Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

2018-01-09 Thread Alexandre DERUMIER
also on ovh doc, pretty good information for each cve


https://docs.ovh.com/fr/dedicated/information-about-meltdown-spectre-vulnerability-fixes/


- Original message -
From: "aderumier" <aderum...@odiso.com>
To: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Wednesday, 10 January 2018 05:02:16
Subject: Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

Hi, I have found a nice wiki, updated each day with info about new 
patches for spectre/meltdown (kernel, kvm, microcode, ...) 

https://github.com/hannob/meltdownspectre-patches 

- Original message - 
From: "Waschbüsch IT-Services GmbH" <serv...@waschbuesch.it> 
To: "pve-devel" <pve-devel@pve.proxmox.com> 
Sent: Saturday, 6 January 2018 09:24:01 
Subject: Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre? 

> On 05.01.2018 at 21:41, Fabian Grünbichler 
> <f.gruenbich...@proxmox.com> wrote: 
> 
> On Fri, Jan 05, 2018 at 06:50:33PM +0100, Waschbüsch IT-Services GmbH wrote: 
>> 
>> AFAIK Meltdown is only affecting Intel (& ARM), but not AMD - see 'Forcing 
>> direct cache loads' here: 
>> 
>> https://lwn.net/SubscriberLink/742702/83606d2d267c0193/ 
>> 
>> Does anyone know if the current patching efforts will differentiate between 
>> Intel and AMD x86-64 offerings? 
>> 
>> I would hate to update kernels with these patches unless my systems are 
>> indeed affected. 
>> Not because of possible performance impacts, mind, but because of stability. 
>> I just feel it in my bones this major intervention is going to introduce 
>> regressions... :-( 
> 
> the Meltdown fix (KPTI) is disabled on AMD by default (and also 
> possible to disable using a kernel parameter on all platforms). 
> 
> the (planned) Spectre fixes (Retpoline, IBRS and IBPB) are for all/most 
> platforms and vendors, some of them will likely be exposed as kernel 
> parameters, but some of them will likely only be available as compile time 
> options or not tunable at all. 

Thanks! That is very good to know. 
___ 
pve-devel mailing list 
pve-devel@pve.proxmox.com 
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 



Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

2018-01-09 Thread Alexandre DERUMIER
Hi, I have found a nice wiki, updated each day with info about new 
patches for spectre/meltdown (kernel, kvm, microcode, ...)

https://github.com/hannob/meltdownspectre-patches

- Original message -
From: "Waschbüsch IT-Services GmbH" <serv...@waschbuesch.it>
To: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Saturday, 6 January 2018 09:24:01
Subject: Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

> On 05.01.2018 at 21:41, Fabian Grünbichler 
> <f.gruenbich...@proxmox.com> wrote: 
> 
> On Fri, Jan 05, 2018 at 06:50:33PM +0100, Waschbüsch IT-Services GmbH wrote: 
>> 
>> AFAIK Meltdown is only affecting Intel (& ARM), but not AMD - see 'Forcing 
>> direct cache loads' here: 
>> 
>> https://lwn.net/SubscriberLink/742702/83606d2d267c0193/ 
>> 
>> Does anyone know if the current patching efforts will differentiate between 
>> Intel and AMD x86-64 offerings? 
>> 
>> I would hate to update kernels with these patches unless my systems are 
>> indeed affected. 
>> Not because of possible performance impacts, mind, but because of stability. 
>> I just feel it in my bones this major intervention is going to introduce 
>> regressions... :-( 
> 
> the Meltdown fix (KPTI) is disabled on AMD by default (and also 
> possible to disable using a kernel parameter on all platforms). 
> 
> the (planned) Spectre fixes (Retpoline, IBRS and IBPB) are for all/most 
> platforms and vendors, some of them will likely be exposed as kernel 
> parameters, but some of them will likely only be available as compile time 
> options or not tunable at all. 

Thanks! That is very good to know. 


Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

2018-01-06 Thread Waschbüsch IT-Services GmbH

> On 05.01.2018 at 21:41, Fabian Grünbichler wrote:
> 
> On Fri, Jan 05, 2018 at 06:50:33PM +0100, Waschbüsch IT-Services GmbH wrote:
>> 
>> AFAIK Meltdown is only affecting Intel (& ARM), but not AMD - see 'Forcing 
>> direct cache loads' here:
>> 
>> https://lwn.net/SubscriberLink/742702/83606d2d267c0193/ 
>> 
>> Does anyone know if the current patching efforts will differentiate between 
>> Intel and AMD x86-64 offerings?
>> 
>> I would hate to update kernels with these patches unless my systems are 
>> indeed affected.
>> Not because of possible performance impacts, mind, but because of stability.
>> I just feel it in my bones this major intervention is going to introduce 
>> regressions... :-(
> 
> the Meltdown fix (KPTI) is disabled on AMD by default (and also
> possible to disable using a kernel parameter on all platforms).
> 
> the (planned) Spectre fixes (Retpoline, IBRS and IBPB) are for all/most
> platforms and vendors, some of them will likely be exposed as kernel
> parameters, but some of them will likely only be available as compile time
> options or not tunable at all.

Thanks! That is very good to know.


Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

2018-01-05 Thread Fabian Grünbichler
On Fri, Jan 05, 2018 at 06:50:33PM +0100, Waschbüsch IT-Services GmbH wrote:
> 
> > On 05.01.2018 at 11:25, Fabian Grünbichler wrote:
> > 
> > On Thu, Jan 04, 2018 at 09:08:32PM +0100, Stefan Priebe - Profihost AG 
> > wrote:
> >> 
> >> Here we go - attached is the relevant patch - extracted from the
> >> opensuse src.rpm.
> > 
> > this will most likely not be needed for some time, since a pre-requisite
> > is having microcode and kernels supporting IBRS and IBPB.
> > 
> > the microcode update is still on-going (e.g., some vendors like Lenovo,
> > Suse and RH have started releasing updates, but Intel still does not
> > have a public package yet and Debian's partial update is only in
> > unstable so far, likely taking at least a week to hit Stretch, and needs
> > non-free enabled).
> > 
> > the kernel changes have been submitted by Intel as a first draft for
> > discussion upstream.
> > 
> > the current plan is to release updated kernel packages ASAP based on 4.4
> > and 4.13 with
> > - final, tested KPTI patches (not yet available for 4.4 and 4.13!) to
> >  fix MELTDOWN for the host kernel
> > - backport / cherry-pick of KVM commit to prevent KVM guest->host
> >  SPECTRE exploit
> 
> 
> AFAIK Meltdown is only affecting Intel (& ARM), but not AMD - see 'Forcing 
> direct cache loads' here:
> 
> https://lwn.net/SubscriberLink/742702/83606d2d267c0193/ 
> 
> 
> Does anyone know if the current patching efforts will differentiate between 
> Intel and AMD x86-64 offerings?
> 
> I would hate to update kernels with these patches unless my systems are 
> indeed affected.
> Not because of possible performance impacts, mind, but because of stability.
> I just feel it in my bones this major intervention is going to introduce 
> regressions... :-(

the Meltdown fix (KPTI) is disabled on AMD by default (and also
possible to disable using a kernel parameter on all platforms).

the (planned) Spectre fixes (Retpoline, IBRS and IBPB) are for all/most
platforms and vendors, some of them will likely be exposed as kernel
parameters, but some of them will likely only be available as compile time
options or not tunable at all.

___
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
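
One way to check, per host, the state described in the message above (KPTI off by default on AMD, mitigations that can be switched off by kernel parameter). This is an added example, not part of the thread and not Proxmox code; it assumes a kernel that reports through `/sys/devices/system/cpu/vulnerabilities` or the `pti`/`kaiser` flag in `/proc/cpuinfo`, takes the parameter names `nopti`, `pti=off`, `nospectre_v2` and `spectre_v2=off` from the upstream kernel documentation, and runs on constructed sample files.

```shell
#!/bin/sh
# Added example, not from the thread. Real-host usage:
#   assess_host /sys/devices/system/cpu/vulnerabilities /proc/cmdline /proc/cpuinfo

# First vendor_id value in a /proc/cpuinfo-format file.
cpu_vendor() {  # CPUINFO
    awk -F': *' '/^vendor_id/ { print $2; exit }' "$1"
}

# Succeeds if WORD is listed on the first KEY line ("flags" or "bugs").
cpuinfo_has() {  # CPUINFO KEY WORD
    awk -F': *' -v key="$2" -v word="$3" '
        $1 ~ ("^" key "[ \t]*$") {
            n = split($2, w, " ")
            for (i = 1; i <= n; i++) if (w[i] == word) found = 1
            exit
        }
        END { exit !found }' "$1"
}

# Boot parameters that switch a mitigation off (names from upstream kernel
# documentation; the thread does not spell them out). Prints one per line.
cmdline_overrides() {  # CMDLINE
    tr -s ' \t' '\n\n' < "$1" |
        grep -Ex 'nopti|pti=off|nospectre_v2|spectre_v2=off' || true
}

# Status of one issue: prefer the kernel's own sysfs report; without it,
# infer Meltdown state from cpuinfo (pti/kaiser flag, then the bugs line).
issue_status() {  # SYSFS_DIR CPUINFO ISSUE
    if [ -r "$1/$3" ]; then
        cat "$1/$3"
    elif [ "$3" = meltdown ] &&
         { cpuinfo_has "$2" flags pti || cpuinfo_has "$2" flags kaiser; }; then
        echo "Mitigation: PTI"
    elif [ "$3" = meltdown ] && cpuinfo_has "$2" bugs cpu_meltdown; then
        echo "Vulnerable"
    else
        echo "Unknown (kernel does not report this issue)"
    fi
}

# One line per issue (OK / ACTION / UNKNOWN) plus a NOTE per boot override.
assess_host() {  # SYSFS_DIR CMDLINE CPUINFO
    vendor=$(cpu_vendor "$3")
    for issue in meltdown spectre_v1 spectre_v2; do
        status=$(issue_status "$1" "$3" "$issue")
        case "$status" in
            "Not affected"*|Mitigation:*) verdict=OK ;;
            Vulnerable*)                  verdict=ACTION ;;
            *)                            verdict=UNKNOWN ;;
        esac
        printf '%s %s [%s] %s\n' "$verdict" "$issue" "$vendor" "$status"
    done
    for p in $(cmdline_overrides "$2"); do
        printf 'NOTE boot parameter %s switches a mitigation off\n' "$p"
    done
}

# Constructed sample snapshots of three hosts (not captured from real machines).
make_samples() {  # DIR
    mkdir -p "$1/intel/vuln" "$1/amd/vuln" "$1/nosysfs"
    fmt='vendor_id\t: %s\nflags\t\t: %s\nbugs\t\t: %s\n'
    # Intel host, patched kernel with sysfs reporting.
    printf "$fmt" GenuineIntel 'fpu vme pse pti' \
        'cpu_meltdown spectre_v1 spectre_v2' > "$1/intel/cpuinfo"
    echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet' > "$1/intel/cmdline"
    echo 'Mitigation: PTI' > "$1/intel/vuln/meltdown"
    echo 'Vulnerable' > "$1/intel/vuln/spectre_v1"
    echo 'Mitigation: Full generic retpoline' > "$1/intel/vuln/spectre_v2"
    # AMD host: no pti flag, Meltdown not applicable, Spectre v2 switched off.
    printf "$fmt" AuthenticAMD 'fpu vme pse' \
        'spectre_v1 spectre_v2' > "$1/amd/cpuinfo"
    echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro nospectre_v2' > "$1/amd/cmdline"
    echo 'Not affected' > "$1/amd/vuln/meltdown"
    echo 'Vulnerable' > "$1/amd/vuln/spectre_v1"
    echo 'Vulnerable' > "$1/amd/vuln/spectre_v2"
    # Intel host where only cpuinfo and cmdline were saved; booted with nopti.
    printf "$fmt" GenuineIntel 'fpu vme pse' 'cpu_meltdown' > "$1/nosysfs/cpuinfo"
    echo 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro nopti' > "$1/nosysfs/cmdline"
}

samples=$(mktemp -d)
trap 'rm -rf "$samples"' EXIT
make_samples "$samples"
for host in intel amd nosysfs; do
    echo "== $host =="
    assess_host "$samples/$host/vuln" "$samples/$host/cmdline" \
        "$samples/$host/cpuinfo"
done
```

On the AMD sample the missing `pti` flag is not a finding because the kernel reports "Not affected"; on the Intel sample without sysfs the same missing flag, together with `nopti` on the command line, is.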


Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

2018-01-05 Thread Waschbüsch IT-Services GmbH

> On 05.01.2018 at 11:25, Fabian Grünbichler wrote:
> 
> On Thu, Jan 04, 2018 at 09:08:32PM +0100, Stefan Priebe - Profihost AG wrote:
>> 
>> Here we go - attached is the relevant patch - extracted from the
>> opensuse src.rpm.
> 
> this will most likely not be needed for some time, since a pre-requisite
> is having microcode and kernels supporting IBRS and IBPB.
> 
> the microcode update is still on-going (e.g., some vendors like Lenovo,
> Suse and RH have started releasing updates, but Intel still does not
> have a public package yet and Debian's partial update is only in
> unstable so far, likely taking at least a week to hit Stretch, and needs
> non-free enabled).
> 
> the kernel changes have been submitted by Intel as a first draft for
> discussion upstream.
> 
> the current plan is to release updated kernel packages ASAP based on 4.4
> and 4.13 with
> - final, tested KPTI patches (not yet available for 4.4 and 4.13!) to
>  fix MELTDOWN for the host kernel
> - backport / cherry-pick of KVM commit to prevent KVM guest->host
>  SPECTRE exploit


AFAIK Meltdown is only affecting Intel (& ARM), but not AMD - see 'Forcing 
direct cache loads' here:

https://lwn.net/SubscriberLink/742702/83606d2d267c0193/ 


Does anyone know if the current patching efforts will differentiate between 
Intel and AMD x86-64 offerings?

I would hate to update kernels with these patches unless my systems are indeed 
affected.
Not because of possible performance impacts, mind, but because of stability.
I just feel it in my bones this major intervention is going to introduce 
regressions... :-(


Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

2018-01-05 Thread Fabian Grünbichler
On Thu, Jan 04, 2018 at 09:08:32PM +0100, Stefan Priebe - Profihost AG wrote:
> 
> Here we go - attached is the relevant patch - extracted from the
> opensuse src.rpm.

this will most likely not be needed for some time, since a pre-requisite
is having microcode and kernels supporting IBRS and IBPB.

the microcode update is still on-going (e.g., some vendors like Lenovo,
Suse and RH have started releasing updates, but Intel still does not
have a public package yet and Debian's partial update is only in
unstable so far, likely taking at least a week to hit Stretch, and needs
non-free enabled).

the kernel changes have been submitted by Intel as a first draft for
discussion upstream.

the current plan is to release updated kernel packages ASAP based on 4.4
and 4.13 with
- final, tested KPTI patches (not yet available for 4.4 and 4.13!) to
  fix MELTDOWN for the host kernel
- backport / cherry-pick of KVM commit to prevent KVM guest->host
  SPECTRE exploit

it is very likely that the following changes will have to wait for
later follow-up updates:
- (more) final version of kernel IBRS/IBPB patches
- a variant of the Qemu patch to allow passing on IBRS/IBPB to guests
- more SPECTRE fixes
- regression fixes (based on the current feedback to KPTI in various
  stable kernel series, some level of breakage is to be expected)



Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

2018-01-04 Thread Alexandre DERUMIER
Ubuntu has announced a kernel patch for the 9th of January (4.4 && 4.13)

https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/

- Original message -
From: "Stefan Priebe, Profihost AG" <s.pri...@profihost.ag>
To: "pve-devel" <pve-devel@pve.proxmox.com>, "aderumier" <aderum...@odiso.com>
Sent: Thursday, 4 January 2018 21:08:32
Subject: Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

Here we go - attached is the relevant patch - extracted from the 
opensuse src.rpm. 

Greets, 
Stefan 


On 04.01.2018 at 19:37, Alexandre DERUMIER wrote: 
> It seems that for Spectre, cpumodel=qemu64|kvm64 is OK, 
> 
> but not for the 2 other CVEs 
> 
> On 04/01/2018 19:13, Alexandre DERUMIER wrote: 
>> Thanks Paolo ! 
>> 
>> Do we need to update guest kernel too, if qemu use cpumodel=qemu64 ? 
>> 
>> (For example, I have some very old guests where kernel update is not 
>> possible) 
> 
> If you want to be protected against the other two CVEs (one of which is 
> "Meltdown"), yes. 
> 
> Paolo 
> 
> 
> - Original message - 
> From: "Stefan Priebe, Profihost AG" <s.pri...@profihost.ag> 
> To: "pve-devel" <pve-devel@pve.proxmox.com> 
> Sent: Thursday, 4 January 2018 19:25:44 
> Subject: Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre? 
> 
> Thanks! But that means we can update the kernel on the host which makes the 
> host and vm jumping safe BUT multi user guests are still vulnerable as long 
> as there are no qemu patches even if the guest has a current kernel. 
> 
> Greets, 
> Stefan 
> 
> Excuse my typo sent from my mobile phone. 
> 
>> On 04.01.2018 at 19:09, Alexandre DERUMIER <aderum...@odiso.com> wrote: 
>> 
>> From Paolo bonzini on qemu-devel 
>> 
>> -- 
>> _posts/ 2018-01-04 -spectre.md | 60 
>>  
>> 1 file changed, 60 insertions(+) 
>> create mode 100644 _posts/ 2018-01-04 -spectre.md 
>> 
>> diff --git a/_posts/ 2018-01-04 -spectre.md b/_posts/ 2018-01-04 -spectre.md 
>> new file mode 100644 
>> index 000..1be86d0 
>> --- /dev/null 
>> +++ b/_posts/ 2018-01-04 -spectre.md 
>> @@ -0,0 +1,60 @@ 
>> +--- 
>> +layout: post 
>> +title: "QEMU and the Spectre and Meltdown attacks" 
>> +date: 2018-01-04 18:00:00 + 
>> +author: Paolo Bonzini and Eduardo Habkost 
>> +categories: [meltdown, spectre, security, x86] 
>> +--- 
>> +As you probably know by now, three critical architectural flaws in CPUs 
>> have 
>> +been recently disclosed that allow user processes to read kernel or 
>> hypervisor 
>> +memory through cache side-channel attacks. These flaws, collectively 
>> +named _Meltdown_ and _Spectre_, affect in one way or another almost 
>> +all processors that perform out-of-order execution, including x86 (from 
>> +Intel and AMD), POWER, s390 and ARM processors. 
>> + 
>> +No microcode updates are required to block the _Meltdown_ attack; it is 
>> +enough to update the guest operating system to a version that separates 
>> +the user and kernel address spaces (known as _page table isolation_ for 
>> +the Linux kernel). Therefore, this post will focus on _Spectre_, and 
>> +especially on [CVE-2017-5715]( [ 
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 | 
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 ] ). 
>> + 
>> +Fixing or mitigating _Spectre_ in general, and CVE-2017-5715 in particular, 
>> +requires cooperation between the processor and the operating system kernel 
>> or 
>> +hypervisor; the processor can be updated through microcode or millicode 
>> +patches to provide the required functionality. CVE-2017-5715 allows guests 
>> +to read potentially sensitive data from hypervisor memory; however, 
>> __patching 
>> +the host kernel is sufficient to block this attack__. 
>> + 
>> +On the other hand, in order to protect the guest kernel from a malicious 
>> +userspace, updates are also needed to the guest kernel and, depending on 
>> +the processor architecture, to QEMU. Just like on bare-metal, the guest 
>> +kernel will use the new functionality provided by the microcode or 
>> millicode 
>> +updates. When running under a hypervisor, processor emulation is mostly out 
>> of 
>> +QEMU's scope, so QEMU's role in the fix is small, but nevertheless 
>> important. 
>> +In the case of KVM: 
>> + 
>> +* QEMU configures the hypervisor to emulate a specific processor model. 
>> 
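
Review bot: The Meltdown paragraph says it is "enough to update the guest operating system" but does not mention the host. Since the following paragraphs separate host-kernel from guest-kernel updates for Spectre, state here whether the host kernel needs page table isolation as well, so the sentence is not read as "hosts need no Meltdown update".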

Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

2018-01-04 Thread Stefan Priebe - Profihost AG

Here we go - attached is the relevant patch - extracted from the
opensuse src.rpm.

Greets,
Stefan


On 04.01.2018 at 19:37, Alexandre DERUMIER wrote:
> It seems that for Spectre, cpumodel=qemu64|kvm64 is OK,
> 
> but not for the 2 other CVEs
> 
> On 04/01/2018 19:13, Alexandre DERUMIER wrote:
>> Thanks Paolo !
>>
>> Do we need to update guest kernel too, if qemu use cpumodel=qemu64 ?
>>
>> (For example,  I have some very old guests where kernel update is not 
>> possible)
> 
> If you want to be protected against the other two CVEs (one of which is
> "Meltdown"), yes.
> 
> Paolo
> 
> 
> - Original message -
> From: "Stefan Priebe, Profihost AG" <s.pri...@profihost.ag>
> To: "pve-devel" <pve-devel@pve.proxmox.com>
> Sent: Thursday, 4 January 2018 19:25:44
> Subject: Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?
> 
> Thanks! But that means we can update the kernel on the host which makes the 
> host and vm jumping safe BUT multi user guests are still vulnerable as long 
> as there are no qemu patches even if the guest has a current kernel. 
> 
> Greets, 
> Stefan 
> 
> Excuse my typo sent from my mobile phone. 
> 
>> On 04.01.2018 at 19:09, Alexandre DERUMIER <aderum...@odiso.com> wrote: 
>>
>> From Paolo bonzini on qemu-devel 
>>
>> -- 
>> _posts/ 2018-01-04 -spectre.md | 60 
>>  
>> 1 file changed, 60 insertions(+) 
>> create mode 100644 _posts/ 2018-01-04 -spectre.md 
>>
>> diff --git a/_posts/ 2018-01-04 -spectre.md b/_posts/ 2018-01-04 -spectre.md 
>> new file mode 100644 
>> index 000..1be86d0 
>> --- /dev/null 
>> +++ b/_posts/ 2018-01-04 -spectre.md 
>> @@ -0,0 +1,60 @@ 
>> +--- 
>> +layout: post 
>> +title: "QEMU and the Spectre and Meltdown attacks" 
>> +date: 2018-01-04 18:00:00 + 
>> +author: Paolo Bonzini and Eduardo Habkost 
>> +categories: [meltdown, spectre, security, x86] 
>> +--- 
>> +As you probably know by now, three critical architectural flaws in CPUs 
>> have 
>> +been recently disclosed that allow user processes to read kernel or 
>> hypervisor 
>> +memory through cache side-channel attacks. These flaws, collectively 
>> +named _Meltdown_ and _Spectre_, affect in one way or another almost 
>> +all processors that perform out-of-order execution, including x86 (from 
>> +Intel and AMD), POWER, s390 and ARM processors. 
>> + 
>> +No microcode updates are required to block the _Meltdown_ attack; it is 
>> +enough to update the guest operating system to a version that separates 
>> +the user and kernel address spaces (known as _page table isolation_ for 
>> +the Linux kernel). Therefore, this post will focus on _Spectre_, and 
>> +especially on [CVE-2017-5715]( [ 
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 | 
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 ] ). 
>> + 
>> +Fixing or mitigating _Spectre_ in general, and CVE-2017-5715 in particular, 
>> +requires cooperation between the processor and the operating system kernel 
>> or 
>> +hypervisor; the processor can be updated through microcode or millicode 
>> +patches to provide the required functionality. CVE-2017-5715 allows guests 
>> +to read potentially sensitive data from hypervisor memory; however, 
>> __patching 
>> +the host kernel is sufficient to block this attack__. 
>> + 
>> +On the other hand, in order to protect the guest kernel from a malicious 
>> +userspace, updates are also needed to the guest kernel and, depending on 
>> +the processor architecture, to QEMU. Just like on bare-metal, the guest 
>> +kernel will use the new functionality provided by the microcode or 
>> millicode 
>> +updates. When running under a hypervisor, processor emulation is mostly out 
>> of 
>> +QEMU's scope, so QEMU's role in the fix is small, but nevertheless 
>> important. 
>> +In the case of KVM: 
>> + 
>> +* QEMU configures the hypervisor to emulate a specific processor model. 
>> +For x86, QEMU has to be aware of new CPUID bits introduced by the microcode 
>> +update, and it must provide them to guests depending on how the guest is 
>> +configured. 
>> + 
>> +* upon virtual machine migration, QEMU reads the CPU state on the source 
>> +and transmits it to the destination. For x86, QEMU has to be aware of new 
>> +model specific registers (MSRs). 
>> + 
>> +Right now, there are no public patches to KVM that expose the new CPUID 
>> bit
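
Review bot: The two bullets under "In the case of KVM:" are styled inconsistently: the first starts with a capital ("QEMU configures ...") and the second in lower case ("upon virtual machine migration ..."). Capitalise "Upon", and consider naming the new CPUID bits and MSRs the bullets refer to, since readers will want to check for them in their guests.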

Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

2018-01-04 Thread Alexandre DERUMIER
It seems that for Spectre, cpumodel=qemu64|kvm64 is OK,

but not for the 2 other CVEs

On 04/01/2018 19:13, Alexandre DERUMIER wrote:
> Thanks Paolo !
> 
> Do we need to update guest kernel too, if qemu use cpumodel=qemu64 ?
> 
> (For example,  I have some very old guests where kernel update is not 
> possible)

If you want to be protected against the other two CVEs (one of which is
"Meltdown"), yes.

Paolo


- Original message -
From: "Stefan Priebe, Profihost AG" <s.pri...@profihost.ag>
To: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Thursday, 4 January 2018 19:25:44
Subject: Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

Thanks! But that means we can update the kernel on the host which makes the 
host and vm jumping safe BUT multi user guests are still vulnerable as long as 
there are no qemu patches even if the guest has a current kernel. 

Greets, 
Stefan 

Excuse my typo sent from my mobile phone. 

> On 04.01.2018 at 19:09, Alexandre DERUMIER <aderum...@odiso.com> wrote: 
> 
> From Paolo bonzini on qemu-devel 
> 
> -- 
> _posts/ 2018-01-04 -spectre.md | 60 
>  
> 1 file changed, 60 insertions(+) 
> create mode 100644 _posts/ 2018-01-04 -spectre.md 
> 
> diff --git a/_posts/ 2018-01-04 -spectre.md b/_posts/ 2018-01-04 -spectre.md 
> new file mode 100644 
> index 000..1be86d0 
> --- /dev/null 
> +++ b/_posts/ 2018-01-04 -spectre.md 
> @@ -0,0 +1,60 @@ 
> +--- 
> +layout: post 
> +title: "QEMU and the Spectre and Meltdown attacks" 
> +date: 2018-01-04 18:00:00 + 
> +author: Paolo Bonzini and Eduardo Habkost 
> +categories: [meltdown, spectre, security, x86] 
> +--- 
> +As you probably know by now, three critical architectural flaws in CPUs have 
> +been recently disclosed that allow user processes to read kernel or 
> hypervisor 
> +memory through cache side-channel attacks. These flaws, collectively 
> +named _Meltdown_ and _Spectre_, affect in one way or another almost 
> +all processors that perform out-of-order execution, including x86 (from 
> +Intel and AMD), POWER, s390 and ARM processors. 
> + 
> +No microcode updates are required to block the _Meltdown_ attack; it is 
> +enough to update the guest operating system to a version that separates 
> +the user and kernel address spaces (known as _page table isolation_ for 
> +the Linux kernel). Therefore, this post will focus on _Spectre_, and 
> +especially on [CVE-2017-5715]( [ 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 | 
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 ] ). 
> + 
> +Fixing or mitigating _Spectre_ in general, and CVE-2017-5715 in particular, 
> +requires cooperation between the processor and the operating system kernel 
> or 
> +hypervisor; the processor can be updated through microcode or millicode 
> +patches to provide the required functionality. CVE-2017-5715 allows guests 
> +to read potentially sensitive data from hypervisor memory; however, 
> __patching 
> +the host kernel is sufficient to block this attack__. 
> + 
> +On the other hand, in order to protect the guest kernel from a malicious 
> +userspace, updates are also needed to the guest kernel and, depending on 
> +the processor architecture, to QEMU. Just like on bare-metal, the guest 
> +kernel will use the new functionality provided by the microcode or millicode 
> +updates. When running under a hypervisor, processor emulation is mostly out 
> of 
> +QEMU's scope, so QEMU's role in the fix is small, but nevertheless 
> important. 
> +In the case of KVM: 
> + 
> +* QEMU configures the hypervisor to emulate a specific processor model. 
> +For x86, QEMU has to be aware of new CPUID bits introduced by the microcode 
> +update, and it must provide them to guests depending on how the guest is 
> +configured. 
> + 
> +* upon virtual machine migration, QEMU reads the CPU state on the source 
> +and transmits it to the destination. For x86, QEMU has to be aware of new 
> +model specific registers (MSRs). 
> + 
> +Right now, there are no public patches to KVM that expose the new CPUID bits 
> +and MSRs to the virtual machines, therefore there is no urgent need to 
> update 
> +QEMU; remember that __updating the host kernel is enough to protect the 
> +host from malicious guests__. Nevertheless, updates will be posted to the 
> +qemu-devel mailing list in the next few days, and a 2.11.1 patch release 
> +will be released with the fix. 
> + 
> +As of today, the QEMU project is not aware of whether similar changes will 
> +be required for non-x86 processors. If so, they will also posted to the 
> +mailing list and backported to recent stable releases. 
> + 
> +
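
Review bot: In the "Right now" paragraph, "a 2.11.1 patch release will be released with the fix" repeats "release"; "a 2.11.1 patch release will follow with the fix" reads better. The same sentence promises updates "in the next few days", so a link to the posted series should be added once it exists, otherwise the post goes stale quickly.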

Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

2018-01-04 Thread Stefan Priebe - Profihost AG
2.14.3
> 
> Alexandre Derumier 
> 
> - Original message -
> From: "Fabian Grünbichler" <f.gruenbich...@proxmox.com>
> To: "pve-devel" <pve-devel@pve.proxmox.com>
> Sent: Thursday, 4 January 2018 09:50:04
> Subject: Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?
> 
>> On Thu, Jan 04, 2018 at 07:17:54AM +0100, Stefan Priebe - Profihost AG 
>> wrote: 
>> Hello, 
>> 
>> as far as i can see at least SuSE updated qemu for Meltdown and Spectre 
>> to provide CPUID information to the guest. 
>> 
>> I think we need to patch qemu as well asap? Has anybody found the 
>> relevant patches? 
>> 
>> https://www.pro-linux.de/sicherheit/2/41859/preisgabe-von-informationen-in-qemu.html
>>  
>> 
>> Greets, 
>> Stefan 
> 
> there seem to be no public (qemu) patches yet, once there are, we will 
> review and include them. 
> 


Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

2018-01-04 Thread Alexandre DERUMIER
From Paolo bonzini on qemu-devel

-- 
_posts/ 2018-01-04 -spectre.md | 60 
 
1 file changed, 60 insertions(+) 
create mode 100644 _posts/ 2018-01-04 -spectre.md 

diff --git a/_posts/ 2018-01-04 -spectre.md b/_posts/ 2018-01-04 -spectre.md 
new file mode 100644 
index 000..1be86d0 
--- /dev/null 
+++ b/_posts/ 2018-01-04 -spectre.md 
@@ -0,0 +1,60 @@ 
+--- 
+layout: post 
+title: "QEMU and the Spectre and Meltdown attacks" 
+date: 2018-01-04 18:00:00 + 
+author: Paolo Bonzini and Eduardo Habkost 
+categories: [meltdown, spectre, security, x86] 
+--- 
+As you probably know by now, three critical architectural flaws in CPUs have 
+been recently disclosed that allow user processes to read kernel or hypervisor 
+memory through cache side-channel attacks. These flaws, collectively 
+named _Meltdown_ and _Spectre_, affect in one way or another almost 
+all processors that perform out-of-order execution, including x86 (from 
+Intel and AMD), POWER, s390 and ARM processors. 
+ 
+No microcode updates are required to block the _Meltdown_ attack; it is 
+enough to update the guest operating system to a version that separates 
+the user and kernel address spaces (known as _page table isolation_ for 
+the Linux kernel). Therefore, this post will focus on _Spectre_, and 
+especially on [CVE-2017-5715]( [ 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 | 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 ] ). 
+ 
+Fixing or mitigating _Spectre_ in general, and CVE-2017-5715 in particular, 
+requires cooperation between the processor and the operating system kernel or 
+hypervisor; the processor can be updated through microcode or millicode 
+patches to provide the required functionality. CVE-2017-5715 allows guests 
+to read potentially sensitive data from hypervisor memory; however, __patching 
+the host kernel is sufficient to block this attack__. 
+ 
+On the other hand, in order to protect the guest kernel from a malicious 
+userspace, updates are also needed to the guest kernel and, depending on 
+the processor architecture, to QEMU. Just like on bare-metal, the guest 
+kernel will use the new functionality provided by the microcode or millicode 
+updates. When running under a hypervisor, processor emulation is mostly out of 
+QEMU's scope, so QEMU's role in the fix is small, but nevertheless important. 
+In the case of KVM: 
+ 
+* QEMU configures the hypervisor to emulate a specific processor model. 
+For x86, QEMU has to be aware of new CPUID bits introduced by the microcode 
+update, and it must provide them to guests depending on how the guest is 
+configured. 
+ 
+* upon virtual machine migration, QEMU reads the CPU state on the source 
+and transmits it to the destination. For x86, QEMU has to be aware of new 
+model specific registers (MSRs). 
+ 
+Right now, there are no public patches to KVM that expose the new CPUID bits 
+and MSRs to the virtual machines, therefore there is no urgent need to update 
+QEMU; remember that __updating the host kernel is enough to protect the 
+host from malicious guests__. Nevertheless, updates will be posted to the 
+qemu-devel mailing list in the next few days, and a 2.11.1 patch release 
+will be released with the fix. 
+ 
+As of today, the QEMU project is not aware of whether similar changes will 
+be required for non-x86 processors. If so, they will also posted to the 
+mailing list and backported to recent stable releases. 
+ 
+For more information on the vulnerabilities, please refer to the [Google 
Security 
+Blog]( [ 
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
 | 
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
 ] ) 
+and [Google Project 
+Zero]( [ 
https://googleprojectzero.blogspot.it/2018/01/reading-privileged-memory-with-side.html
 | 
https://googleprojectzero.blogspot.it/2018/01/reading-privileged-memory-with-side.html
 ] ) 
+posts on the topic, as well as the [Spectre and Meltdown FAQ]( [ 
https://meltdownattack.com/#faq | https://meltdownattack.com/#faq ] ). 
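
Review bot: In the paragraph on non-x86 processors, "If so, they will also posted to the mailing list" is missing a verb; it should read "they will also be posted to the mailing list and backported to recent stable releases".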
-- 
2.14.3

Alexandre Derumier 

- Original message -
From: "Fabian Grünbichler" <f.gruenbich...@proxmox.com>
To: "pve-devel" <pve-devel@pve.proxmox.com>
Sent: Thursday, 4 January 2018 09:50:04
Subject: Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

On Thu, Jan 04, 2018 at 07:17:54AM +0100, Stefan Priebe - Profihost AG wrote: 
> Hello, 

Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

2018-01-04 Thread Fabian Grünbichler
On Thu, Jan 04, 2018 at 07:17:54AM +0100, Stefan Priebe - Profihost AG wrote:
> Hello,
> 
> as far as i can see at least SuSE updated qemu for Meltdown and Spectre
> to provide CPUID information to the guest.
> 
> I think we need to patch qemu as well asap? Has anybody found the
> relevant patches?
> 
> https://www.pro-linux.de/sicherheit/2/41859/preisgabe-von-informationen-in-qemu.html
> 
> Greets,
> Stefan

there seem to be no public (qemu) patches yet, once there are, we will
review and include them.
