Closed vpetersson closed 4 years ago
This also needs to be hidden in Vagrant/Virtualbox on Ubuntu 18.04.
Relevant data from GCP:
$ grep '' /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.4.0-174-generic root=UUID=6a8554fa-8e1d-4916-ba03-4ca3837feb34 ro console=ttyS0
$ sudo grep '' /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:Processor vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT Host state unknown
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
$ cat /proc/cmdline
BOOT_IMAGE=(hd0,msdos1)/boot/vmlinuz-4.18.0-147.5.1.el8_1.x86_64 root=UUID=ac683356-370c-403a-b122-fcc90e993052 ro net.ifnames=0 biosdevname=0 scsi_mod.use_blk_mq=Y crashkernel=auto console=ttyS0,38400n8
$ sudo grep '' /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:Processor vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Mitigation: Clear CPU buffers; SMT Host state unknown
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: Load fences, usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full retpoline, IBPB
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-3.10.0-1062.12.1.el7.x86_64 root=UUID=62213288-7643-4cbc-ba81-eba1f0b2376f ro crashkernel=auto console=ttyS0,38400n8 LANG=en_US.UTF-8
Vagrant: 2.0.2 VirtualBox: 5.2.34-dfsg-0~ubuntu18.04.1
$ sudo grep '' /sys/devices/system/cpu/vulnerabilities/*
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Vulnerable
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline
$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-4.4.0-141-generic root=LABEL=cloudimg-rootfs ro console=tty1 console=ttyS0
@vpetersson What about Virtualbox? Shall we add an exception too? What about other Ubuntus in Virtualbox?
@vpetersson More info on MDS mitigation statuses in the kernel. I was wrong in saying that Ubuntu and CentOS kernels report the same status. "Vulnerable: Clear CPU buffers attempted, no microcode" and "Mitigation: Clear CPU buffers" are different.
The kernel and corresponding intel-microcode package updates fully address the MDS flaws if your processor does not support Hyper-Threads, also known as Symmetric Multi-Threading (SMT). MDS is not fully mitigated if your processor supports Hyper-Threads and Hyper-Threads are enabled. Ubuntu recommends disabling Hyper-Threads on affected systems if the system is used to execute untrusted or potentially malicious code.
I tried installing intel-microcode on our Ubuntu running in AWS, and that didn't do anything; I suspect the microcode didn't load. It did load in CentOS since the kernel doesn't complain.
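The status strings above are easy to misread by eye, since "Vulnerable: Clear CPU buffers attempted, no microcode", "Mitigation: Clear CPU buffers; SMT Host state unknown" and "KVM: Vulnerable" all look similar but mean different things. The script below is an added example, not code from this issue or from the project, that parses `grep '' /sys/devices/system/cpu/vulnerabilities/*` output (the same format as the pastes in this thread) and reduces each entry to a coarse state, flagging the "no microcode" and "SMT Host state unknown" caveats separately. The sample input is constructed from the Ubuntu 16.04 on GCP paste above; the function names and the "unresolved" rule (vulnerable, or mitigated with a caveat) are this example's own choices.

```python
"""Classify Linux CPU vulnerability status from sysfs (added example, not the project's code)."""
import glob
import os
from typing import Dict, List, Tuple

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample input: the Ubuntu 16.04 on GCP paste from this thread.
SAMPLE_OUTPUT = """\
/sys/devices/system/cpu/vulnerabilities/itlb_multihit:KVM: Vulnerable
/sys/devices/system/cpu/vulnerabilities/l1tf:Mitigation: PTE Inversion
/sys/devices/system/cpu/vulnerabilities/mds:Vulnerable: Clear CPU buffers attempted, no microcode; SMT Host state unknown
/sys/devices/system/cpu/vulnerabilities/meltdown:Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: usercopy/swapgs barriers and __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling
/sys/devices/system/cpu/vulnerabilities/tsx_async_abort:Not affected
"""


def parse_grep_output(text: str) -> Dict[str, str]:
    """Map vulnerability name -> raw status from `grep '' <dir>/*` output.

    grep prints `<path>:<file contents>`; the status itself may contain colons
    (e.g. "KVM: Vulnerable"), so split only on the first one.
    """
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        path, _, status = line.partition(":")
        entries[os.path.basename(path)] = status.strip()
    return entries


def read_live() -> Dict[str, str]:
    """Read the real sysfs files on this host; empty dict if the kernel lacks them."""
    entries: Dict[str, str] = {}
    for path in sorted(glob.glob(os.path.join(SYSFS_DIR, "*"))):
        try:
            with open(path) as fh:
                entries[os.path.basename(path)] = fh.read().strip()
        except OSError:
            continue
    return entries


def classify(status: str) -> str:
    """Reduce a status string to: not_affected, mitigated, vulnerable or unknown."""
    if status.startswith("Not affected"):
        return "not_affected"
    if status.startswith("Mitigation:"):
        return "mitigated"
    # Covers "Vulnerable", "Vulnerable: ...", "KVM: Vulnerable", "Processor vulnerable".
    if "vulnerable" in status.lower():
        return "vulnerable"
    return "unknown"


def caveats(status: str) -> List[str]:
    """Qualifiers that keep a 'mitigated' line from being a clean pass."""
    notes: List[str] = []
    if "no microcode" in status:
        notes.append("mitigation attempted but the CPU microcode update is not loaded")
    if "SMT Host state unknown" in status:
        notes.append("guest cannot see host SMT state; not fully mitigated if SMT is enabled on the host")
    return notes


def audit(entries: Dict[str, str]) -> Dict[str, List[Tuple[str, str, List[str]]]]:
    """Group entries by state; each item is (name, raw status, caveats)."""
    report: Dict[str, List[Tuple[str, str, List[str]]]] = {
        "vulnerable": [], "mitigated": [], "not_affected": [], "unknown": []}
    for name, status in sorted(entries.items()):
        report[classify(status)].append((name, status, caveats(status)))
    return report


def unresolved(entries: Dict[str, str]) -> List[str]:
    """Names to treat as open findings: vulnerable, or mitigated with a caveat."""
    return [name for name, status in sorted(entries.items())
            if classify(status) == "vulnerable"
            or (classify(status) == "mitigated" and caveats(status))]


if __name__ == "__main__":
    live = read_live()
    entries = live or parse_grep_output(SAMPLE_OUTPUT)
    print("source:", "live sysfs" if live else "constructed sample")
    for state, items in audit(entries).items():
        for name, status, notes in items:
            print(f"{state:12s} {name:18s} {status}")
            for note in notes:
                print(f"{'':12s} {'':18s} note: {note}")
    print("unresolved:", ", ".join(unresolved(entries)) or "none")
```

Run it on a host and it reads the real sysfs directory; on a machine without those files it falls back to the constructed sample. With the sample input, `itlb_multihit` and `mds` come out as unresolved, while the CentOS-style `Mitigation: Clear CPU buffers; SMT Host state unknown` line is classified as mitigated but still reported as unresolved because of the SMT caveat, which is the distinction the comment above draws.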
@vpetersson What about Virtualbox? Shall we add an exception too?
If we don't have a fix, then yes, we should add an exception.
What about other Ubuntus in Virtualbox?
Assuming all other Ubuntu versions have the same issue, then yes.
Remove check as it is unreliable and instead rely on CVE for this. Let's bring it back later.
5 complexity points
We're getting warnings for Meltdown/Spectre for Ubuntu 16.04 (on GCP) that cannot be resolved using kernel upgrades.
As discussed, our rule of thumb needs to be that we hide RAs that are unresolved (within reason).