security breach MDS processor XEON

olivierlambert

I think Intel doesn't provide microcode updates for Westmere CPUs for MDS sec issues, but I'm not sure. A bit of google around might be useful here.

Also, it depends on what kind of load and risk you are willing to take. Is your platform will run with trusted VMs? (VMs you have control and patches on it?) Are those VMs exposed outside?

araxy

@olivierlambert said in security breach MDS processor XEON:

En outre, cela dépend du type de charge et du risque que vous êtes prêt à assumer. Est-ce que votre plate-forme fonctionnera avec des machines virtuelles de confiance? (Les machines virtuelles que vous possédez sont-elles contrôlées?) Ces machines virtuelles sont-elles exposées à l'extérieur?

Virtual machines are exposed to the outside. It's websites

olivierlambert

Do you have root access/control on those VMs?

araxy

@olivierlambert said in security breach MDS processor XEON:

Avez-vous un accès / contrôle root sur ces VM?

Yes I have root access but I am not the only one to have access

olivierlambert

If you can't control who is having access on the VMs, the risk you have is side channel attacks to try to read the memory of other VMs.

Disabling HT will workaround the issue:

If you have any untrusted code running in VMs, and need to prevent the
risk of data leakage, the only available option at the moment is to
disable hyper-threading

https://xenbits.xen.org/xsa/advisory-297.html

araxy

@olivierlambert said in security breach MDS processor XEON:

hyper-threading

Disabling hyper-threading is losing half the power of the server ...

If people have access to VM but not root, is it good?

olivierlambert

Not really half but around 30% yes. That's the cost of keeping those old CPUs if you want to be really safe.

Also, it's always a cost/risk analysis. If you think people with shell access won't be able to escalate their privileges on the OS, you could be safe. But again, it's up to you to assess the risk. Does the risk worth 30% improve power? You are the only one able to answer for your own business

edit: note that question is similar to have pro support or not for XCP-ng.

araxy

@olivierlambert

Thank you for your answer.

I think that to answer the question of support pro is much more complicated.

A small company has just as you can see the problem of changing the servers because Intel does not want to maintain the old processors. It does not really help to afford a pro support.

In all honesty, if my computer park is up to date generation level (g9, g10), the first thing I would take is XCP pro support. But now my priority will be to already change the servers

Regards

olivierlambert

Sure, I was just telling that it's always a cost/risk analysis everytime

akurzawa

@araxy said in security breach MDS processor XEON:

@olivierlambert said in security breach MDS processor XEON:

hyper-threading

Disabling hyper-threading is losing half the power of the server ...

If people have access to VM but not root, is it good?

Do You have logs for CPU usage? In my VM environment the CPU utilization is not exceeding 25% for all the time. IDK how it looks on Your site but if I would disable HT I think it wouldn't be even noticeably in a matter of performance of VM's.