intel

Bug #1828495
Comment #18

Comment 18 for bug 1828495

Revision history for this message

Rafael David Tinoco (rafaeldtinoco) wrote on 2019-06-21:

#18

*) SUMMARY:

In between the old and new QEMU, changed results for the mitigations checker was:

#### DIFF between old QEMU and this new one

Hardware check

* Hardware support (CPU microcode) for mitigation techniques

  * Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability: YES
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability: YES

* CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO): YES

* CPU/Hypervisor indicates L1D flushing is not necessary on this system: NO

--------

* CPU vulnerability to the speculative execution attack variants

  * Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load): NO
  * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault): NO
  * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault): NO

--------

## CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'

OLD QEMU:

* Mitigated according to the /sys interface: YES (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling)
* Mitigation 1
  * Kernel is compiled with IBRS support: YES
    * IBRS enabled and active: YES (for firmware code only)
  * Kernel is compiled with IBPB support: YES
    * IBPB enabled and active: YES
* Mitigation 2
  * Kernel has branch predictor hardening (arm): NO
  * Kernel compiled with retpoline option: YES
    * Kernel compiled with a retpoline-aware compiler: YES (kernel reports full retpoline compilation)
  * Kernel supports RSB filling: YES

> STATUS: NOT VULNERABLE (Full retpoline + IBPB are mitigating the vulnerability)

NEW QEMU:

* Mitigated according to the /sys interface: YES (Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling)
* Mitigation 1
  * Kernel is compiled with IBRS support: YES
    * IBRS enabled and active: YES
  * Kernel is compiled with IBPB support: YES
    * IBPB enabled and active: YES
* Mitigation 2
  * Kernel has branch predictor hardening (arm): NO
  * Kernel compiled with retpoline option: YES
  * Kernel supports RSB filling: YES

> STATUS: NOT VULNERABLE (IBRS + IBPB are mitigating the vulnerability)

## CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'

OLD QEMU:

* Mitigated according to the /sys interface: YES (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: YES
* Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO

> STATUS: NOT VULNERABLE (Mitigation: PTI)

NEW QEMU:

* Mitigated according to the /sys interface: YES (Not affected)
* Kernel supports Page Table Isolation (PTI): YES
* PTI enabled and active: NO
* Reduced performance impact of PTI: YES (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU: NO

> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)

OLD QEMU:

## CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'

* Mitigated according to the /sys interface: YES (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)
* Kernel supports PTE inversion: YES (found in kernel image)
* PTE inversion enabled and active: YES

> STATUS: NOT VULNERABLE (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)

NEW QEMU:

## CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'

* CPU microcode mitigates the vulnerability: N/A

> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)

OLD QEMU:

## CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'

* Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
* This system is a host running a hypervisor: NO
* Mitigation 1 (KVM)
  * EPT is disabled: NO
* Mitigation 2
  * L1D flush is supported by kernel: YES (found flush_l1d in kernel image)
  * L1D flush enabled: YES (conditional flushes)
  * Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower)
  * Hyper-Threading (SMT) is enabled: NO

> STATUS: NOT VULNERABLE (this system is not running a hypervisor)

## CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'

* Information from the /sys interface: Not affected
* This system is a host running a hypervisor: NO
* Mitigation 1 (KVM)
  * EPT is disabled: NO
* Mitigation 2
  * L1D flush is supported by kernel: YES (found flush_l1d in kernel image)
  * L1D flush enabled: NO
  * Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower)
  * Hyper-Threading (SMT) is enabled: NO

> STATUS: NOT VULNERABLE (your CPU vendor reported your CPU model as not vulnerable)

*) SUMMARY:

In between the old and new QEMU, changed results for the mitigations checker was:

#### DIFF between old QEMU and this new one

Hardware check

* Hardware support (CPU microcode) for mitigation techniques

* Enhanced IBRS (IBRS_ALL)
    * CPU indicates ARCH_CAPABILITIES MSR availability:  YES
    * ARCH_CAPABILITIES MSR advertises IBRS_ALL capability:  YES

