You said this might have been resolved differently anyway with the newest kernel having again hle/rtm enabled - I haven't heard about it but that would probably be even better.

Let's see on the kernel side.
- Fixes for CVE-2019-11135 got added in 4.15.0-69.78
- This was reported against 4.15.0-70
- Wondering about 4.15.0-72 being ok again
Reading the latest state of Documentation/admin-guide/hw-vuln/tsx_async_abort.rst shows:
https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html#mitigation-control-on-the-kernel-command-line

  tsx=on     tsx_async_abort=full         The system will use VERW to clear CPU
                                          buffers. Cross-thread attacks are still
                                          possible on SMT machines.
  tsx=on     tsx_async_abort=full,nosmt   As above, cross-thread attacks on SMT
                                          mitigated.
  tsx=on     tsx_async_abort=off          The system is vulnerable.
  tsx=off    tsx_async_abort=full         TSX might be disabled if microcode
                                          provides a TSX control MSR. If so,
                                          system is not vulnerable.
  tsx=off    tsx_async_abort=full,nosmt   Ditto
  tsx=off    tsx_async_abort=off          ditto

Maybe the initial take was tsx=off which would switch off those flags.
But now is any of the tsx=on but with full mitigations?
But I'm guessing at this point.

I have not found a clear kernel change since then (not until 4.15.0-73.82, but even less so between .70 and .72) that would change these.
The only related "- x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs" seems to only affect print output, but not change behavior.
Furthermore none of the systems I have has got hle/rtm back since then.

@Nobuto - has your system any of the above kernel parameters set manually?

I haven't heard from this by sbeattie or others after my last update. Let's ping security to be sure this hasn't been forgotten. (I have done that on IRC as well)
@Security - any updates on this from your side?

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-11135
https://bugs.launchpad.net/bugs/1853200

Title: cpu features hle and rtm disabled for security are present in /usr/share/libvirt/cpu_map.xml
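
Added example, not part of the original comment and not kernel or libvirt code: a small shell check for the two things asked about above, namely whether tsx= / tsx_async_abort= are set on the kernel command line and whether hle/rtm still appear in the CPU flags. The function names, the sample boot line and the sample cpuinfo text are constructed for illustration; reporting the last occurrence of a repeated parameter is a choice made by this example.

```shell
#!/bin/sh
# Value of kernel parameter $1 in command-line text $2, or "unset".
# Runs in a subshell with globbing off; the last occurrence is reported.
cmdline_param() (
    set -f
    val=unset
    for word in $2; do
        case $word in "$1"=*) val=${word#*=} ;; esac
    done
    printf '%s\n' "$val"
)

# Which of hle/rtm appear in the first "flags" line of cpuinfo text $1.
tsx_flags() (
    set -f
    found=
    flags=$(printf '%s\n' "$1" | sed -n 's/^flags[[:space:]]*:[[:space:]]*//p' | head -n 1)
    for f in $flags; do
        case $f in hle|rtm) found="${found:+$found }$f" ;; esac
    done
    printf '%s\n' "${found:-none}"
)

# Outcome for a tsx / tsx_async_abort pair, per the table quoted in the comment.
taa_outcome() {
    case "$1/$2" in
        on/full)       echo "VERW clears CPU buffers, cross-thread attacks possible on SMT" ;;
        on/full,nosmt) echo "VERW clears CPU buffers, cross-thread attacks on SMT mitigated" ;;
        on/off)        echo "system is vulnerable" ;;
        off/full|off/full,nosmt|off/off)
                       echo "not vulnerable if microcode provides a TSX control MSR" ;;
        *)             echo "not in the quoted table (unset or other value)" ;;
    esac
}

report() {  # $1 = command-line text, $2 = cpuinfo text
    tsx=$(cmdline_param tsx "$1")
    taa=$(cmdline_param tsx_async_abort "$1")
    echo "tsx=$tsx tsx_async_abort=$taa: $(taa_outcome "$tsx" "$taa")"
    echo "TSX cpu flags present: $(tsx_flags "$2")"
}

# Constructed sample input; on a live system use instead:
#   report "$(cat /proc/cmdline)" "$(cat /proc/cpuinfo)"
#   cat /sys/devices/system/cpu/vulnerabilities/tsx_async_abort
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro tsx=on tsx_async_abort=full,nosmt'
SAMPLE_CPUINFO='processor       : 0
flags           : fpu vme avx2 hle rtm smep'
report "$SAMPLE_CMDLINE" "$SAMPLE_CPUINFO"
```

A result of "unset" for both parameters means nothing was set manually and the kernel's built-in defaults decide the state.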
