[pve-devel] missing cpu flags? (CVE-2018-3639)
Alexandre DERUMIER
aderumier at odiso.com
Mon Aug 20 17:19:36 CEST 2018
Hi Stefan,
thanks for the infos!
>>At least ssbd is important for guest to mitigate CVE-2018-3639.
This need qemu 3.0 :/
https://wiki.qemu.org/ChangeLog/3.0
"The 'ssbd', 'virt-ssbd', 'amd-ssbd' and 'amd-no-ssb' CPU feature flags are added in relation to the "Speculative Store Bypass" hardware vulnerability (CVE-2018-3639)"
maybe can we try to backport them ?
https://git.qemu.org/?p=qemu.git;a=commit;h=403503b162ffc33fb64cfefdf7b880acf41772cd
https://git.qemu.org/?p=qemu.git;a=commit;h=d19d1f965904a533998739698020ff4ee8a103da
https://git.qemu.org/?p=qemu.git;a=commit;h=403503b162ffc33fb64cfefdf7b880acf41772cd
>>It also seems to make sense to enable pdpe1gb
is it related to a vulnerability ?
it's already possible to use hugepage currently with "hugepages: <1024 | 2 | any>". But it's only on the qemu/hostside.
I think pdpe1gb expose hugepage inside the guest, right ?
----- Mail original -----
De: "Stefan Priebe, Profihost AG" <s.priebe at profihost.ag>
À: "pve-devel" <pve-devel at pve.proxmox.com>
Envoyé: Vendredi 17 Août 2018 13:30:10
Objet: [pve-devel] missing cpu flags? (CVE-2018-3639)
Hello,
after researching l1tf mitigation for qemu and reading https://www.berrange.com/posts/2018/06/29/cpu-model-configuration-for-qemu-kvm-on-x86-hosts/
It seems pve misses at least the following cpu flag:
ssbd
It also seems to make sense to enable pdpe1gb
At least ssbd is important for guest to mitigate CVE-2018-3639.
Greets,
Stefan
Excuse my typo sent from my mobile phone.
_______________________________________________
pve-devel mailing list
pve-devel at pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
More information about the pve-devel
mailing list