[pve-devel] [PATCH] cherry pick MDS fixes from stable 4.14.119

Thomas Lamprecht t.lamprecht at proxmox.com
Wed May 15 08:44:29 CEST 2019


On 5/15/19 8:24 AM, Thomas Lamprecht wrote:
> On 5/15/19 7:57 AM, Thomas Lamprecht wrote:
>> With some manual merging, most of it straightforward, cherry-pick
>> all but the two PowerPC and S390 patches from the 4.14.119
>> released by Greg KH[0]. It mainly comes with some mitigation for
>> MDS[1][3][4][5]; for best results a microcode update of the CPU is
>> required, else the kernel falls back to some "best effort
>> mitigation", trying to clear the CPU buffers on kernel/userspace,
>> hypervisor/guest and C-state (idle) transitions.
>>
>> With this applied you will have a new file in sysfs to get the
>> mitigation state of the server regarding MDS:
>>  $ cat /sys/devices/system/cpu/vulnerabilities/mds
>>
>> Microcode updates should become available in stretch with
>> version 3.20190514.1~deb9u1, currently only tagged[2], but not yet
>> released.
>>
>> [0]: https://lwn.net/ml/linux-kernel/20190514180538.GA13245@kroah.com/
>> [1]: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html#mitigation-strategy
>> [2]: https://salsa.debian.org/hmh/intel-microcode/commits/debian/3.20190514.1_deb9u1
>> [3]: https://mdsattacks.com/
>> [4]: https://cpu.fail/
>> [5]: https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html
>>
>> Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
>> ---
> 
> See also the 5.1.2 stable release announcement[0] for some other links and a little
> more detail from the Linux perspective. As stated, this is probably not final and may
> break some things; that said, my build here worked well without issues in a physical
> cluster with VMs, CTs and ceph, so at least this isn't broken in an obvious way.
> 
> A look over this (@Fabian ;-) would still be great.

OK, scratch that, let's just use Ubuntu-4.15.0-50.54 [0] which has this too. While
it was committed > 8 days ago, I swear that I did not see it yesterday evening before
starting the backport work; maybe it just was too late...

[0]: https://kernel.ubuntu.com/git/ubuntu/ubuntu-bionic.git/tag/?h=Ubuntu-4.15.0-50.54