XCP-ng
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    "CROSSTalk" CPU vulnerabilty (cross-core data leak)

    Scheduled Pinned Locked Moved News
    29 Posts 8 Posters 6.4k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • DanpD Offline
      Danp Pro Support Team
      last edited by

      Has anyone else encountered this issue? Wondering if these patches should be pulled until this gets resolved.

      1 Reply Last reply Reply Quote 0
      • stormiS Offline
        stormi Vates 🪐 XCP-ng Team
        last edited by stormi

        As far as I know, those patches work well on Citrix' test hosts. They also work well on our hosts at Vates. The microcodes underwent Intel's QA so I don't expect them to break on the vast majority of hardware, though there are reports of issues with some specific models. In @demanzke's case, reverting to the previous microcode did not fix the issue so at first it doesn't look like it's related to the microcode.

        1 Reply Last reply Reply Quote 0
        • stormiS Offline
          stormi Vates 🪐 XCP-ng Team
          last edited by stormi

          Intel just released updated microcode (actually it's a revert) for some models: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases

          I'll update the microcode_ctl package. The "older" microcode that is used instead is still recent enough to contain the fixes against CROSSTalk / SRBDS. Or so I had understood, but I can't find evidence about it.

          L 1 Reply Last reply Reply Quote 1
          • D Offline
            demanzke
            last edited by

            Thanks @Biggen and @stormi
            I'll try updating then removing the microcode_ctl package tomorrow and share the results.

            1 Reply Last reply Reply Quote 0
            • M Offline
              markxc
              last edited by

              Hi do i need to patch my xenserver using AMD EPYC ? Those patches get offered to my AMD nodes by XO.
              On intel Xeon nodes it makes sense to me ....

              1 Reply Last reply Reply Quote 0
              • olivierlambertO Offline
                olivierlambert Vates 🪐 Co-Founder CEO
                last edited by

                I would say: always apply patches, but you are free to reboot when you want. Obviously, for you, it won't change anything (no microcode update) but keeping your hosts up to date is a good practice 🙂

                1 Reply Last reply Reply Quote 1
                • L Offline
                  lefty @stormi
                  last edited by

                  @stormi said in "CROSSTalk" CPU vulnerabilty (cross-core data leak):

                  Intel just released updated microcode (actually it's a revert) for some models: https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/releases

                  I'll update the microcode_ctl package. The "older" microcode that is used instead is still recent enough to contain the fixes against CROSSTalk / SRBDS. Or so I had understood, but I can't find evidence about it.

                  So should I wait applying these updates? You seem to be unsure of which microcode version to distribute.

                  1 Reply Last reply Reply Quote 0
                  • stormiS Offline
                    stormi Vates 🪐 XCP-ng Team
                    last edited by

                    I'm unsure for Skylake. Not for other CPUs.

                    1 Reply Last reply Reply Quote 0
                    • L Offline
                      lefty
                      last edited by

                      Thanks for the clarification. No Skylake present, so I will proceed.

                      1 Reply Last reply Reply Quote 0
                      • D Offline
                        demanzke
                        last edited by demanzke

                        Finally got some time to test your suggestions.
                        Removing the microcode_ctl package without dependencies did not help.
                        Here are both initial ramdisks for anyone interested to look at.

                        Reinstalling XCP, then ZFS, then updating all packages worked fine.

                        stormiS 1 Reply Last reply Reply Quote 0
                        • stormiS Offline
                          stormi Vates 🪐 XCP-ng Team @demanzke
                          last edited by

                          @demanzke So this time no boot issue after installing the update?

                          D 1 Reply Last reply Reply Quote 0
                          • D Offline
                            demanzke @stormi
                            last edited by

                            @stormi Exactly. Must've been related to something other than just the latest packages.

                            1 Reply Last reply Reply Quote 1
                            • First post
                              Last post