6:19 a.m.
As CVE-2017-5715 described on https://access.redhat.com/security/cve/cve-2017-5715,
libvirt under the influence yet, So what's coming next for this?
Signed-off-by: Wang King <king.wang(a)huawei.com>
--
2.8.3
6:51 a.m.
On Thu, Jan 04, 2018 at 20:19:51 +0800, Wang King wrote:
As CVE-2017-5715 described on
https://access.redhat.com/security/cve/cve-2017-5715,
libvirt under the influence yet, So what's coming next for this?
We're waiting for QEMU patches since libvirt can't do much with this
issue by itself.
Jirka
10:46 a.m.
On 01/04/2018 06:51 AM, Jiri Denemark wrote:
On Thu, Jan 04, 2018 at 20:19:51 +0800, Wang King wrote:
> As CVE-2017-5715 described on https://access.redhat.com/security/cve/cve-2017-5715,
> libvirt under the influence yet, So what's coming next for this?
We're waiting for QEMU patches since libvirt can't do much with this
issue by itself.
I'm by no means an expert on the topic, but from my cursory reading of
the information made public yesterday, it was mentioned that one way to
trigger the architectural exploit was across hypercalls; hence, the
entire virtualization stack was listed as associated with the CVE (thus
including libvirt), even if the patches for the issues will not be
required against all affected software. Although a complete fix may be
impossible without hardware changes, software mitigations may be added
at various or multiple levels of the software stack to minimize the
chance of the exploit being able to leak information that should have
been protected by security boundaries. In particular, updating your
kernel to include patches for Meltdown is an important step to take now,
for any system where you have a vulnerable kernel running libvirt to
manage untrusted guests; even though the kernel patch against Meltdown
does not necessarily mitigate the Spectre aspects of the hardware
vulnerabilities.
One thing that might happen: the papers describing the flaws mention
that side effects of speculative execution in hardware is a root cause
for all three related vulnerabilities (two under the name Spectre and
one under the name Meltdown) just made public; so it is conceivable that
hardware vendors may offer a microcode update that enables run-time
enabling/disabling of speculative execution (a tradeoff of speed vs.
security; disabling speculative execution would prevent leaks, but kill
performance). It may be that such hardware knobs will then have to have
emulation counterpart knobs exposed in qemu, at which point libvirt XML
may want to be enhanced to allow the end user a choice between which
execution style to expose in an L1 guest (and thereby controlling the
security of untrusted L2 guests being run by the L1 guest), similarly to
how your host kernel would have a way to tweak such a knob at the
hardware L0 execution layer for managing what can be leaked by
hypercalls from L1 guests. But this is speculation on my part on what
may be coming; the CVE references exist to document the hardware flaw
and gracefully track any such software tweaks added for mitigating the
hardware problem, even if no libvirt patches related to the CVE are
currently in the pipeline.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
7:42 a.m.
New subject: [libvirt] [Libvirt-Security] About CVE-2017-5715
On 01/04/2018 10:46 AM, Eric Blake wrote:
One thing that might happen: the papers describing the flaws mention
that side effects of speculative execution in hardware is a root cause
for all three related vulnerabilities (two under the name Spectre and
one under the name Meltdown) just made public; so it is conceivable that
hardware vendors may offer a microcode update that enables run-time
enabling/disabling of speculative execution (a tradeoff of speed vs.
security; disabling speculative execution would prevent leaks, but kill
performance).
Indeed, that's part of what has already happened - Intel and AMD are
both providing new microcode that adds new processor capability bits for
controlling the use of speculative execution while executing kernel
code; and part of the updates you will need to protect against Spectre
include updating to that new microcode, updating the kernel to take
advantage of the new processor capabilities, updating qemu to migrate
the CPUID state of those new capabilities, and updating libvirt's CPU
models to include those new CPUID states. For maximum protection, you
have to update both host and guest kernels. The updates do come with
performance penalties, so you will also want to benchmark what the
updates will do to your deployments, and consider whether you have
sufficient security via other means to avoid having to use the slowdowns
entailed by generically disabling speculative execution in the kernel if
you have a high-performance situation that is sufficiently isolated, vs.
using the patches and taking the performance hit if you cannot ensure
that no other process on the machine will ever attempt to abuse the
effects of Spectre.
More details can be learned from this blog post:
https://www.qemu.org/2018/01/04/spectre/
And yes, there are still patches and updates coming down the pipeline
(the embargo was lifted at a point when not all patches were fully
baked), so if you are planning mass upgrades, be sure you factor in the
availability of patches into your timeline.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3266
Virtualization: qemu.org | libvirt.org
2513
days inactive
2514
days old
3 comments
3 participants
participants (3)
-
Eric Blake -
Jiri Denemark -
Wang King