[pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

Alexandre DERUMIER aderumier at odiso.com
Fri Jan 5 06:30:50 CET 2018


ubuntu have announced kernel patch for the 9th january (4.4 && 4.13)

https://insights.ubuntu.com/2018/01/04/ubuntu-updates-for-the-meltdown-spectre-vulnerabilities/

----- Mail original -----
De: "Stefan Priebe, Profihost AG" <s.priebe at profihost.ag>
À: "pve-devel" <pve-devel at pve.proxmox.com>, "aderumier" <aderumier at odiso.com>
Envoyé: Jeudi 4 Janvier 2018 21:08:32
Objet: Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

Here we go - attached is the relevant patch - extracted from the 
opensuse src.rpm. 

Greets, 
Stefan 


Am 04.01.2018 um 19:37 schrieb Alexandre DERUMIER: 
> seem that for spectre, cpumodel=qemu64|kvm64 is ok. 
> 
> but not for the 2 others cve 
> 
> On 04/01/2018 19:13, Alexandre DERUMIER wrote: 
>> Thanks Paolo ! 
>> 
>> Do we need to update guest kernel too, if qemu use cpumodel=qemu64 ? 
>> 
>> (For example, I have some very old guests where kernel update is not possible) 
> 
> If you want to be protected against the other two CVEs (one of which is 
> "Meltdown"), yes. 
> 
> Paolo 
> 
> 
> ----- Mail original ----- 
> De: "Stefan Priebe, Profihost AG" <s.priebe at profihost.ag> 
> À: "pve-devel" <pve-devel at pve.proxmox.com> 
> Envoyé: Jeudi 4 Janvier 2018 19:25:44 
> Objet: Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre? 
> 
> Thanks! But that means we can update the kernel on the host which makes the host and vm jumping safe BUT multi user guests are still vulnerable as long as there are no qemu patches even if the guest has a current kernel. 
> 
> Greets, 
> Stefan 
> 
> Excuse my typo sent from my mobile phone. 
> 
>> Am 04.01.2018 um 19:09 schrieb Alexandre DERUMIER <aderumier at odiso.com>: 
>> 
>> From Paolo bonzini on qemu-devel 
>> 
>> -- 
>> _posts/ 2018-01-04 -spectre.md | 60 ++++++++++++++++++++++++++++++++++++++++++++ 
>> 1 file changed, 60 insertions(+) 
>> create mode 100644 _posts/ 2018-01-04 -spectre.md 
>> 
>> diff --git a/_posts/ 2018-01-04 -spectre.md b/_posts/ 2018-01-04 -spectre.md 
>> new file mode 100644 
>> index 0000000..1be86d0 
>> --- /dev/null 
>> +++ b/_posts/ 2018-01-04 -spectre.md 
>> @@ -0,0 +1,60 @@ 
>> +--- 
>> +layout: post 
>> +title: "QEMU and the Spectre and Meltdown attacks" 
>> +date: 2018-01-04 18:00:00 +0000 
>> +author: Paolo Bonzini and Eduardo Habkost 
>> +categories: [meltdown, spectre, security, x86] 
>> +--- 
>> +As you probably know by now, three critical architectural flaws in CPUs have 
>> +been recently disclosed that allow user processes to read kernel or hypervisor 
>> +memory through cache side-channel attacks. These flaws, collectively 
>> +named _Meltdown_ and _Spectre_, affect in one way or another almost 
>> +all processors that perform out-of-order execution, including x86 (from 
>> +Intel and AMD), POWER, s390 and ARM processors. 
>> + 
>> +No microcode updates are required to block the _Meltdown_ attack; it is 
>> +enough to update the guest operating system to a version that separates 
>> +the user and kernel address spaces (known as _page table isolation_ for 
>> +the Linux kernel). Therefore, this post will focus on _Spectre_, and 
>> +especially on [CVE-2017-5715]( [ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715 ] ). 
>> + 
>> +Fixing or mitigating _Spectre_ in general, and CVE-2017-5715 in particular, 
>> +requires cooperation between the processor and the operating system kernel or 
>> +hypervisor; the processor can be updated through microcode or millicode 
>> +patches to provide the required functionality. CVE-2017-5715 allows guests 
>> +to read potentially sensitive data from hypervisor memory; however, __patching 
>> +the host kernel is sufficient to block this attack__. 
>> + 
>> +On the other hand, in order to protect the guest kernel from a malicious 
>> +userspace, updates are also needed to the guest kernel and, depending on 
