Testing Bionic:
Diff pre/post output:
virsh capabilities:
--- cap.old 2019-09-13 07:47:39.904489440 +0000
+++ cap.new 2019-09-13 07:54:17.141044569 +0000
@@ -26,6 +26,7 @@
<feature name='perfctr_core'/>
<feature name='perfctr_nb'/>
<feature name='invtsc'/>
+ <feature name='amd-ssbd'/>
<pages unit='KiB' size='4'/>
<pages unit='KiB' size='2048'/>
<pages unit='KiB' size='1048576'/>
virsh domcapabilities:
--- dcap.old 2019-09-13 07:47:45.944614794 +0000
+++ dcap.new 2019-09-13 07:54:09.708864451 +0000
@@ -30,6 +30,7 @@
<feature policy='require' name='topoext'/>
<feature policy='require' name='perfctr_core'/>
<feature policy='require' name='invtsc'/>
+ <feature policy='require' name='amd-ssbd'/>
<feature policy='disable' name='monitor'/>
</mode>
<mode name='custom' supported='yes'>
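Review bot: the new line in the host-model block, `<feature policy='require' name='amd-ssbd'/>`, means every guest defined with `<cpu mode='host-model'/>` will demand the feature the next time it is (re)started, so such a guest can no longer be migrated to a host whose libvirt, QEMU or CPU does not expose amd-ssbd. Guests that must stay migratable to not-yet-upgraded hosts should carry an explicit `<feature policy='disable' name='amd-ssbd'/>` override in their own config, as the verification below does; the hunk itself is what one expects for a backported CPU feature, no change needed.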
Upgrade:
$ sudo apt install libvirt-daemon-system
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libvirt-clients libvirt-daemon libvirt-daemon-driver-storage-rbd libvirt0
Suggested packages:
libvirt-daemon-driver-storage-gluster libvirt-daemon-driver-storage-sheepdog
libvirt-daemon-driver-storage-zfs numad radvd auditd systemtap nfs-common
zfsutils pm-utils
The following packages will be upgraded:
libvirt-clients libvirt-daemon libvirt-daemon-driver-storage-rbd
libvirt-daemon-system libvirt0
5 upgraded, 0 newly installed, 0 to remove and 14 not upgraded.
Need to get 4116 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libvirt-daemon-driver-storage-rbd amd64 4.0.0-1ubuntu8.13 [15.4 kB]
Get:2 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libvirt-daemon-system amd64 4.0.0-1ubuntu8.13 [80.7 kB]
Get:3 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libvirt-daemon amd64 4.0.0-1ubuntu8.13 [2176 kB]
Get:4 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libvirt-clients amd64 4.0.0-1ubuntu8.13 [596 kB]
Get:5 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libvirt0 amd64 4.0.0-1ubuntu8.13 [1248 kB]
Fetched 4116 kB in 1s (4660 kB/s)
Preconfiguring packages ...
(Reading database ... 71127 files and directories currently installed.)
Preparing to unpack .../libvirt-daemon-driver-storage-rbd_4.0.0-1ubuntu8.13_amd64.deb ...
Unpacking libvirt-daemon-driver-storage-rbd (4.0.0-1ubuntu8.13) over (4.0.0-1ubuntu8.12) ...
Preparing to unpack .../libvirt-daemon-system_4.0.0-1ubuntu8.13_amd64.deb ...
Unpacking libvirt-daemon-system (4.0.0-1ubuntu8.13) over (4.0.0-1ubuntu8.12) ...
Preparing to unpack .../libvirt-daemon_4.0.0-1ubuntu8.13_amd64.deb ...
Unpacking libvirt-daemon (4.0.0-1ubuntu8.13) over (4.0.0-1ubuntu8.12) ...
Preparing to unpack .../libvirt-clients_4.0.0-1ubuntu8.13_amd64.deb ...
Unpacking libvirt-clients (4.0.0-1ubuntu8.13) over (4.0.0-1ubuntu8.12) ...
Preparing to unpack .../libvirt0_4.0.0-1ubuntu8.13_amd64.deb ...
Unpacking libvirt0:amd64 (4.0.0-1ubuntu8.13) over (4.0.0-1ubuntu8.12) ...
Setting up libvirt0:amd64 (4.0.0-1ubuntu8.13) ...
Setting up libvirt-daemon (4.0.0-1ubuntu8.13) ...
Setting up libvirt-clients (4.0.0-1ubuntu8.13) ...
Setting up libvirt-daemon-system (4.0.0-1ubuntu8.13) ...
virtlockd.service is a disabled or a static unit, not starting it.
Setting up libvirt-daemon dnsmasq configuration.
Setting up libvirt-daemon-driver-storage-rbd (4.0.0-1ubuntu8.13) ...
Processing triggers for systemd (237-3ubuntu10.29) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
I further used the named feature, e.g. like:
<feature policy='disable' name='amd-ssbd'/>
in the guest config, and it was recognized and carried through to the qemu command line:
-cpu EPYC-IBPB,...,amd-ssbd=off
Without the new disable, host-model now passes:
...,amd-ssbd=on
The spectre checker shows the difference: the guest now gets the fix we wanted it to have.
--- old.log 2019-09-13 08:01:49.919323740 +0000
+++ new.log 2019-09-13 08:02:45.244000000 +0000
@@ -10 +10 @@
- * SPEC_CTRL MSR is available: NO
+ * SPEC_CTRL MSR is available: YES
@@ -18 +18 @@
- * SPEC_CTRL MSR is available: NO
+ * SPEC_CTRL MSR is available: YES
@@ -22 +22 @@
- * CPU indicates SSBD capability: YES (AMD non-architectural MSR)
+ * CPU indicates SSBD capability: YES (AMD SSBD in SPEC_CTRL)
@@ -77 +77 @@
-* Mitigated according to the /sys interface: NO (Vulnerable)
+* Mitigated according to the /sys interface: YES (Mitigation: Speculative
Store Bypass disabled via prctl and seccomp)
@@ -79,2 +79,3 @@
-* SSB mitigation is enabled and active: NO
-> STATUS: VULNERABLE (your CPU and kernel both support SSBD but the
mitigation is not active)
+* SSB mitigation is enabled and active: YES (per-thread through prctl)
+* SSB mitigation currently active for selected processes: YES
(systemd-hostnamed systemd-journald systemd-logind systemd-networkd
systemd-resolved systemd-timesyncd systemd-udevd)
+> STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via
prctl and seccomp)
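Review bot: the `NOT VULNERABLE` verdict in this hunk should be read together with the mode it names, `disabled via prctl and seccomp`: that is the per-thread opt-in mode, and the checker's own list of processes with the mitigation active contains only the systemd services shown (systemd-hostnamed, -journald, -logind, -networkd, -resolved, -timesyncd, -udevd). Any other process in the guest that neither calls the prctl nor runs under a seccomp filter stays exposed to CVE-2018-3639. What the upgrade verifies is that the guest kernel can now see SSBD through SPEC_CTRL (the earlier hunks); a guest that needs a blanket mitigation still has to ask for it on its own kernel command line with `spec_store_bypass_disable=on`, which would change this line to a global `Mitigation:` string.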
@@ -131 +132 @@
-> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK
CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK
CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK
+> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK
CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK
CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK
With that confirmed, setting verified.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5753
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12126
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12127
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12130
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-3615
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-3620
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-3639
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-3640
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-3646
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-11091
** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic
https://bugs.launchpad.net/bugs/1840745
Title:
backport extended amd spectre mitigations
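The verification above was done by hand: diffing `virsh capabilities` and `virsh domcapabilities` before and after the upgrade, checking that a `<feature policy=…>` line in the guest XML turns into the matching `amd-ssbd=on|off` token on the QEMU `-cpu` line, and then reading the guest kernel's verdict from sysfs. The script below is an added example that scripts those same checks; it is not part of the bug report and not libvirt or spectre-meltdown-checker code. All inputs are constructed sample snippets written to a temp directory so it runs offline; the function names (`xml_has_feature`, `feature_policy`, `qemu_cpu_feature_state`, `policy_matches_cmdline`, `ssb_sys_status`) and the sample file names are this example's own. On a live host the real inputs are the two `virsh` dumps, the `-cpu` value from `/proc/<qemu pid>/cmdline`, and, inside the guest, `/sys/devices/system/cpu/vulnerabilities/spec_store_bypass`.

```shell
#!/bin/sh
# Added example (not from the bug report): offline checks mirroring the manual
# amd-ssbd verification. Inputs below are constructed samples, not real dumps.

SAMPLE_DIR=$(mktemp -d)

# Constructed: host capabilities before/after the upgrade, trimmed to <feature/> lines.
cat > "$SAMPLE_DIR/cap.old" <<'EOF'
<feature name='perfctr_core'/>
<feature name='invtsc'/>
EOF
cat > "$SAMPLE_DIR/cap.new" <<'EOF'
<feature name='perfctr_core'/>
<feature name='invtsc'/>
<feature name='amd-ssbd'/>
EOF
# Constructed: domcapabilities host-model section after the upgrade.
cat > "$SAMPLE_DIR/dcap.new" <<'EOF'
<feature policy='require' name='invtsc'/>
<feature policy='require' name='amd-ssbd'/>
<feature policy='disable' name='monitor'/>
EOF
# Constructed: guest-side sysfs content before/after.
printf 'Vulnerable\n' > "$SAMPLE_DIR/ssb.old"
printf 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n' > "$SAMPLE_DIR/ssb.new"

# Does a (dom)capabilities XML dump advertise the named CPU feature? (exit 0 = yes)
xml_has_feature() {          # $1 = xml file, $2 = feature name
    grep -q "<feature[^>]*name='$2'/>" "$1"
}

# Policy libvirt attaches to a feature in host-model mode; "absent" if not listed.
feature_policy() {           # $1 = domcapabilities file, $2 = feature name
    p=$(sed -n "s/.*<feature policy='\([a-z]*\)' name='$2'.*/\1/p" "$1" | head -n 1)
    printf '%s\n' "${p:-absent}"
}

# State of a feature in a QEMU -cpu value such as "EPYC-IBPB,...,amd-ssbd=off".
# Tokens are comma-separated and the last occurrence wins; prints on/off/absent.
qemu_cpu_feature_state() {   # $1 = -cpu value, $2 = feature name
    s=$(printf '%s\n' "$1" | tr ',' '\n' | grep -E "^$2=(on|off)$" | tail -n 1 | cut -d= -f2)
    printf '%s\n' "${s:-absent}"
}

# Did the guest XML policy survive into the QEMU command line?
# require/force must yield NAME=on, disable must yield NAME=off.
policy_matches_cmdline() {   # $1 = policy, $2 = -cpu value, $3 = feature name
    case "$1:$(qemu_cpu_feature_state "$2" "$3")" in
        require:on|force:on|disable:off) return 0 ;;
        *)                               return 1 ;;
    esac
}

# Classify the guest kernel's own verdict. "Mitigation: ... via prctl and seccomp"
# is per-process opt-in, so it is reported separately from a global mitigation.
ssb_sys_status() {           # $1 = file holding spec_store_bypass content
    case "$(cat "$1")" in
        "Not affected")          echo not-affected ;;
        "Mitigation:"*"prctl"*)  echo mitigated-opt-in ;;
        "Mitigation:"*)          echo mitigated ;;
        "Vulnerable"*)           echo vulnerable ;;
        *)                       echo unknown ;;
    esac
}

# Walk the same sequence as the manual verification.
for f in cap.old cap.new; do
    if xml_has_feature "$SAMPLE_DIR/$f" amd-ssbd; then
        echo "$f: amd-ssbd advertised"
    else
        echo "$f: amd-ssbd missing"
    fi
done
echo "host-model policy for amd-ssbd: $(feature_policy "$SAMPLE_DIR/dcap.new" amd-ssbd)"
echo "guest policy=disable -> qemu: $(qemu_cpu_feature_state 'EPYC-IBPB,x2apic=on,amd-ssbd=off' amd-ssbd)"
echo "guest sysfs before: $(ssb_sys_status "$SAMPLE_DIR/ssb.old"), after: $(ssb_sys_status "$SAMPLE_DIR/ssb.new")"
```

`ssb_sys_status` deliberately distinguishes the prctl/seccomp string from a global `Mitigation:` line, because only the latter covers every process in the guest; a verification script that collapses both to "mitigated" would pass a guest where nothing but a handful of opted-in daemons is protected.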