Comment 9 for bug 1840745

Christian Ehrhardt  (paelzer) wrote :

Testing Bionic:

Diff pre/post output:
virsh capabilities:
--- cap.old 2019-09-13 07:47:39.904489440 +0000
+++ cap.new 2019-09-13 07:54:17.141044569 +0000
@@ -26,6 +26,7 @@
       <feature name='perfctr_core'/>
       <feature name='perfctr_nb'/>
       <feature name='invtsc'/>
+ <feature name='amd-ssbd'/>
       <pages unit='KiB' size='4'/>
       <pages unit='KiB' size='2048'/>
       <pages unit='KiB' size='1048576'/>

virsh domcapabilities:
--- dcap.old 2019-09-13 07:47:45.944614794 +0000
+++ dcap.new 2019-09-13 07:54:09.708864451 +0000
@@ -30,6 +30,7 @@
       <feature policy='require' name='topoext'/>
       <feature policy='require' name='perfctr_core'/>
       <feature policy='require' name='invtsc'/>
+ <feature policy='require' name='amd-ssbd'/>
       <feature policy='disable' name='monitor'/>
     </mode>
     <mode name='custom' supported='yes'>
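Review bot: the policy='require' entry for amd-ssbd under host-model is what makes a host-model guest receive amd-ssbd=on, but it only applies to guests started (or restarted) after the libvirt upgrade; a guest left running across the upgrade keeps the -cpu line it was launched with. A verification on an already-running guest therefore needs a shutdown and start after the package upgrade, not just the upgrade itself, before checking the qemu command line.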

Upgrade:
$ sudo apt install libvirt-daemon-system
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  libvirt-clients libvirt-daemon libvirt-daemon-driver-storage-rbd libvirt0
Suggested packages:
  libvirt-daemon-driver-storage-gluster libvirt-daemon-driver-storage-sheepdog libvirt-daemon-driver-storage-zfs numad radvd auditd systemtap nfs-common zfsutils pm-utils
The following packages will be upgraded:
  libvirt-clients libvirt-daemon libvirt-daemon-driver-storage-rbd libvirt-daemon-system libvirt0
5 upgraded, 0 newly installed, 0 to remove and 14 not upgraded.
Need to get 4116 kB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] Y
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libvirt-daemon-driver-storage-rbd amd64 4.0.0-1ubuntu8.13 [15.4 kB]
Get:2 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libvirt-daemon-system amd64 4.0.0-1ubuntu8.13 [80.7 kB]
Get:3 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libvirt-daemon amd64 4.0.0-1ubuntu8.13 [2176 kB]
Get:4 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libvirt-clients amd64 4.0.0-1ubuntu8.13 [596 kB]
Get:5 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 libvirt0 amd64 4.0.0-1ubuntu8.13 [1248 kB]
Fetched 4116 kB in 1s (4660 kB/s)
Preconfiguring packages ...
(Reading database ... 71127 files and directories currently installed.)
Preparing to unpack .../libvirt-daemon-driver-storage-rbd_4.0.0-1ubuntu8.13_amd64.deb ...
Unpacking libvirt-daemon-driver-storage-rbd (4.0.0-1ubuntu8.13) over (4.0.0-1ubuntu8.12) ...
Preparing to unpack .../libvirt-daemon-system_4.0.0-1ubuntu8.13_amd64.deb ...
Unpacking libvirt-daemon-system (4.0.0-1ubuntu8.13) over (4.0.0-1ubuntu8.12) ...
Preparing to unpack .../libvirt-daemon_4.0.0-1ubuntu8.13_amd64.deb ...
Unpacking libvirt-daemon (4.0.0-1ubuntu8.13) over (4.0.0-1ubuntu8.12) ...
Preparing to unpack .../libvirt-clients_4.0.0-1ubuntu8.13_amd64.deb ...
Unpacking libvirt-clients (4.0.0-1ubuntu8.13) over (4.0.0-1ubuntu8.12) ...
Preparing to unpack .../libvirt0_4.0.0-1ubuntu8.13_amd64.deb ...
Unpacking libvirt0:amd64 (4.0.0-1ubuntu8.13) over (4.0.0-1ubuntu8.12) ...
Setting up libvirt0:amd64 (4.0.0-1ubuntu8.13) ...
Setting up libvirt-daemon (4.0.0-1ubuntu8.13) ...
Setting up libvirt-clients (4.0.0-1ubuntu8.13) ...
Setting up libvirt-daemon-system (4.0.0-1ubuntu8.13) ...
virtlockd.service is a disabled or a static unit, not starting it.
Setting up libvirt-daemon dnsmasq configuration.
Setting up libvirt-daemon-driver-storage-rbd (4.0.0-1ubuntu8.13) ...
Processing triggers for systemd (237-3ubuntu10.29) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for libc-bin (2.27-3ubuntu1) ...

I further used the named feature, e.g.:
    <feature policy='disable' name='amd-ssbd'/>
in the guest config, and it was recognized and carried into the qemu cmdline:
    -cpu EPYC-IBPB,...,amd-ssbd=off

Without that disable entry, host-model now passes:
 ...,amd-ssbd=on

The spectre checker shows the difference: the guest now gets the fix we wanted it to have.
--- old.log 2019-09-13 08:01:49.919323740 +0000
+++ new.log 2019-09-13 08:02:45.244000000 +0000
@@ -10 +10 @@
- * SPEC_CTRL MSR is available: NO
+ * SPEC_CTRL MSR is available: YES
@@ -18 +18 @@
- * SPEC_CTRL MSR is available: NO
+ * SPEC_CTRL MSR is available: YES
@@ -22 +22 @@
- * CPU indicates SSBD capability: YES (AMD non-architectural MSR)
+ * CPU indicates SSBD capability: YES (AMD SSBD in SPEC_CTRL)
@@ -77 +77 @@
-* Mitigated according to the /sys interface: NO (Vulnerable)
+* Mitigated according to the /sys interface: YES (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
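Review bot: the /sys line is the one an automated check should key on, not the capability line in the hunk above: before the upgrade the checker already reported "CPU indicates SSBD capability: YES" (via the AMD non-architectural MSR) while /sys still said Vulnerable, so a test asserting only on the capability line would have passed on the unfixed guest. Read /sys/devices/system/cpu/vulnerabilities/spec_store_bypass inside the guest and require a "Mitigation:" prefix.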
@@ -79,2 +79,3 @@
-* SSB mitigation is enabled and active: NO
-> STATUS: VULNERABLE (your CPU and kernel both support SSBD but the mitigation is not active)
+* SSB mitigation is enabled and active: YES (per-thread through prctl)
+* SSB mitigation currently active for selected processes: YES (systemd-hostnamed systemd-journald systemd-logind systemd-networkd systemd-resolved systemd-timesyncd systemd-udevd)
+> STATUS: NOT VULNERABLE (Mitigation: Speculative Store Bypass disabled via prctl and seccomp)
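Review bot: "per-thread through prctl" and the short list of systemd services in the "active for selected processes" line mean the guest kernel is in its prctl/seccomp mode, where only processes that opt in (via prctl or a seccomp filter) get the store-bypass mitigation; other workloads in the guest remain unmitigated even though the checker now says NOT VULNERABLE. If the guest needs blanket coverage, boot it with spec_store_bypass_disable=on and re-run the checker, which should then report the mitigation as global rather than per-thread.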
@@ -131 +132 @@
-> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:KO CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK
+> SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK CVE-2018-12126:OK CVE-2018-12130:OK CVE-2018-12127:OK CVE-2019-11091:OK

With that confirmed, setting verified.
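The four checks performed in this comment (the feature in virsh capabilities, its host-model policy in virsh domcapabilities, the flag on the qemu -cpu line, and the guest's /sys status) as one scripted verification. This is an added example and is not code from the bug report, from libvirt or from the spectre checker; the XML fragments, qemu command line and sysfs strings at the bottom are constructed to mirror the output above so the script runs offline, and the live-use commands in the header comment assume you supply your own guest's QEMU PID as QEMU_PID.

```shell
# Added end-to-end check for the amd-ssbd verification described in the comment.
# Example code, not part of the bug report or the libvirt packages. The sample
# inputs at the bottom are constructed; for live use substitute real data, e.g.
#   caps_has_feature       "$(virsh capabilities)" amd-ssbd
#   domcaps_feature_policy "$(virsh domcapabilities)" amd-ssbd
#   qemu_cpu_feature       "$(ps -o args= -p "$QEMU_PID")" amd-ssbd      # on the host, QEMU_PID assumed
#   sysfs_ssb_status "$(cat /sys/devices/system/cpu/vulnerabilities/spec_store_bypass)"  # inside the guest

# (a) Host capabilities: is <feature name='X'/> advertised at all?
caps_has_feature() {            # $1 = virsh capabilities XML, $2 = feature name
    if printf '%s\n' "$1" | grep -q "<feature name='$2'/>"; then
        echo present
    else
        echo absent
    fi
}

# (b) Domain capabilities: which policy does host-model attach to the feature?
# Prints the policy value libvirt uses (require, disable, ...) or "absent".
domcaps_feature_policy() {      # $1 = virsh domcapabilities XML, $2 = feature name
    policy=$(printf '%s\n' "$1" \
        | sed -n "s/.*<feature policy='\([a-z]*\)' name='$2'\/>.*/\1/p" | head -n 1)
    echo "${policy:-absent}"
}

# (c) QEMU command line: state of the feature inside the -cpu argument.
# Understands the feat=on/off form seen in the report and the legacy +feat/-feat form.
qemu_cpu_feature() {            # $1 = qemu command line, $2 = feature name
    cpu=$(printf '%s\n' "$1" | sed -n 's/.*-cpu \([^ ]*\).*/\1/p' | head -n 1)
    state=absent
    case ",$cpu," in
        *",$2=on,"*|*",+$2,"*)   state=on ;;
        *",$2=off,"*|*",-$2,"*)  state=off ;;
    esac
    echo "$state"
}

# (d) Guest kernel view: contents of /sys/devices/system/cpu/vulnerabilities/spec_store_bypass.
sysfs_ssb_status() {            # $1 = contents of that file
    case "$1" in
        "Mitigation: "*) echo mitigated ;;
        "Not affected")  echo not-affected ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Overall verdict for a host-model guest that should inherit the mitigation.
# Prints the first failing step or a success message; exit status follows.
verify_amd_ssbd() {             # $1 caps XML, $2 domcaps XML, $3 qemu cmdline, $4 sysfs text
    [ "$(caps_has_feature "$1" amd-ssbd)" = present ] \
        || { echo "host does not advertise amd-ssbd"; return 1; }
    [ "$(domcaps_feature_policy "$2" amd-ssbd)" = require ] \
        || { echo "host-model does not require amd-ssbd"; return 1; }
    [ "$(qemu_cpu_feature "$3" amd-ssbd)" = on ] \
        || { echo "guest was started without amd-ssbd=on"; return 1; }
    [ "$(sysfs_ssb_status "$4")" = mitigated ] \
        || { echo "guest kernel reports no SSB mitigation"; return 1; }
    echo "amd-ssbd verified end to end"
}

# --- constructed sample inputs, pre- and post-update, modelled on the report ---
CAPS_OLD="<capabilities><host><cpu>
      <feature name='perfctr_core'/>
      <feature name='invtsc'/>
</cpu></host></capabilities>"
CAPS_NEW="<capabilities><host><cpu>
      <feature name='perfctr_core'/>
      <feature name='invtsc'/>
      <feature name='amd-ssbd'/>
</cpu></host></capabilities>"
DOMCAPS_OLD="<mode name='host-model' supported='yes'>
      <feature policy='require' name='invtsc'/>
      <feature policy='disable' name='monitor'/>
    </mode>"
DOMCAPS_NEW="<mode name='host-model' supported='yes'>
      <feature policy='require' name='invtsc'/>
      <feature policy='require' name='amd-ssbd'/>
      <feature policy='disable' name='monitor'/>
    </mode>"
QEMU_OLD="qemu-system-x86_64 -name guest=b1 -cpu EPYC-IBPB,x2apic=on,invtsc=on,monitor=off -m 2048"
QEMU_NEW="qemu-system-x86_64 -name guest=b1 -cpu EPYC-IBPB,x2apic=on,invtsc=on,amd-ssbd=on,monitor=off -m 2048"
SYSFS_OLD="Vulnerable"
SYSFS_NEW="Mitigation: Speculative Store Bypass disabled via prctl and seccomp"

echo "pre-update:  $(verify_amd_ssbd "$CAPS_OLD" "$DOMCAPS_OLD" "$QEMU_OLD" "$SYSFS_OLD")"
echo "post-update: $(verify_amd_ssbd "$CAPS_NEW" "$DOMCAPS_NEW" "$QEMU_NEW" "$SYSFS_NEW")"
```

The checks are ordered host-side first so that a failure names the earliest link in the chain (libvirt not exposing the feature, host-model not requiring it, guest not restarted since the upgrade) rather than only the guest-side symptom. The sysfs check deliberately accepts only a "Mitigation:" prefix; the prctl/seccomp mode the report shows still counts as mitigated here, so readers who need blanket coverage should additionally inspect the mitigation text for "disabled via prctl" and decide whether that is sufficient for the guest's workload.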