>> +the processor architecture, to QEMU. Just like on bare-metal, the guest 
>> +kernel will use the new functionality provided by the microcode or millicode 
>> +updates. When running under a hypervisor, processor emulation is mostly out of 
>> +QEMU's scope, so QEMU's role in the fix is small, but nevertheless important. 
>> +In the case of KVM: 
>> + 
>> +* QEMU configures the hypervisor to emulate a specific processor model. 
>> +For x86, QEMU has to be aware of new CPUID bits introduced by the microcode 
>> +update, and it must provide them to guests depending on how the guest is 
>> +configured. 
>> + 
>> +* upon virtual machine migration, QEMU reads the CPU state on the source 
>> +and transmits it to the destination. For x86, QEMU has to be aware of new 
>> +model specific registers (MSRs). 
>> + 
>> +Right now, there are no public patches to KVM that expose the new CPUID bits 
>> +and MSRs to the virtual machines, therefore there is no urgent need to update 
>> +QEMU; remember that __updating the host kernel is enough to protect the 
>> +host from malicious guests__. Nevertheless, updates will be posted to the 
>> +qemu-devel mailing list in the next few days, and a 2.11.1 patch release 
>> +will be released with the fix. 
>> + 
>> +As of today, the QEMU project is not aware of whether similar changes will 
>> +be required for non-x86 processors. If so, they will also posted to the 
>> +mailing list and backported to recent stable releases. 
>> + 
>> +For more information on the vulnerabilities, please refer to the [Google Security 
>> +Blog]( [ https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html | https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html ] ) 
>> +and [Google Project 
>> +Zero]( [ https://googleprojectzero.blogspot.it/2018/01/reading-privileged-memory-with-side.html | https://googleprojectzero.blogspot.it/2018/01/reading-privileged-memory-with-side.html ] ) 
>> +posts on the topic, as well as the [Spectre and Meltdown FAQ]( [ https://meltdownattack.com/#faq | https://meltdownattack.com/#faq ] ). 
>> -- 
>> 2.14.3 
>> 
>> Alexandre Derumier 
>> Ingénieur système et stockage 
>> 
>> Manager Infrastructure 
>> 
>> 
>> Fixe : +33 3 59 82 20 10 
>> 
>> 
>> 
>> 125 Avenue de la république 
>> 59110 La Madeleine 
>> [ https://twitter.com/OdisoHosting ] [ https://twitter.com/mindbaz ] [ https://www.linkedin.com/company/odiso ] [ https://www.viadeo.com/fr/company/odiso ] [ https://www.facebook.com/monsiteestlent ] 
>> 
>> [ https://www.monsiteestlent.com/ | MonSiteEstLent.com ] - Blog dédié à la webperformance et la gestion de pics de trafic 
>> 
>> ----- Mail original ----- 
>> De: "Fabian Grünbichler" <f.gruenbichler at proxmox.com> 
>> À: "pve-devel" <pve-devel at pve.proxmox.com> 
>> Envoyé: Jeudi 4 Janvier 2018 09:50:04 
>> Objet: Re: [pve-devel] Updated qemu pkg needed for Meltdown and Spectre? 
>> 
>>> On Thu, Jan 04, 2018 at 07:17:54AM +0100, Stefan Priebe - Profihost AG wrote: 
>>> Hello, 
>>> 
>>> as far as i can see at least SuSE updated qemu for Meltdown and Spectre 
>>> to provide CPUID information to the guest. 
>>> 
>>> I think we need to patch qemu as well asap? Has anybody found the 
>>> relevant patches? 
>>> 
>>> https://www.pro-linux.de/sicherheit/2/41859/preisgabe-von-informationen-in-qemu.html 
>>> 
>>> Greets, 
>>> Stefan 
>> 
>> there seem to be no public (qemu) patches yet, once there are, we will 
>> review and include them. 
>> 
>> _______________________________________________ 
>> pve-devel mailing list 
>> pve-devel at pve.proxmox.com 
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
>> 
>> _______________________________________________ 
>> pve-devel mailing list 
>> pve-devel at pve.proxmox.com 
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
> 
> _______________________________________________ 
> pve-devel mailing list 
> pve-devel at pve.proxmox.com 
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 
> 




More information about the pve-devel mailing list