On 01/04/2018 10:46 AM, Eric Blake wrote:
One thing that might happen: the papers describing the flaws mention
that side effects of speculative execution in hardware is a root cause
for all three related vulnerabilities (two under the name Spectre and
one under the name Meltdown) just made public; so it is conceivable that
hardware vendors may offer a microcode update that enables run-time
enabling/disabling of speculative execution (a tradeoff of speed vs.
security; disabling speculative execution would prevent leaks, but kill
performance).
Indeed, that's part of what has already happened - Intel and AMD are
both providing new microcode that adds new processor capability bits for
controlling the use of speculative execution while executing kernel
code; and part of the updates you will need to protect against Spectre
include updating to that new microcode, updating the kernel to take
advantage of the new processor capabilities, updating qemu to migrate
the CPUID state of those new capabilities, and updating libvirt's CPU
models to include those new CPUID states. For maximum protection, you
have to update both host and guest kernels. The updates do come with
performance penalties, so you will also want to benchmark what the
updates will do to your deployments, and consider whether you have
sufficient security via other means to avoid having to use the slowdowns
entailed by generically disabling speculative execution in the kernel if
you have a high-performance situation that is sufficiently isolated, vs.
using the patches and taking the performance hit if you cannot ensure
that no other process on the machine will ever attempt to abuse the
effects of Spectre.
More details can be learned from this blog post:
https://www.qemu.org/2018/01/04/spectre/
And yes, there are still patches and updates coming down the pipeline
(the embargo was lifted at a point when not all patches were fully
baked), so if you are planning mass upgrades, be sure you factor in the
availability of patches into your timeline.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization:
qemu.org |
libvirt.org