[Hyper-V] Enable CONFIG_HOTPLUG_CPU in linux-azure
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
linux-azure (Ubuntu) | Fix Released | Undecided | Unassigned | |
Xenial | Fix Released | Undecided | Marcelo Cerri | |
Cosmic | Fix Released | Undecided | Marcelo Cerri | |
Disco | Fix Released | Undecided | Marcelo Cerri | |
Bug Description
We requested that CONFIG_HOTPLUG_CPU be disabled in bug 1776293. However, due to a recently discovered security issue, CONFIG_HOTPLUG_CPU needs to be re-enabled.
There are some patches on LKML to address this security issue, but they are not in the Azure kernel yet, and may not be accepted upstream in their current form. If you're interested, those two patches are available here:
https:/
https:/
https:/
To mitigate this security issue, the nosmt option needs to be passed on the boot line. However, the nosmt option will not work if CONFIG_HOTPLUG_CPU is disabled, which is the primary reason it needs to be turned back on at this time.
information type: | Private Security → Public |
Hey there, Joe! I'd like to make sure that I understand the problem a little better:
* You say that there's a security issue mitigated by "nosmt"
  - This is true, for example, with L1TF's impact on KVM (CVE-2018-3646) when SMT is in use
* You also linked to patches that fix a boot crash when "nosmt" is used when CONFIG_HOTPLUG_CPU=n
  - You said that those patches address "this security issue" but I think that may be incorrect and the source of my confusion
The above is a little confusing because I don't think those patches address a security issue. IIUC, they fix a boot crash. "nosmt" is what mitigates the security issue.
Please confirm that you'd like us to enable CONFIG_HOTPLUG_CPU until we can pull in the above patches that fix the boot crash when "nosmt" is used with CONFIG_HOTPLUG_CPU=n. Once we pull in those patches, you'd like us to disable CONFIG_HOTPLUG_CPU once again.
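
The dependency discussed in this report (the nosmt boot option only works when CONFIG_HOTPLUG_CPU is enabled) can be checked on a running guest. The script below is an added example, not part of the bug report or of the linux-azure packaging; the function names, the verdict strings and the `/boot/config-$(uname -r)` path (the usual Ubuntu location) are assumptions of this example.

```shell
#!/bin/sh
# Added example: does "nosmt" on the boot line actually take effect?
# File paths are arguments so the check also works on saved copies.

# Exit 0 if the kernel config file $1 has CONFIG_HOTPLUG_CPU=y.
config_has_hotplug_cpu() {
    [ -r "$1" ] || return 1
    grep -q '^CONFIG_HOTPLUG_CPU=y$' "$1"
}

# Exit 0 if the command line in file $1 carries nosmt or nosmt=force.
cmdline_has_nosmt() {
    [ -r "$1" ] || return 1
    tr -s '[:space:]' '\n' < "$1" | grep -Eq '^nosmt(=force)?$'
}

# Print one verdict word (the verdict names are this example's own).
#   $1 kernel config   $2 kernel command line   $3 sysfs smt/active
smt_verdict() {
    if ! cmdline_has_nosmt "$2"; then
        echo "nosmt-not-requested"
    elif ! config_has_hotplug_cpu "$1"; then
        # Per the bug report: nosmt does not work without CONFIG_HOTPLUG_CPU.
        echo "nosmt-without-hotplug-cpu"
    elif [ ! -r "$3" ]; then
        echo "smt-state-unknown"
    elif [ "$(cat "$3")" = "0" ]; then
        echo "nosmt-effective"
    else
        echo "nosmt-requested-but-smt-active"
    fi
}

# Live system; /boot/config-<release> is the usual Ubuntu location (assumption).
smt_verdict "/boot/config-$(uname -r)" /proc/cmdline \
    /sys/devices/system/cpu/smt/active
```

A verdict of `nosmt-without-hotplug-cpu` or `nosmt-requested-but-smt-active` means the mitigation was requested on the boot line but sibling threads may still be online.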