectre. (Meltdown mitigation
+via KPTI does not require additional CPU functionality or microcode, and
+does not require an updated QEMU, only the related guest/host kernel
+patches).
+
+Utilizing this functionality requires guest/host kernel updates, as well
+as microcode updates for Intel and recent AMD processors. The status of
+these kernel patches upstream is still in flux, but most supported
+distros have some form of the patches that is sufficient to make use
+of the functionality. The current status/availability of microcode updates
+depends on your CPU architecture/model. Please check with your
+vendor/distro to confirm these prerequisites are available/installed.
+
+Generally, for Intel CPUs with updated microcode, **spec-ctrl** will
+enable both IBRS and IBPB functionality. For AMD EPYC processors,
+**ibpb** can be used to enable IBPB specifically, and is thought to
+be sufficient by itself for that particular architecture.
+
+These flags can be set in a similar manner as other CPU flags, i.e.:
+
+    qemu-system-x86_64 -cpu qemu64,+spec-ctrl,... ...
+    qemu-system-x86_64 -cpu IvyBridge,+spec-ctrl,... ...
+    qemu-system-x86_64 -cpu EPYC,+ibpb,... ...
+    etc...
+
+Additionally, for management stacks that lack support for setting
+specific CPU flags, a set of new CPU types have been added which
+enable the appropriate CPU flags automatically:
+
+    qemu-system-x86_64 -cpu Nehalem-IBRS ...
+    qemu-system-x86_64 -cpu Westmere-IBRS ...
+    qemu-system-x86_64 -cpu SandyBridge-IBRS ...
+    qemu-system-x86_64 -cpu IvyBridge-IBRS ...
+    qemu-system-x86_64 -cpu Haswell-IBRS ...
+    qemu-system-x86_64 -cpu Haswell-noTSX-IBRS ...
+    qemu-system-x86_64 -cpu Broadwell-IBRS ...
+    qemu-system-x86_64 -cpu Broadwell-noTSX-IBRS ...
+    qemu-system-x86_64 -cpu Skylake-Client-IBRS ...
+    qemu-system-x86_64 -cpu Skylake-Server-IBRS ...
+    qemu-system-x86_64 -cpu EPYC-IBPB ...
+
+With these settings enabled, guests may still require additional
+configuration to enable IBRS/IBPB, which may vary somewhat from one
+distro to another. For RHEL guests, the following resource may be
+useful:
+
+* https://access.redhat.com/articles/3311301
+
+With regard to migration compatibility, **spec-ctrl**/**ibrs** (or the
+corresponding CPU type) should be set the same on both source/target to
+maintain compatibility. Thus, guests will need to be rebooted to make
+use of the new features.
+
+
+## Enabling mitigation features for pseries KVM guests
+
+For pseries guests there are 3 tri-state -machine options/capabilities
+relating to Spectre/Meltdown mitigation: **cap-cfpc**, **cap-sbbc**,
+**cap-ibs**, which each correspond to a set of host machine capabilities
+advertised by the KVM kernel module in new/patched host kernels that can
+be used to mitigate various aspects of Spectre/Meltdown:
+
+* cap-cfpc: Cache Flush on Privilege Change
+* cap-sbbc: Speculation Barrier Bounds Checking
+* cap-ibs: Indirect Branch Serialisation
+
+Each option can be set to one of "broken", "workaround", or "fixed", which
+correspond, respectively, to instructing the guest whether the host is
+vulnerable, has OS-level workarounds available, or has hardware/firmware
+that does not require OS-level workarounds. Based on these options, QEMU
+will perform checks to validate whether the specified settings are available
+on the current host and pass these settings on to the guest kernel. At a
+minimum, any setting other than "broken" will require a host kernel that has
+some form of the following patches:
+
+    commit 3214d01f139b7544e870fc0b7fcce8da13c1cb51
+    KVM: PPC: Book3S: Provide information about hardware/firmware CVE 
workarounds
+  
+    commit 191eccb1580939fb0d47deb405b82a85b0379070
+    powerpc/pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper
+
+and whether a host will support "workaround" and "fixed" settings for each
+option will depend on the hardware/firmware level of the host system.
+
+In turn, to make use of "workaround" or "fixed" settings for each option,
+the guest kernel will require at least the following set of patches:
+
+* https://lists.ozlabs.org/pipermail/linuxppc-dev/2018-January/167455.html
+
+These are available upstream and have been backported to a number of stable
+kernels. Please check with your vendor/distro to confirm the required
+hardware/firmware and guest kernel patches are available/installed.
+
+All three options, **cap-cfpc**, **cap-sbbc**, and **cap-ibs** default
+to "broken" to maintain compatibility with previous versions of QEMU
+and unpatched host kernels. To enable them you must start QEMU with the
+desired mitigation strategy specified explicitly. For example:
+
+    qemu-system-ppc64 ... \
+      -machine 
pseries-2.11,cap-cfpc=workaround,cap-sbbc=workaround,cap-ibs=fixed
+
+With regard to migration compatibility, setting any of these features to a
+value other than "broken" will require an identical setting for that option on
+the source/destination guest. To enable these settings your guests will need to
+be rebooted at some point.
+
+
+## Enabling mitigation features for s390x KVM guests
+
+For s390x guests there are 2 CPU feature bits relating to Spectre/Meltdown:
+
+* bpb: Branch prediction blocking
+* ppa15: PPA15 is installed
+
+**bpb** requires a host kernel patched with:
+
+    commit 35b3fde6203b932b2b1a5b53b3d8808abc9c4f60
+    KVM: s390: wire up bpb feature
+
+and both **bpb** and **ppa15** require a firmware with the appropriate support
+level as well as guest kernel patches to enable the functionality within
+guests. Please check with your distro/vendor to confirm.
+
+Both **bpb** and **ppa15** are enabled by default with newer/patched host
+kernels, and can also be set manually. For example:
+
+    qemu-system-s390x -M s390-ccw-virtio-2.11 ... \
+      -cpu zEC12,bpb=on,ppa15=on 
+
+Both **bpb** and **ppa15** are enabled by default when using "-cpu host"
+and when the host kernels supports these facilities. For other CPU
+models, the flags have to be set manually. For example:
+
+    qemu-system-s390x -M s390-ccw-virtio-2.11 ... \
+      -cpu zEC12,bpb=on,ppa15=on
+
+With regard to migration, enabling **bpb** or **ppa15** feature flags requires
+that the source/target also those flags enabled. Since this is enabled by
+default for '-cpu host' (when available on the host), you must ensure that
+**bpb**=off,**ppa15**=off is used if you wish to maintain migration
+compatibility with existing guests when using '-cpu host', or take steps to
+reboot guests with **bpb**/**ppa15** enabled prior to migration.
-- 
2.11.0


Reply via email to