Backport spectre/meltdown fixes on qemu for ppc64 into 16.04 and possibly 14.04 LTS releases

Bug #1765364 reported by bugproxy on 2018-04-19
Affects                           Importance   Assigned to
The Ubuntu-power-systems project  Critical     Canonical Security Team
Ubuntu-14.04                      Critical     Unassigned
Ubuntu-16.04                      Critical     Marc Deslauriers
qemu (Ubuntu)                     Critical     Unassigned
Xenial                            Critical     Unassigned

Bug Description

== Comment: #0 - Satheesh Rajendran <email address hidden> - 2018-04-19 04:26:51 ==
---Problem Description---
Backport spectre/meltdown fixes on qemu for ppc64 into all LTS releases

Contact Information = <email address hidden>

---uname output---
-

Machine Type = power8,power9

---Debugger---
A debugger is not configured

---Steps to Reproduce---
For pseries guests there are 3 tri-state -machine options/capabilities relating to Spectre/Meltdown mitigation: cap-cfpc, cap-sbbc, cap-ibs, which each correspond to a set of host machine capabilities advertised by the KVM kernel module in new/patched host kernels that can be used to mitigate various aspects of Spectre/Meltdown:

cap-cfpc: Cache Flush on Privilege Change
cap-sbbc: Speculation Barrier Bounds Checking
cap-ibs: Indirect Branch Serialisation

Details can be found here https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/

Needed qemu commits:

cb931c2108 target/ppc: Check mask when setting cap_ppc_safe_indirect_branch
4f5b039d2b ppc/spapr-caps: Disallow setting workaround for spapr-cap-ibs
8c5909c419 ppc/spapr-caps: Change migration macro to take full spapr-cap name
c59704b254 target/ppc/spapr: Add H-Call H_GET_CPU_CHARACTERISTICS
4be8d4e7d9 target/ppc/spapr_caps: Add new tristate cap safe_indirect_branch
09114fd817 target/ppc/spapr_caps: Add new tristate cap safe_bounds_check
8f38eaf8f9 target/ppc/spapr_caps: Add new tristate cap safe_cache
6898aed77f target/ppc/spapr_caps: Add support for tristate spapr_capabilities
8acc2ae5e9 target/ppc/kvm: Add cap_ppc_safe_[cache/bounds_check/indirect_branch]

Optional commits that introduce a machine type variant pseries-<release>-sxxm; when used, it automatically sets/enables the three machine capabilities explained above if the host is capable (i.e. the host kernel is supported). Bug 166426
813f3cf655 ppc/spapr-caps: Define the pseries-2.12-sxxm machine type
c76c0d3090 ppc/spapr-caps: Convert cap-ibs to custom spapr-cap
aaf265ffde ppc/spapr-caps: Convert cap-sbbc to custom spapr-cap
f27aa81e72 ppc/spapr-caps: Convert cap-cfpc to custom spapr-cap
87175d1bc5 ppc/spapr-caps: Add support for custom spapr_capabilities

Userspace tool common name: qemu-kvm

The userspace tool has the following bit modes: both

Userspace rpm: qemu-kvm

Userspace tool obtained from project website: na

*Additional Instructions for <email address hidden>:
-Attach ltrace and strace of userspace application.

bugproxy (bugproxy) on 2018-04-19
tags: added: architecture-ppc64le bugnameltc-166958 severity-critical targetmilestone-inin---
Changed in ubuntu:
assignee: nobody → Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage)
affects: ubuntu → qemu (Ubuntu)
Changed in ubuntu-power-systems:
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
tags: added: triage-g

Hi,
thanks for breaking this out of bug 1761372 (which was about the new machine type in 18.04).

I personally Nack the backport of the machine type changes, but the last call will be the Security Team. Thanks a lot for listing them separately.

Also, the Security Team likely has the best overview of the progress of the related kernel patches.
If you have the list at hand (or a bug where they were processed), it would surely be a great help to list the references here as well.

Assigning to mdeslaur for initial triage by Server team.

Changed in qemu (Ubuntu):
assignee: Ubuntu on IBM Power Systems Bug Triage (ubuntu-power-triage) → Marc Deslauriers (mdeslaur)

s/Server team/Security team/ in the last sentence

Changed in ubuntu-power-systems:
assignee: Canonical Kernel Team (canonical-kernel-team) → Canonical Security Team (canonical-security)
Manoj Iyer (manjo) on 2018-04-23
Changed in qemu (Ubuntu):
importance: Undecided → Critical
information type: Public → Public Security
summary: - Backport spectre/meltdown fixes on qemu for ppc64 into all LTS releases
+ Backport spectre/meltdown fixes on qemu for ppc64 into 16.04 and
+ possibly 14.04 LTS releases
Manoj Iyer (manjo) on 2018-06-11
tags: added: triage-a
removed: triage-g
Emily Ratliff (emilyr) wrote :

This is a tricky backport. Would IBM be able to help with this backport?

------- Comment From <email address hidden> 2018-06-18 23:22 EDT-------
Is a list of the relevant kernel patches still required for this bug?

What help is required for this backport?

Andrew Cloke (andrew-cloke) wrote :

From discussions with Emily, I believe the Security team are looking for a complete backport that cleanly applies to the qemu versions in 14.04 and 16.04.

Emily, please correct me if I've got this wrong.

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-07-17 15:43 EDT-------
Each company might be waiting on each other for this one.
To clarify: Is Canonical's request for IBM to provide complete backports for qemu in versions 14.04 and 16.04, supplemental information to the qemu commit list provided earlier, or something else?
Thanks.

Frank Heimes (frank-heimes) wrote :

Yes, the Security team asked for the complete backports to be done, which can then be applied to qemu-kvm in 14.04 and 16.04.

Changed in ubuntu-power-systems:
status: Triaged → Incomplete
Changed in ubuntu-power-systems:
assignee: Canonical Security Team (canonical-security) → nobody
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-07-23 01:57 EDT-------
Happy to do the backport.
But can someone point me to where I can find the relevant ubuntu qemu trees the patches need to apply to?

Dimitri John Ledkov (xnox) wrote :

git clone https://git.launchpad.net/ubuntu/+source/qemu

Should give you all ubuntu releases of qemu for all series, with distro-patches applied and without.

I think the best starting points for you to use would be on top of origin/applied/ubuntu/bionic-devel and on top of origin/applied/ubuntu/xenial-devel.

If you can produce a `$ git format-patch` patch series that applies cleanly on top of those trees, it should be easy enough for the server team to integrate.

Note I don't think the above git tree shares a common history with the upstream qemu repository; however, cherry-picking commit ranges should still work correctly.

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-07-30 22:03 EDT-------
Taking a look at bionic-devel, it looks like all the relevant patches have already been backported as of 13 Jun.

commit 88bd38f84c0ec61729f2502cc87613186e36da81
Author: Christian Ehrhardt <email address hidden>
Date: Wed Jun 13 10:41:34 2018 +0200

[PATCH] ppc/spapr-caps: Define the pseries-2.12-sxxm machine type
Gbp-Pq: ubuntu/lp-1761372-7-ppc-spapr-caps-Define-the-pseries-2.12-sxxm-machine-.patch.

I will prepare a patch set for the xenial-devel branch.

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-08-01 02:08 EDT-------
Patches backported to xenial-devel and pushed here:
https://github.com/sjitindarsingh/qemu/tree/ubuntu-xenial-devel

Dimitri John Ledkov (xnox) wrote :

Marking qemu package tasks to affect the xenial series only, then.

Changed in qemu (Ubuntu):
status: New → Fix Released
Changed in qemu (Ubuntu Xenial):
importance: Undecided → Critical
Changed in qemu (Ubuntu):
assignee: Marc Deslauriers (mdeslaur) → nobody
Marc Deslauriers (mdeslaur) wrote :

Thanks for the backported commits. I have prepared a test package that includes them in the following PPA:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Please confirm it works properly on the relevant hardware, and I will include the fixes in the next round of qemu security updates.

Thanks!

Manoj Iyer (manjo) on 2018-08-06
Changed in ubuntu-power-systems:
status: Incomplete → In Progress
Marc Deslauriers (mdeslaur) wrote :

Hi,

Has someone from IBM had a chance to try the test package listed in comment #13?

Thanks!

Manoj Iyer (manjo) on 2018-08-15
Changed in ubuntu-power-systems:
assignee: nobody → Canonical Security Team (canonical-security)
Marc Deslauriers (mdeslaur) wrote :

ping?

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-09-21 14:06 EDT-------
(In reply to comment #25)
> ping?

Hitting and blocked by an installation failure for Trusty: https://bugs.launchpad.net/ubuntu/+source/grub2/+bug/1792948/comments/3

Please suggest any alternative ways to test.

Thanks in advance.

Regards,
-Satheesh

Marc Deslauriers (mdeslaur) wrote :

The test package is for Xenial, not for Trusty. Does that installation failure affect Xenial also?

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2018-09-25 13:55 EDT-------
(In reply to comment #27)
> The test package is for Xenial, not for Trusty. Does that installation
> failure affect Xenial also?

My bad, I mistook it for Trusty.

Xenial installation has no issues, and I tested the qemu package at the level below:

HW: Power8
FW: latest, contains spectre/meltdown fixes (FW860.60 (SV860_174) (b))
# cd /sys/firmware/devicetree/base/ibm,opal/fw-features
# ls -1 */enabled
fw-branch-hints-honored/enabled
fw-count-cache-disabled/enabled
inst-l1d-flush-ori30,30,0/enabled
inst-spec-barrier-ori31,31,0/enabled
needs-l1d-flush-msr-hv-1-to-0/enabled
needs-l1d-flush-msr-pr-0-to-1/enabled
needs-spec-barrier-for-bound-checks/enabled
speculation-policy-favor-security/enabled
tm-suspend-mode/enabled

Host Kernel: 4.15.0-34-generic

qemu:
ri qemu-system-ppc 1:2.5+dfsg-5ubuntu10.32~test1 ppc64el QEMU full system emulation binaries (ppc)
ii qemu-kvm 1:2.5+dfsg-5ubuntu10.32~test1 ppc64el QEMU Full virtualization

guest: ubuntu18.10(4.17.0-9-generic)

# kvm -M pseries,cap-sbbc=workaround,cap-cfpc=workaround -smp 4 -m 8192 -serial mon:stdio -enable-kvm -vga none -nographic ~/ubuntu1810-ppc64le.qcow2
qemu-system-ppc64: Requested safe cache capability level not supported by kvm, try cap-cfpc=broken

#
Looks like some patches are missing from the backport?

Probably the patch below? Not sure though:

https://github.com/qemu/qemu/commit/b2540203bdf4a390c3489146eae82ce237303653#diff-b0796c6a577709f249c7c5d96b9ea049

@Suraj,
Could you please help here, thanks in advance.

Regards,
-Satheesh.
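
The following is an added example, not code from QEMU or from this bug report. It models in plain Python the logic behind the error reproduced in the comment above and the tri-state caps described in the bug description: each of cap-cfpc, cap-sbbc and cap-ibs is requested on the -machine line as broken, workaround or fixed; QEMU asks the KVM module what level the host can actually provide; and the guest is refused if the request exceeds the host level. The ordering broken < workaround < fixed follows the QEMU 2.11.1 announcement linked in the description. The host levels used here are constructed sample data, not values probed from real hardware, and `parse_machine_opts`, `check_caps` and `thread_scenario` are names chosen for this example.

```python
"""Model of QEMU's tri-state spapr capability check for pseries guests.

Added illustration (not QEMU's own code). It reproduces the shape of the
check behind the message seen in this bug:
    "Requested safe cache capability level not supported by kvm, try cap-cfpc=broken"
The host levels are constructed for the demonstration; on a real host they
come from what the KVM module reports to QEMU.
"""

# Tri-state levels, ordered from "no mitigation" to "hardware fixed".
LEVELS = {"broken": 0, "workaround": 1, "fixed": 2}
LEVEL_NAMES = {v: k for k, v in LEVELS.items()}

# Machine option -> wording QEMU uses for that capability in its messages.
CAP_DESCRIPTION = {
    "cap-cfpc": "safe cache",            # Cache Flush on Privilege Change
    "cap-sbbc": "safe bounds check",     # Speculation Barrier Bounds Checking
    "cap-ibs": "safe indirect branch",   # Indirect Branch Serialisation
}


def parse_machine_opts(machine):
    """Parse the value of -M, e.g. 'pseries,cap-sbbc=workaround,cap-cfpc=workaround'.

    Returns a dict with all three caps present. Caps not named on the command
    line default to 'broken' (no mitigation), the default the QEMU 2.11.1
    announcement describes for the plain pseries machine types. Other
    -machine options are ignored; an invalid level raises ValueError.
    """
    parts = machine.split(",")
    if not parts[0].startswith("pseries"):
        raise ValueError("unsupported machine type: %s" % parts[0])
    requested = {cap: "broken" for cap in CAP_DESCRIPTION}
    for item in parts[1:]:
        key, _, value = item.partition("=")
        if key not in CAP_DESCRIPTION:
            continue  # e.g. accel=, usb=; not modelled here
        if value not in LEVELS:
            raise ValueError("invalid value '%s' for %s; expected one of %s"
                             % (value, key, ", ".join(LEVELS)))
        requested[key] = value
    return requested


def check_caps(requested, host_levels):
    """Compare requested levels against what the host (KVM) can provide.

    Returns one error string per capability whose requested level is higher
    than the host level; an empty list means the guest would start. A host
    that does not report a cap at all is treated as 'broken', which is why a
    missing detection patch on either the kernel or the QEMU side makes a
    'workaround' request fail.
    """
    errors = []
    for cap, desc in CAP_DESCRIPTION.items():
        want = LEVELS[requested.get(cap, "broken")]
        have = LEVELS[host_levels.get(cap, "broken")]
        if want > have:
            errors.append("Requested %s capability level not supported by kvm, "
                          "try %s=%s" % (desc, cap, LEVEL_NAMES[have]))
    return errors


def thread_scenario():
    """The command line from the comment above against a constructed host that
    reports cap-sbbc=workaround but nothing for cap-cfpc (sample data)."""
    requested = parse_machine_opts("pseries,cap-sbbc=workaround,cap-cfpc=workaround")
    host = {"cap-sbbc": "workaround"}  # constructed: cfpc and ibs not advertised
    return check_caps(requested, host)


if __name__ == "__main__":
    for err in thread_scenario():
        print("qemu-system-ppc64: " + err)
```

The useful reading of the model for this bug: the failure is not a rejection of the guest configuration as such, but QEMU reporting that the host side never advertised the "safe cache" level, so the next thing to verify is whether the host kernel and the backported QEMU both carry the detection code for that capability.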

Andrew Cloke (andrew-cloke) wrote :

Marking as incomplete while IBM confirms whether an additional qemu patch is required.

Changed in ubuntu-power-systems:
status: In Progress → Incomplete