| Issue Type: | Improvement |
|---|---|
| Priority: | 4 - Normal |
| Status: | Resolved |
| Created at: | 2019-05-16T18:37:56.192Z |
| Updated at: | 2019-05-22T18:42:59.200Z |
| Created by: | Former user |
| Reported by: | Former user |
| Assigned to: | Former user |
Fixed: A fix for this issue is checked into the tree and tested.
(Resolution Date: 2019-05-17T19:12:21.109Z)
2019-05-23 Spaceman (Release Date: 2019-05-23)
With the disclosure of the MDS Intel vulnerability, bhyve should expose the MD_CLEAR capability so that guests can use it for mitigating data leakage across privilege domains.
To test this change, I booted up a vulnerable (Ivy Bridge) machine on the new PI (which also features the ucode that enables MD_CLEAR). I checked that a Linux bhyve guest reported having the md_clear feature in its /proc/cpuinfo.
After updating a Windows guest, I used the steps detailed at the end of this KB to check that it too detected the MDS vulnerability and MD_CLEAR availability:
https://support.microsoft.com/en-us/help/4072698/windows-server-speculative-execution-side-channel-vulnerabilities-prot
Install the PowerShell Module:

```powershell
PS> Install-Module SpeculationControl
```

Run the PowerShell module to verify that protections are enabled:

```powershell
PS> # Save the current execution policy so it can be reset
PS> $SaveExecutionPolicy = Get-ExecutionPolicy
PS> Set-ExecutionPolicy RemoteSigned -Scope Currentuser
PS> Import-Module SpeculationControl
PS> Get-SpeculationControlSettings
PS> # Reset the execution policy to the original state
PS> Set-ExecutionPolicy $SaveExecutionPolicy -Scope Currentuser
```
illumos-joyent commit 8bab6c89a8b6b113b13e1cca5a6dc469de70ef77 (branch master, by Patrick Mooney)
OS-7801 bhyve should expose MD_CLEAR capability
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Jerry Jelinek <jerry.jelinek@joyent.com>
Approved by: Jerry Jelinek <jerry.jelinek@joyent.com>
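
The Linux-guest check from the test notes above can be scripted so that it confirms every vCPU, not just the first, advertises `md_clear`. This is an added example, not part of the original issue or the bhyve change; the function names and the overridable path arguments are assumptions of the example, and the sysfs `vulnerabilities/mds` file is the Linux kernel's own status report for MDS.

```shell
#!/bin/sh
# Added example: confirm from inside a Linux guest that the hypervisor
# exposes MD_CLEAR on every vCPU. Function names are this example's own.

# md_clear_summary FILE
# Prints "<total> <missing>" for a cpuinfo-format FILE: the number of
# processors and how many of them do not list the md_clear flag.
md_clear_summary() {
    awk '
        /^processor[ \t]*:/ { total++ }
        /^flags[ \t]*:/ {
            seen++
            found = 0
            # Compare whole fields so a longer flag name cannot match.
            for (i = 3; i <= NF; i++) if ($i == "md_clear") found = 1
            if (!found) missing++
        }
        # A processor entry without a flags line also counts as missing.
        END { printf "%d %d\n", total + 0, (total - seen) + missing + 0 }
    ' "$1"
}

# check_md_clear [CPUINFO] [MDS_STATUS]
# Returns 0 if all vCPUs report md_clear, 1 if any do not, 2 on bad input.
check_md_clear() {
    cpuinfo=${1:-/proc/cpuinfo}
    mds=${2:-/sys/devices/system/cpu/vulnerabilities/mds}
    [ -r "$cpuinfo" ] || { echo "cannot read $cpuinfo" >&2; return 2; }

    summary=$(md_clear_summary "$cpuinfo")
    total=${summary% *}
    missing=${summary#* }

    # The kernel's own view of the mitigation, when the kernel provides it.
    if [ -r "$mds" ]; then
        echo "mds status: $(cat "$mds")"
    else
        echo "mds status: not reported by this kernel"
    fi

    if [ "$total" -eq 0 ]; then
        echo "no processor entries found in $cpuinfo" >&2
        return 2
    elif [ "$missing" -gt 0 ]; then
        echo "FAIL: $missing of $total vCPUs do not report md_clear"
        return 1
    fi
    echo "OK: all $total vCPUs report md_clear"
}
```

Source the file in the guest and run `check_md_clear`; pass saved copies of the two files as arguments to compare guests before and after the platform update.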