|
| 1 | +====================================================================== |
| 2 | +Mitigation for MDS ("Microarchitectural Data Sampling") Security Flaws |
| 3 | +====================================================================== |
| 4 | + |
| 5 | +Issue |
| 6 | +~~~~~ |
| 7 | + |
| 8 | +In May 2019, four new microprocessor flaws, known as `MDS |
| 9 | +<https://access.redhat.com/security/vulnerabilities/mds>`_ , have been |
| 10 | +discovered. These flaws affect unpatched Nova compute nodes and |
| 11 | +instances running on Intel x86_64 CPUs. (The said MDS security flaws |
| 12 | +are also referred to as `RIDL and Fallout <https://mdsattacks.com/>`_ or |
| 13 | +`ZombieLoad <https://zombieloadattack.com>`_). |
| 14 | + |
| 15 | + |
| 16 | +Resolution |
| 17 | +~~~~~~~~~~ |
| 18 | + |
| 19 | +To get mitigation for the said MDS security flaws, a new CPU flag, |
| 20 | +`md-clear`, needs to be exposed to the Nova instances. It can be done |
| 21 | +as follows. |
| 22 | + |
| 23 | +(1) Update the following components to the versions from your Linux |
| 24 | + distribution that have fixes for the MDS flaws, on all compute nodes |
| 25 | + with Intel x86_64 CPUs: |
| 26 | + |
| 27 | + - microcode_ctl |
| 28 | + - kernel |
| 29 | + - qemu-system-x86 |
| 30 | + - libvirt |
| 31 | + |
| 32 | +(2) When using the libvirt driver, ensure that the CPU flag ``md-clear`` |
| 33 | + is exposed to the Nova instances. It can be done so in one of the |
| 34 | + three following ways, given that Nova supports three distinct CPU |
| 35 | + modes: |
| 36 | + |
| 37 | + a. ``[libvirt]/cpu_mode = host-model`` |
| 38 | + |
| 39 | + When using ``host-model`` CPU mode, the ``md-clear`` CPU flag |
| 40 | + will be passed through to the Nova guests automatically. |
| 41 | + |
| 42 | + This mode is the default, when ``virt_type=kvm|qemu`` is |
| 43 | + set in ``/etc/nova/nova-cpu.conf`` on compute nodes. |
| 44 | + |
| 45 | + b. ``[libvirt]/cpu_mode = host-passthrough`` |
| 46 | + |
| 47 | + When using ``host-passthrough`` CPU mode, the ``md-clear`` CPU |
| 48 | + flag will be passed through to the Nova guests automatically. |
| 49 | + |
| 50 | + c. A specific custom CPU model — this can be enabled using the |
| 51 | + Nova config attributes: ``[libvirt]/cpu_mode = custom`` plus a |
| 52 | + particular named CPU model, e.g. ``[libvirt]/cpu_model = |
| 53 | + IvyBridge`` |
| 54 | + |
| 55 | + (The list of all valid named CPU models that are supported by |
| 56 | + your host, QEMU, and libvirt can be found by running the |
| 57 | + command ``virsh domcapabilities``.) |
| 58 | + |
| 59 | + When using a custom CPU mode, you must *explicitly* enable the |
| 60 | + CPU flag ``md-clear`` to the Nova instances, in addition to the |
| 61 | + flags required for previous vulnerabilities, using the |
| 62 | + ``cpu_model_extra_flags``. E.g.:: |
| 63 | + |
| 64 | + [libvirt] |
| 65 | + cpu_mode = custom |
| 66 | + cpu_model = IvyBridge |
| 67 | + cpu_model_extra_flags = spec-ctrl,ssbd,md-clear |
| 68 | + |
| 69 | +(3) Reboot the compute node for the fixes to take effect. (To minimize |
| 70 | + workload downtime, you may wish to live migrate all guests to |
| 71 | + another compute node first.) |
| 72 | + |
| 73 | +Once the above steps have been taken on every vulnerable compute |
| 74 | +node in the deployment, each running guest in the cluster must be |
| 75 | +fully powered down, and cold-booted (i.e. an explicit stop followed |
| 76 | +by a start), in order to activate the new CPU model. This can be done |
| 77 | +by the guest administrators at a time of their choosing. |
| 78 | + |
| 79 | + |
| 80 | +Validate that the fixes are in effect |
| 81 | +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 82 | + |
| 83 | +After applying relevant updates, administrators can check the kernel's |
| 84 | +"sysfs" interface to see what mitigation is in place, by running the |
| 85 | +following command (on the host):: |
| 86 | + |
| 87 | + # cat /sys/devices/system/cpu/vulnerabilities/mds |
| 88 | + Mitigation: Clear CPU buffers; SMT vulnerable |
| 89 | + |
| 90 | +To unpack the message "Mitigation: Clear CPU buffers; SMT vulnerable": |
| 91 | + |
| 92 | + - The ``Mitigation: Clear CPU buffers`` bit means, you have the "CPU |
| 93 | + buffer clearing" mitigation enabled (which is mechanism to invoke a |
| 94 | + flush of various exploitable CPU buffers by invoking a CPU |
| 95 | + instruction called "VERW"). |
| 96 | + |
| 97 | + - The ``SMT vulnerable`` bit means, depending on your workload, you may |
| 98 | + still be vulnerable to SMT-related problems. You need to evaluate |
| 99 | + whether your workloads need SMT (also called "Hyper-Threading") to |
| 100 | + be disabled or not. Refer to the guidance from your Linux |
| 101 | + distribution and processor vendor. |
| 102 | + |
| 103 | +To see the other possible values for the sysfs file, |
| 104 | +``/sys/devices/system/cpu/vulnerabilities/mds``, refer to the `MDS |
| 105 | +system information |
| 106 | +<https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html#mds-system-information>`_ |
| 107 | +section in Linux kernel's documentation for MDS. |
| 108 | + |
| 109 | +On the host, validate that KVM is capable of exposing the ``md-clear`` |
| 110 | +flag to guests:: |
| 111 | + |
| 112 | + # virsh domcapabilities kvm | grep md-clear |
| 113 | + <feature policy='require' name='md-clear'/> |
| 114 | + |
| 115 | +Also, refer to the 'Diagnosis' tab in this security notice document |
| 116 | +`here <https://access.redhat.com/security/vulnerabilities/mds>`_ |
| 117 | + |
| 118 | + |
| 119 | +Performance Impact |
| 120 | +~~~~~~~~~~~~~~~~~~ |
| 121 | + |
| 122 | +Refer to this section titled "Performance Impact and Disabling MDS" from |
| 123 | +the security notice document `here |
| 124 | +<https://access.redhat.com/security/vulnerabilities/mds>`_, under the |
| 125 | +'Resolve' tab. (Note that although the article referred to is from Red |
| 126 | +Hat, the findings and recommendations about performance impact apply |
| 127 | +for other distributions as well.) |
0 commit comments