[pve-devel] [PATCH] cherry pick MDS fixes from stable 4.14.119
Thomas Lamprecht
t.lamprecht at proxmox.com
Wed May 15 08:24:14 CEST 2019
On 5/15/19 7:57 AM, Thomas Lamprecht wrote:
> With some manual merging, most of it straightforward, cherry-pick
> all but the two PowerPC and S390 patches from the 4.14.119
> released by Greg KH[0]. It mainly comes with some mitigation for
> MDS[1][3][4][5], for best result a microupdate of the CPU is
> required, else the kernel falls back to some "best effort
> mitigation", trying to clear the CPU buffers on kernel/userspace,
> hypervisor/guest and C-state (idle) transitions.
>
> With this applied you will have a new file in sysfs to get the
> mitigation state of the server regarding MDS:
> $ cat /sys/devices/system/cpu/vulnerabilities/mds
>
> Microcode updates should become available in stretch with
> 3.20190514.1~deb9u1 [2] version currently only tagged[2], but not yet
> released.
>
> [0]: https://lwn.net/ml/linux-kernel/20190514180538.GA13245@kroah.com/
> [1]: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html#mitigation-strategy
> [2]: https://salsa.debian.org/hmh/intel-microcode/commits/debian/3.20190514.1_deb9u1
> [3]: https://mdsattacks.com/
> [4]: https://cpu.fail/
> [5]: https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html
>
> Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
> ---
See also the 5.1.2 stable release announcement[0] for some other links and a little
more detail from a Linux perspective. As stated, this is probably not final and may
break some things, that said, my build here worked well without issues in a physical
cluster with VMs, CTs and ceph, so at least this isn't broken in an obvious way.
A look over this (@Fabian ;-) would still be great.
[0]: https://www.spinics.net/lists/stable/msg302862.html
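
An added example, not part of the original message or of the patch: a shell helper that interprets the sysfs file named in the commit message and separates the microcode-backed mitigation from the "best effort" fallback. The status strings are those documented in the kernel admin guide linked as [1]; the function names and state labels are invented for this example.

```shell
#!/bin/sh
# Classify /sys/devices/system/cpu/vulnerabilities/mds.
# Status strings follow the kernel admin guide (hw-vuln/mds);
# function names and state labels are assumptions of this example.

MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds

# mds_classify "<status line>" -> prints "<state> <smt>"
mds_classify() {
    status=$1
    case $status in
        "Not affected"*)
            state=not_affected ;;
        "Mitigation: Clear CPU buffers"*)
            state=mitigated ;;
        # Must be matched before the plain "Vulnerable" prefix below.
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
            state=best_effort_no_microcode ;;
        "Vulnerable"*)
            state=vulnerable ;;
        "")
            state=no_report ;;
        *)
            state=unknown ;;
    esac
    # The SMT state is appended after a semicolon on affected CPUs.
    case $status in
        *"SMT vulnerable"*)         smt=smt_vulnerable ;;
        *"SMT mitigated"*)          smt=smt_mitigated ;;
        *"SMT disabled"*)           smt=smt_disabled ;;
        *"SMT Host state unknown"*) smt=smt_unknown ;;
        *)                          smt=smt_not_reported ;;
    esac
    printf '%s %s\n' "$state" "$smt"
}

# mds_check [file] -> classify the live file. A missing file means the
# running kernel does not carry the MDS reporting patches (no_report).
mds_check() {
    f=${1:-$MDS_FILE}
    if [ -r "$f" ]; then
        mds_classify "$(cat "$f")"
    else
        mds_classify ""
    fi
}

mds_check
```

A result of `best_effort_no_microcode` means the patched kernel is running but the CPU microcode update is still missing.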