[pve-devel] Updated qemu pkg needed for Meltdown and Spectre?

Fabian Grünbichler f.gruenbichler at proxmox.com
Fri Jan 5 21:41:36 CET 2018


On Fri, Jan 05, 2018 at 06:50:33PM +0100, Waschbüsch IT-Services GmbH wrote:
> 
> > On 05.01.2018 at 11:25, Fabian Grünbichler <f.gruenbichler at proxmox.com> wrote:
> > 
> > On Thu, Jan 04, 2018 at 09:08:32PM +0100, Stefan Priebe - Profihost AG wrote:
> >> 
> >> Here we go - attached is the relevant patch - extracted from the
> >> opensuse src.rpm.
> > 
> > this will most likely not be needed for some time, since a pre-requisite
> > is having microcode and kernels supporting IBRS and IBPB.
> > 
> > the microcode update is still on-going (e.g., some vendors like Lenovo,
> > Suse and RH have started releasing updates, but Intel still does not
> > have a public package yet and Debian's partial update is only in
> > unstable so far, likely taking at least a week to hit Stretch, and needs
> > non-free enabled).
> > 
> > the kernel changes have been submitted by Intel as a first draft for
> > discussion upstream.
> > 
> > the current plan is to release updated kernel packages ASAP based on 4.4
> > and 4.13 with
> > - final, tested KPTI patches (not yet available for 4.4 and 4.13!) to
> >  fix MELTDOWN for the host kernel
> > - backport / cherry-pick of KVM commit to prevent KVM guest->host
> >  SPECTRE exploit
> 
> 
> AFAIK Meltdown is only affecting Intel (& ARM), but not AMD - see 'Forcing direct cache loads' here:
> 
> https://lwn.net/SubscriberLink/742702/83606d2d267c0193/
> 
> Does anyone know if the current patching efforts will differentiate between Intel and AMD x86-64 offerings?
> 
> I would hate to update kernels with these patches unless my systems are indeed affected.
> Not because of possible performance impacts, mind, but because of stability.
> I just feel it in my bones this major intervention is going to introduce regressions... :-(

the Meltdown fix (KPTI) is disabled on AMD by default (and also
possible to disable using a kernel parameter on all platforms).

the (planned) Spectre fixes (Retpoline, IBRS and IBPB) are for all/most
platforms and vendors, some of them will likely be exposed as kernel
parameters, but some of them will likely only be available as compile time
options or not tunable at all.
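The reply above says KPTI is off on AMD by default, can be switched off everywhere with a kernel parameter, and that the Spectre mitigations will be exposed differently per platform. The script below is an added example for checking what a given host actually ended up with; it is not from the thread or from Proxmox. It assumes the interfaces the mainline mitigation patches use: a `pti` (or, in early stable backports, `kaiser`) word on the `flags` line of `/proc/cpuinfo` when page-table isolation is active, the `nopti` / `pti=off` boot parameters to disable it, and one file per issue under `/sys/devices/system/cpu/vulnerabilities/` on kernels that carry the mitigation patches. The sample inputs are constructed, not captured from real machines.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): summarise what the
# running kernel reports about KPTI (Meltdown) and the Spectre mitigations.
# Assumptions: "pti"/"kaiser" appears in the /proc/cpuinfo flags line when
# page-table isolation is enabled, "nopti" and "pti=off" disable it at boot,
# and mitigation-aware kernels publish /sys/devices/system/cpu/vulnerabilities/*.
# All sample inputs below are constructed.

# cpu_vendor CPUINFO_TEXT -> AMD | Intel | other (from the vendor_id line)
cpu_vendor() {
    case "$1" in
        *vendor_id*AuthenticAMD*) echo AMD ;;
        *vendor_id*GenuineIntel*) echo Intel ;;
        *) echo other ;;
    esac
}

# has_flag CPUINFO_TEXT FLAG -> success if FLAG is a whole word on a "flags" line
has_flag() {
    printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' | grep -qw -- "$2"
}

# kpti_state CPUINFO_TEXT CMDLINE -> active | off-by-cmdline | off-amd-default | absent
# "absent" on a non-AMD host means the kernel has no KPTI support at all,
# which on Intel hardware leaves Meltdown unmitigated.
kpti_state() {
    cpuinfo=$1; cmdline=$2
    case " $cmdline " in
        *" nopti "*|*" pti=off "*) echo off-by-cmdline; return 0 ;;
    esac
    if has_flag "$cpuinfo" pti || has_flag "$cpuinfo" kaiser; then
        echo active
    elif [ "$(cpu_vendor "$cpuinfo")" = AMD ]; then
        echo off-amd-default   # AMD is not affected by Meltdown; KPTI stays off
    else
        echo absent
    fi
}

# vuln_verdict SYSFS_TEXT -> not-affected | mitigated | vulnerable | unknown
# The sysfs files begin with "Not affected", "Mitigation: ..." or "Vulnerable".
vuln_verdict() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_host: run the checks against the live system
report_host() {
    cpuinfo=$(cat /proc/cpuinfo 2>/dev/null)
    cmdline=$(cat /proc/cmdline 2>/dev/null)
    echo "vendor: $(cpu_vendor "$cpuinfo")"
    echo "kpti:   $(kpti_state "$cpuinfo" "$cmdline")"
    for v in meltdown spectre_v1 spectre_v2; do
        f=/sys/devices/system/cpu/vulnerabilities/$v
        if [ -r "$f" ]; then
            text=$(cat "$f")
            echo "$v: $(vuln_verdict "$text") ($text)"
        else
            echo "$v: no sysfs entry (kernel predates the vulnerabilities interface)"
        fi
    done
}

# Constructed sample inputs (not captured from real hosts)
SAMPLE_AMD="vendor_id       : AuthenticAMD
flags           : fpu vme de pse tsc msr pae mce"
SAMPLE_INTEL_PTI="vendor_id       : GenuineIntel
flags           : fpu vme de pse tsc msr pae mce pti"
SAMPLE_INTEL_NOPTI="vendor_id       : GenuineIntel
flags           : fpu vme de pse tsc msr pae mce"

# Stand-alone use: print the live host report (skipped where /proc is absent)
if [ -r /proc/cpuinfo ] && [ "${1:-}" != "--samples-only" ]; then
    report_host
fi
```

Run it as `sh check-mitigations.sh` on each node; a host whose `kpti` line reads `absent` on Intel hardware, or whose `spectre_v2` line reads `vulnerable`, has not yet received the kernel and microcode the thread is waiting on. The `off-amd-default` result is the expected state on AMD and is not a finding.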
