XCP-ng

    "CROSSTalk" CPU vulnerability (cross-core data leak)

    • stormi Vates 🪐 XCP-ng Team

      As far as I know, those patches work well on Citrix' test hosts. They also work well on our hosts at Vates. The microcodes underwent Intel's QA so I don't expect them to break on the vast majority of hardware, though there are reports of issues with some specific models. In @demanzke's case, reverting to the previous microcode did not fix the issue so at first it doesn't look like it's related to the microcode.

      • stormi Vates 🪐 XCP-ng Team

        Intel just released updated microcode (actually it's a revert) for some models: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases

        I'll update the microcode_ctl package. The "older" microcode that is used instead is still recent enough to contain the fixes against CROSSTalk / SRBDS. Or so I had understood, but I can't find evidence about it.

        • demanzke

          Thanks @Biggen and @stormi
          I'll try updating then removing the microcode_ctl package tomorrow and share the results.

          • markxc

            Hi, do I need to patch my XenServer using AMD EPYC? Those patches get offered to my AMD nodes by XO.
            On Intel Xeon nodes it makes sense to me...

            • olivierlambert Vates 🪐 Co-Founder CEO

              I would say: always apply patches, but you are free to reboot when you want. Obviously, for you, it won't change anything (no microcode update) but keeping your hosts up to date is a good practice 🙂

              • lefty @stormi

                @stormi said in "CROSSTalk" CPU vulnerability (cross-core data leak):

                Intel just released updated microcode (actually it's a revert) for some models: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases

                I'll update the microcode_ctl package. The "older" microcode that is used instead is still recent enough to contain the fixes against CROSSTalk / SRBDS. Or so I had understood, but I can't find evidence about it.

                So should I wait before applying these updates? You seem to be unsure of which microcode version to distribute.

                • stormi Vates 🪐 XCP-ng Team

                  I'm unsure for Skylake. Not for other CPUs.

                  • lefty

                    Thanks for the clarification. No Skylake present, so I will proceed.

                    • demanzke

                      Finally got some time to test your suggestions.
                      Removing the microcode_ctl package without dependencies did not help.
                      Here are both initial ramdisks for anyone interested to look at.

                      Reinstalling XCP, then ZFS, then updating all packages worked fine.

                      • stormi Vates 🪐 XCP-ng Team @demanzke

                        @demanzke So this time no boot issue after installing the update?

                        • demanzke @stormi

                          @stormi Exactly. Must've been related to something other than just the latest packages.
