[pve-devel] missing cpu flags? (CVE-2018-3639)

Alexandre DERUMIER aderumier at odiso.com
Mon Aug 20 17:43:28 CEST 2018


>>This needs qemu 3.0 :/

Oh, it seems that they are already in qemu 2.11.2  :)


----- Original Message -----
From: "Alexandre Derumier" <aderumier at odiso.com>
To: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Monday 20 August 2018 17:19:36
Subject: Re: [pve-devel] missing cpu flags? (CVE-2018-3639)

Hi Stefan, 

thanks for the info!


>>At least ssbd is important for guests to mitigate CVE-2018-3639.

This needs qemu 3.0 :/

https://wiki.qemu.org/ChangeLog/3.0 

"The 'ssbd', 'virt-ssbd', 'amd-ssbd' and 'amd-no-ssb' CPU feature flags are added in relation to the "Speculative Store Bypass" hardware vulnerability (CVE-2018-3639)" 


Maybe we can try to backport them?

https://git.qemu.org/?p=qemu.git;a=commit;h=403503b162ffc33fb64cfefdf7b880acf41772cd 
https://git.qemu.org/?p=qemu.git;a=commit;h=d19d1f965904a533998739698020ff4ee8a103da 
https://git.qemu.org/?p=qemu.git;a=commit;h=403503b162ffc33fb64cfefdf7b880acf41772cd 

>>It also seems to make sense to enable pdpe1gb 

Is it related to a vulnerability?

It's already possible to use hugepages currently with "hugepages: <1024 | 2 | any>", but only on the qemu/host side.
I think pdpe1gb exposes hugepages inside the guest, right?


----- Original Message -----
From: "Stefan Priebe, Profihost AG" <s.priebe at profihost.ag>
To: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Friday 17 August 2018 13:30:10
Subject: [pve-devel] missing cpu flags? (CVE-2018-3639)

Hello, 

after researching L1TF mitigation for qemu and reading https://www.berrange.com/posts/2018/06/29/cpu-model-configuration-for-qemu-kvm-on-x86-hosts/

it seems PVE is missing at least the following CPU flag:
ssbd

It also seems to make sense to enable pdpe1gb 

At least ssbd is important for guests to mitigate CVE-2018-3639.

Greets, 
Stefan 

Excuse my typo sent from my mobile phone. 
_______________________________________________ 
pve-devel mailing list 
pve-devel at pve.proxmox.com 
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel 

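As an added example (not code from this thread, from Proxmox or from qemu), a small POSIX shell check a guest administrator can run to see whether any of the Speculative Store Bypass flags named in the qemu 3.0 changelog (ssbd, virt-ssbd, amd-ssbd, amd-no-ssb) is visible inside the VM, and what the guest kernel itself reports for the mitigation. The flag lines it ships with are constructed samples; the sysfs path is the standard Linux one.

```shell
#!/bin/sh
# Added example: does this guest see an SSB-related CPU flag, and what does the
# kernel say about CVE-2018-3639? Flags come from the "flags" line of cpuinfo,
# the verdict from /sys/devices/system/cpu/vulnerabilities/spec_store_bypass.

SSB_FLAGS_RE='^(ssbd|virt-ssbd|amd-ssbd|amd-no-ssb)$'

# ssb_flags_in LINE: print the SSB-related flags found in one cpuinfo "flags"
# line, sorted and space-separated (empty output when none is present).
ssb_flags_in() {
    printf '%s\n' "$1" | sed 's/^flags[[:space:]]*:[[:space:]]*//' | tr ' ' '\n' \
        | grep -E "$SSB_FLAGS_RE" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# ssb_flags_in_file FILE: same check on the first "flags" line of a
# cpuinfo-style file (defaults to /proc/cpuinfo; empty output if unreadable).
ssb_flags_in_file() {
    f="${1:-/proc/cpuinfo}"
    [ -r "$f" ] || return 0
    ssb_flags_in "$(grep -m1 '^flags' "$f")"
}

# ssb_status [FILE]: the kernel's own verdict, e.g. "Mitigation: Speculative
# Store Bypass disabled via prctl and seccomp", or "Vulnerable" when the
# guest CPU model hides the flag from the guest kernel.
ssb_status() {
    f="${1:-/sys/devices/system/cpu/vulnerabilities/spec_store_bypass}"
    if [ -r "$f" ]; then cat "$f"; else echo "unknown (no $f)"; fi
}

# Constructed sample flag lines (not real captures): a host-like CPU that
# advertises ssbd, and a guest whose CPU model does not pass it through.
SAMPLE_HOST='flags : fpu vme de pse tsc msr pae mce cx8 pdpe1gb ssbd md_clear'
SAMPLE_GUEST_NO_SSBD='flags : fpu vme de pse tsc msr pae mce cx8 pdpe1gb'

report() {
    echo "host sample   -> SSB flags: [$(ssb_flags_in "$SAMPLE_HOST")]"
    echo "guest sample  -> SSB flags: [$(ssb_flags_in "$SAMPLE_GUEST_NO_SSBD")]"
    echo "this machine  -> SSB flags: [$(ssb_flags_in_file)]"
    echo "this machine  -> kernel status: $(ssb_status)"
}

report
```

An empty flag list inside the guest together with a "Vulnerable" sysfs status is the case the thread is about: the host may have the flag while the configured guest CPU model does not expose it.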