* CPU explicitly indicates not being vulnerable to Meltdown/L1TF (RDCL_NO):  YES

* CPU/Hypervisor indicates L1D flushing is not necessary on this system:  NO

--------

* CPU vulnerability to the speculative execution attack variants

* Vulnerable to CVE-2017-5754 (Variant 3, Meltdown, rogue data cache load):  NO
  * Vulnerable to CVE-2018-3620 (Foreshadow-NG (OS), L1 terminal fault):  NO
  * Vulnerable to CVE-2018-3646 (Foreshadow-NG (VMM), L1 terminal fault):  NO

--------

## CVE-2017-5715 aka 'Spectre Variant 2, branch target injection'

OLD QEMU:

* Mitigated according to the /sys interface:  YES  (Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: disabled, RSB filling)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES
    * IBRS enabled and active:  YES  (for firmware code only)
  * Kernel is compiled with IBPB support:  YES
    * IBPB enabled and active:  YES
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO
  * Kernel compiled with retpoline option:  YES
    * Kernel compiled with a retpoline-aware compiler:  YES  (kernel reports full retpoline compilation)
  * Kernel supports RSB filling:  YES

> STATUS:  NOT VULNERABLE  (Full retpoline + IBPB are mitigating the vulnerability)

NEW QEMU:

* Mitigated according to the /sys interface:  YES  (Mitigation: Enhanced IBRS, IBPB: conditional, RSB filling)
* Mitigation 1
  * Kernel is compiled with IBRS support:  YES
    * IBRS enabled and active:  YES
  * Kernel is compiled with IBPB support:  YES
    * IBPB enabled and active:  YES
* Mitigation 2
  * Kernel has branch predictor hardening (arm):  NO
  * Kernel compiled with retpoline option:  YES
  * Kernel supports RSB filling:  YES

> STATUS:  NOT VULNERABLE  (IBRS + IBPB are mitigating the vulnerability)

## CVE-2017-5754 aka 'Variant 3, Meltdown, rogue data cache load'

OLD QEMU:

* Mitigated according to the /sys interface:  YES  (Mitigation: PTI)
* Kernel supports Page Table Isolation (PTI):  YES
  * PTI enabled and active:  YES
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU:  NO

> STATUS:  NOT VULNERABLE  (Mitigation: PTI)

NEW QEMU:

* Mitigated according to the /sys interface:  YES  (Not affected)
* Kernel supports Page Table Isolation (PTI):  YES
  * PTI enabled and active:  NO
  * Reduced performance impact of PTI:  YES  (CPU supports INVPCID, performance impact of PTI will be greatly reduced)
* Running as a Xen PV DomU:  NO

> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

OLD QEMU:

## CVE-2018-3620 aka 'Foreshadow-NG (OS), L1 terminal fault'

* Mitigated according to the /sys interface:  YES  (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)
* Kernel supports PTE inversion:  YES  (found in kernel image)
* PTE inversion enabled and active:  YES

> STATUS:  NOT VULNERABLE  (Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled)

NEW QEMU:

## CVE-2018-3615 aka 'Foreshadow (SGX), L1 terminal fault'

* CPU microcode mitigates the vulnerability:  N/A

> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)

OLD QEMU:

## CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'

* Information from the /sys interface: Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT disabled
* This system is a host running a hypervisor:  NO
* Mitigation 1 (KVM)
  * EPT is disabled:  NO
* Mitigation 2
  * L1D flush is supported by kernel:  YES  (found flush_l1d in kernel image)
  * L1D flush enabled:  YES  (conditional flushes)
  * Hardware-backed L1D flush supported:  NO  (flush will be done in software, this is slower)
  * Hyper-Threading (SMT) is enabled:  NO

> STATUS:  NOT VULNERABLE  (this system is not running a hypervisor)

## CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'

* Information from the /sys interface: Not affected
* This system is a host running a hypervisor:  NO
* Mitigation 1 (KVM)
  * EPT is disabled:  NO
* Mitigation 2
  * L1D flush is supported by kernel:  YES  (found flush_l1d in kernel image)
  * L1D flush enabled:  NO
  * Hardware-backed L1D flush supported:  NO  (flush will be done in software, this is slower)
  * Hyper-Threading (SMT) is enabled:  NO

> STATUS:  NOT VULNERABLE  (your CPU vendor reported your CPU model as not vulnerable)