OS-7125: Need mitigation of L1TF (CVE-2018-3646)

Details

Issue Type: Bug
Priority: 4 - Normal
Status: Resolved
Created at: 2018-08-14T18:06:36.402Z
Updated at: 2019-09-04T12:09:24.911Z

People

Created by: John Levon [X]
Reported by: John Levon [X]
Assigned to: John Levon [X]

Resolution

Fixed: A fix for this issue is checked into the tree and tested.
(Resolution Date: 2018-08-14T21:40:45.221Z)

Fix Versions

2018-08-16 Yuffie's House (Release Date: 2018-08-16)

Description

We need mitigation for the VMM variant of L1TF.

Comments

Comment by John Levon [X]
Created at 2018-08-14T19:13:53.637Z

These bits have been tested with KVM and bhyve, on a two-socket system, as well as sanity checked under VMware.

A boot with HT disabled in the BIOS was done to confirm it falls back correctly.

Various different stress tests were done:

In addition, a range of tests was done by Angela, Max and co, including cassandra-test runs, as covered in QA-285.


Comment by John Levon [X]
Created at 2018-08-14T19:16:36.170Z

I forgot to mention the most important test: I ran my L1TF proof of concept (basically, force a host process to share a core with a malicious guest that is executing a modified Meltdown code to peek at a given physical address) with HT exclusion enabled. In various different configurations, exclusion prevented the exploit from working.


Comment by Jira Bot
Created at 2018-08-14T21:20:19.702Z

illumos-joyent commit 4f3af6ac0e7bc423c116341136c1757ff948a506 (branch master, by John Levon)

OS-7125 Need mitigation of L1TF (CVE-2018-3646)
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Approved by: Robert Mustacchi <rm@joyent.com>


Comment by Jira Bot
Created at 2018-08-14T21:20:34.683Z

illumos-kvm commit e05dd9f674b33879dce5db3fe3187092b4a0e24e (branch master, by John Levon)

OS-7125 Need mitigation of L1TF (CVE-2018-3646)
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Approved by: Robert Mustacchi <rm@joyent.com>


Comment by Jira Bot
Created at 2018-08-15T02:08:34.977Z

illumos-kvm commit 2ceb2a6fd7934a9d62d0101939efc728e3c27528 (branch release-20180802, by John Levon)

OS-7125 Need mitigation of L1TF (CVE-2018-3646)
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Approved by: Robert Mustacchi <rm@joyent.com>


Comment by Jira Bot
Created at 2018-08-15T02:08:37.148Z

illumos-joyent commit 89d0fffcadbabb8694d3ce87b5be826e2b789c99 (branch release-20180802, by John Levon)

OS-7125 Need mitigation of L1TF (CVE-2018-3646)
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Approved by: Robert Mustacchi <rm@joyent.com>