Advice on Spectre/Meltdown and how to mitigate performance impacts

Bug #1776755 reported by Nick Tait
This bug affects 1 person
Affects: OpenStack Security Notes
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

This bug is the result of discussions by the Security SIG. A high-level overview is here: https://ttx.re/openstack-spectre-meltdown-faq.html

A few questions to answer:
1) What is the scope of this documentation activity? Does it include all Spectre and Meltdown vulnerabilities? As far as I can tell, out of the eight spectre-ng (https://thehackernews.com/2018/05/intel-spectre-vulnerability.html) vulns, only two are publicly documented:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639

2) What is the status of mitigations in OpenStack? CPU manufacturers have not yet completed all remediation, so I believe it is not possible for performance mitigations in OpenStack to be complete. These patches are related (https://review.openstack.org/#/q/I72085016c8756ff88a4da722368f62359bcd7080) but are there others which have already been completed?

3) Can we offer any advice to operators on how to prepare for potential future discoveries in this space?
