FYI: Spectre and Qemu/KVM

[Sascha Lucas]

Hi,

for those, who are not fully aware of the current solution to mitigate
Spectre: According to[1] you have to pass the spec-ctrl cpu feature flag
explicitly to the qemu command line. This can be accomplished with the KVM
hypervisor parameter cpu_type:

gnt-cluster modify -H kvm:cpu_type='qemu64\,+spec-ctrl'

In order to take effect, you have to restart all instances via Ganeti (not
from inside the VM). And, of course, your nodes need actual microcode :-).

Thanks, Sascha.

[1] https://www.qemu.org/2018/02/14/qemu-2-11-1-and-spectre-update/

[Ansgar Jazdzewski]

Nice work, thanks

Ansgar

[micah anderson]

Hi,

Sascha Lucas <sascha...@gisa.de> writes:

> Hi,
>
> for those, who are not fully aware of the current solution to mitigate
> Spectre: According to[1] you have to pass the spec-ctrl cpu feature flag
> explicitly to the qemu command line. This can be accomplished with the KVM
> hypervisor parameter cpu_type:
>
> gnt-cluster modify -H kvm:cpu_type='qemu64\,+spec-ctrl'
>
> In order to take effect, you have to restart all instances via Ganeti (not
> from inside the VM). And, of course, your nodes need actual microcode :-).

Is there something like the 'pcid' flag for qemu? On a 'real' CPU, if
you have that flag on the CPU, then the spectre mitigations can be a lot
less costly.

Thanks!

--
micah

[Sascha Lucas]

Hi Micah,

on Mon, 14 May 2018 22:04:03 +0200 micah anderson wrote:

> Is there something like the 'pcid' flag for qemu? On a 'real' CPU, if
> you have that flag on the CPU, then the spectre mitigations can be a lot
> less costly.

I think PCID/INVPCID is supported, but not with the qemu64 cpu model. You
have to use an IBRS-cpu-variant supporting PCID/INVPCID, i.e.

cpu_type=Haswell-IBRS

This implies the +spec-ctrl flag. See also "qemu-system-x86_64 -cpu ?".

Thanks, Sascha.

[sascha...@web.de]

Hi *,

just a follow up on this topic:
* one can test for mitigations with [1]
* with current ubuntu 16.04 the node side seems fine (I assume the same for
currently patched debian-9)
* the instance side (Qemu/KVM) is a bit worse:

According to [2] there are some pitfalls:
* the ancient and default CPU model qemu64 might mislead a guest kernel, to
think that no mitigations are needed
* the pcid feature is only enabled on Haswell an newer (for older CPUs it
must be turned on explicitly)
* the ssbd feature (Variant 4) is disabled on all cpu types

The oldest CPU in my cluster is ivy-bridge. So I run:

gnt-cluster modify -H kvm:cpu_type='IvyBridge-IBRS\,+pcid\,+ssbd'

Thanks, Sascha.

[1] https://github.com/speed47/spectre-meltdown-checker
[2] https://www.berrange.com/posts/2018/06/29/cpu-model-configuration-for-qemu-kvm-on-x86-hosts/

[sascha...@web.de]

am Di, 09 Okt 2018 11:26:57 +0200 schrieb sascha...@web.de:

> The oldest CPU in my cluster is ivy-bridge. So I run:
>
> gnt-cluster modify -H kvm:cpu_type='IvyBridge-IBRS\,+pcid\,+ssbd'

there is a simple command (cpu feature "check"), where one can test, whether
the whole cluster supports a certain cpu model/flag:

gnt-cluster command 'qemu-system-x86_64 -cpu Haswell-IBRS,+pcid,+ssbd,check -machine accel=kvm -nodefaults -kernel /dev/null 2>&1 | grep -v "could not load kernel"'

The output will identify my ivy-bridge node an reports, that some cpu
features compared to haswell are missing:

node: ivy.domain.tld
warning: host doesn't support requested feature: CPUID.01H:ECX.fma [bit 12]
warning: host doesn't support requested feature: CPUID.01H:ECX.movbe [bit 22]
warning: host doesn't support requested feature: CPUID.07H:EBX.bmi1 [bit 3]
warning: host doesn't support requested feature: CPUID.07H:EBX.hle [bit 4]
warning: host doesn't support requested feature: CPUID.07H:EBX.avx2 [bit 5]
warning: host doesn't support requested feature: CPUID.07H:EBX.bmi2 [bit 8]
warning: host doesn't support requested feature: CPUID.07H:EBX.invpcid [bit 10]
warning: host doesn't support requested feature: CPUID.07H:EBX.rtm [bit 11]
warning: host doesn't support requested feature: CPUID.80000001H:ECX.abm [bit 5]

Thanks, Sascha.