XCP-ng Security Bulletin: MDS hardware vulnerabilities in Intel CPUs
-
Latest XCP-ng security bulletin, dedicated to the recently discovered MDS attacks on Intel CPUs. Update available but also requires extra steps for full mitigation.
Full story here: https://xcp-ng.org/blog/2019/05/21/xcp-ng-security-bulletin-mds-hardware-vulnerabilities-in-intel-cpus/
Raise your hands if you're still using XCP-ng 7.5 and badly need an update. As you know, we try to support the N-1 release of XCP-ng on a best-effort basis, but backporting the fixes may not be trivial, and 7.5 is very close from end of support from us with the upcoming release of XCP-ng 8.0.
-
No one raised their hands, and yet an update candidate for 7.5 is available with the fixes backported from 7.6.
Install it with
yum update --enablerepo='xcp-ng-updates_testing' microcode_ctl xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-toolsWe've tested it locally, works fine for us.
-
Intel has released updated microcode that I'm considering including in XCP-ng 8.0 and 7.6.
The main interesting thing is that it brings MDS attacks mitigation for the SandyBridge family of CPUs. But I also need feedback from people who'd install the new microcode on CPUs that already got the mitigation with the previous microcode update so they can report if everything still goes well (especialy check, after a reboot, that
xl dmesg | grep "Hardware features:"containsMD_CLEAR).To install the update:
- on XCP-ng 7.6:
yum update microcode_ctl --enablerepo='xcp-ng-updates_testing' - on XCP-ng 8.0:
yum update microcode_ctl --enablerepo='xcp-ng-testing'
To revert to the previous version:
- on both:
yum downgrade microcode_ctl
- on XCP-ng 7.6:
-
stormi I used this script to check: https://github.com/speed47/spectre-meltdown-checker
Maybe we should include it in the XCP-ng repo?olivierlambert the output of this script could maybe be displayed in XO, this would be a uniqe feature
-
I can say that's not trivial, because there is multiple levels: Xen, the host, and the VMs. To know if you are fully protected is far from being a simple story⦠As you might noted, just knowing if you have HT enabled is very complicated.
-
olivierlambert I know
just saw the json like output of the script and had this idea -
I did the update, the XCP-ng 7.6 bootet
but my testhost has no MD_CLEAR- Intel(R) Xeon(R) CPU E5620 @ 2.40GHz
- (from
xl dmesg) microcode: CPU0 updated from revision 0x14 to 0x1f, date = 2018-05-08
-
borzel What CPU family is it?
-
-
Testhost at home updated
- XCP-ng 8.0 beta
- CPU: i5-4430 (Haswell) https://ark.intel.com/content/www/de/de/ark/products/75036/intel-core-i5-4430-processor-6m-cache-up-to-3-20-ghz.html
(XEN) [ 0.000000] Hardware features: IBRS/IBPB STIBP L1D_FLUSH SSBD MD_CLEAR
Host started just fine, Win10 VM startetd also.
