[pve-devel] missing cpu flags? (CVE-2018-3639)

Alexandre DERUMIER aderumier at odiso.com
Mon Aug 20 17:19:36 CEST 2018


Hi Stefan,

thanks for the infos!


>>At least ssbd is important for guest to mitigate CVE-2018-3639. 

This need qemu 3.0 :/

https://wiki.qemu.org/ChangeLog/3.0

"The 'ssbd', 'virt-ssbd', 'amd-ssbd' and 'amd-no-ssb' CPU feature flags are added in relation to the "Speculative Store Bypass" hardware vulnerability (CVE-2018-3639)"


maybe can we try to backport them ?

https://git.qemu.org/?p=qemu.git;a=commit;h=403503b162ffc33fb64cfefdf7b880acf41772cd
https://git.qemu.org/?p=qemu.git;a=commit;h=d19d1f965904a533998739698020ff4ee8a103da
https://git.qemu.org/?p=qemu.git;a=commit;h=403503b162ffc33fb64cfefdf7b880acf41772cd

>>It also seems to make sense to enable pdpe1gb 

is it related to a vulnerability ?

it's already possible to use hugepage currently with "hugepages: <1024 | 2 | any>". But it's only on the qemu/hostside.
I think pdpe1gb expose hugepage inside the guest, right ?


----- Mail original -----
De: "Stefan Priebe, Profihost AG" <s.priebe at profihost.ag>
À: "pve-devel" <pve-devel at pve.proxmox.com>
Envoyé: Vendredi 17 Août 2018 13:30:10
Objet: [pve-devel] missing cpu flags? (CVE-2018-3639)

Hello, 

after researching l1tf mitigation for qemu and reading https://www.berrange.com/posts/2018/06/29/cpu-model-configuration-for-qemu-kvm-on-x86-hosts/ 

It seems pve misses at least the following cpu flag: 
ssbd 

It also seems to make sense to enable pdpe1gb 

At least ssbd is important for guest to mitigate CVE-2018-3639. 

Greets, 
Stefan 

Excuse my typo sent from my mobile phone. 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 




More information about the pve-devel mailing list