* [Qemu-devel] Qemu and Spectre_V4 + l1tf + IBRS_FW
From: Stefan Priebe - Profihost AG @ 2018-08-17 6:44 UTC
To: qemu-devel
Hello,
I haven't found anything on the web regarding qemu and the mentioned variants.
While my host says:
l1tf:Mitigation: PTE Inversion; VMX: SMT vulnerable, L1D conditional
cache flushes
meltdown:Mitigation: PTI
spec_store_bypass:Mitigation: Speculative Store Bypass disabled via
prctl and seccomp
spectre_v1:Mitigation: __user pointer sanitization
spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW
My guests booted with pcid and spec-ctrl only say:
l1tf:Mitigation: PTE Inversion
meltdown:Mitigation: PTI
spec_store_bypass:Vulnerable
spectre_v1:Mitigation: __user pointer sanitization
spectre_v2:Mitigation: Full generic retpoline, IBPB
* What about spec_store_bypass in Qemu?
* What about the IBRS_FW feature?
* What about L1TF?
Or are those just irrelevant to Qemu guests? Would be great to have some
information.
Thanks a lot!
Greets,
Stefan
* Re: [Qemu-devel] Qemu and Spectre_V4 + l1tf + IBRS_FW
From: Daniel P. Berrangé @ 2018-08-17 9:41 UTC
To: Stefan Priebe - Profihost AG; +Cc: qemu-devel
On Fri, Aug 17, 2018 at 08:44:38AM +0200, Stefan Priebe - Profihost AG wrote:
> Hello,
>
> I haven't found anything on the web regarding qemu and the mentioned variants.
>
> While my host says:
> l1tf:Mitigation: PTE Inversion; VMX: SMT vulnerable, L1D conditional
> cache flushes
> meltdown:Mitigation: PTI
> spec_store_bypass:Mitigation: Speculative Store Bypass disabled via
> prctl and seccomp
> spectre_v1:Mitigation: __user pointer sanitization
> spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW
>
> My guests booted with pcid and spec-ctrl only say:
> l1tf:Mitigation: PTE Inversion
> meltdown:Mitigation: PTI
> spec_store_bypass:Vulnerable
> spectre_v1:Mitigation: __user pointer sanitization
> spectre_v2:Mitigation: Full generic retpoline, IBPB
>
> * What about spec_store_bypass in Qemu?
The guest needs an 'ssbd' feature for Intel CPU models and either a
'virt-ssbd' or 'amd-ssbd' feature for AMD CPU models.
> * What about the IBRS_FW feature?
I'm not sure what IBRS_FW is referring to, but don't worry about it.
The fact that the guest kernel says "Mitigation" instead of "Vulnerable"
means you are protected with your current config.
For Intel CPU models Spectre v2 needs the guest to have the 'spec-ctrl'
feature. On AMD models, Spectre v2 needs the guest to have the 'ibpb' feature.
> * What about L1TF?
No extra CPU flags are required for QEMU guests for L1TF. The new CPU
feature is merely a perf optimization for the host hypervisor fixes.
Note that with L1TF there are extra steps you need to consider wrt
hyperthreading, that won't be reflected in the 'vulnerabilities'
data published by the kernel.
You can read more about the procedure for dealing with L1TF in
virt hosts in the "Resolve" tab of this article:
https://access.redhat.com/security/vulnerabilities/L1TF
> Or are those just irrelevant to Qemu guests? Would be great to have some
> information.
We have some QEMU docs providing guidance on guest CPU model/feature config
but they are not yet published. In the meantime this blog post of mine gives
the same info, covering what's needed for Spectre v2, Meltdown and SSBD and
guidance in general for CPU config:
https://www.berrange.com/posts/2018/06/29/cpu-model-configuration-for-qemu-kvm-on-x86-hosts/
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
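
Added example, not part of the original thread or of QEMU: a shell helper that reads a guest's `name:status` vulnerabilities report and prints, for each entry still reported as Vulnerable, the guest CPU feature the reply above names. The function names and the `intel`/`amd` argument are assumptions made for illustration; the sample report is the guest output quoted in the thread.

```shell
#!/bin/sh
# guest_report (hypothetical helper): print "name:status" lines for the
# running kernel, in the same format as the reports quoted in the thread.
guest_report() {
    for f in /sys/devices/system/cpu/vulnerabilities/*; do
        printf '%s:%s\n' "${f##*/}" "$(cat "$f")"
    done
}

# missing_features VENDOR (hypothetical helper): read "name:status" lines
# on stdin. VENDOR is "intel" or "amd", the family of the guest CPU model.
# Prints one hint per entry whose status starts with "Vulnerable".
missing_features() {
    vendor=$1
    while IFS= read -r line; do
        name=${line%%:*}      # text before the first colon
        name=${name##*/}      # tolerate full sysfs paths from `grep . *`
        state=${line#*:}      # text after the first colon
        case $state in
            Vulnerable*) ;;   # unmitigated: fall through to the mapping
            *) continue ;;    # "Mitigation: ..." or "Not affected"
        esac
        case "$name/$vendor" in
            spec_store_bypass/intel) echo "ssbd" ;;
            spec_store_bypass/amd)   echo "virt-ssbd or amd-ssbd" ;;
            spectre_v2/intel)        echo "spec-ctrl" ;;
            spectre_v2/amd)          echo "ibpb" ;;
            # The thread names no guest feature for other entries.
            *)                       echo "review:$name" ;;
        esac
    done
}

# Sample input: the guest report quoted in the thread, one entry per line.
GUEST_REPORT='l1tf:Mitigation: PTE Inversion
meltdown:Mitigation: PTI
spec_store_bypass:Vulnerable
spectre_v1:Mitigation: __user pointer sanitization
spectre_v2:Mitigation: Full generic retpoline, IBPB'

# For the guest in the thread (Intel CPU model) this prints: ssbd
printf '%s\n' "$GUEST_REPORT" | missing_features intel
```

Inside a running guest, `guest_report | missing_features intel` applies the same mapping to the live sysfs data.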
* Re: [Qemu-devel] Qemu and Spectre_V4 + l1tf + IBRS_FW
From: Stefan Priebe - Profihost AG @ 2018-08-21 9:21 UTC
To: Daniel P. Berrangé; +Cc: qemu-devel
On 17.08.2018 at 11:41, Daniel P. Berrangé wrote:
> On Fri, Aug 17, 2018 at 08:44:38AM +0200, Stefan Priebe - Profihost AG wrote:
>> Hello,
>>
>> I haven't found anything on the web regarding qemu and the mentioned variants.
>>
>> While my host says:
>> l1tf:Mitigation: PTE Inversion; VMX: SMT vulnerable, L1D conditional
>> cache flushes
>> meltdown:Mitigation: PTI
>> spec_store_bypass:Mitigation: Speculative Store Bypass disabled via
>> prctl and seccomp
>> spectre_v1:Mitigation: __user pointer sanitization
>> spectre_v2:Mitigation: Full generic retpoline, IBPB, IBRS_FW
>>
>> My guests booted with pcid and spec-ctrl only say:
>> l1tf:Mitigation: PTE Inversion
>> meltdown:Mitigation: PTI
>> spec_store_bypass:Vulnerable
>> spectre_v1:Mitigation: __user pointer sanitization
>> spectre_v2:Mitigation: Full generic retpoline, IBPB
>>
>> * What about spec_store_bypass in Qemu?
>
> The guest needs an 'ssbd' feature for Intel CPU models and either a
> 'virt-ssbd' or 'amd-ssbd' feature for AMD CPU models.
Ah thanks. That works fine.
>> * What about the IBRS_FW feature?
>
> I'm not sure what IBRS_FW is referring to, but don't worry about it.
> The fact that the guest kernel says "Mitigation" instead of "Vulnerable"
> means you are protected with your current config.
>
> For Intel CPU models Spectre v2 needs the guest to have the 'spec-ctrl'
> feature. On AMD models, Spectre v2 needs the guest to have the 'ibpb' feature.
>
>> * What about L1TF?
>
> No extra CPU flags are required for QEMU guests for L1TF. The new CPU
> feature is merely a perf optimization for the host hypervisor fixes.
>
> Note that with L1TF there are extra steps you need to consider wrt
> hyperthreading, that won't be reflected in the 'vulnerabilities'
> data published by the kernel.
>
> You can read more about the procedure for dealing with L1TF in
> virt hosts in the "Resolve" tab of this article:
>
> https://access.redhat.com/security/vulnerabilities/L1TF
>
>> Or are those just irrelevant to Qemu guests? Would be great to have some
>> information.
>
> We have some QEMU docs providing guidance on guest CPU model/feature config
> but they are not yet published. In the meantime this blog post of mine gives
> the same info, covering what's needed for Spectre v2, Meltdown and SSBD and
> guidance in general for CPU config:
>
> https://www.berrange.com/posts/2018/06/29/cpu-model-configuration-for-qemu-kvm-on-x86-hosts/
Thanks, that one was really helpful.
Greets,
Stefan