补丁对应的问题背景
Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to cross the syscall and guest/host boundaries and read privileged memory by conducting targeted cache side-channel attacks.
Variant CVE-2017-5754 relies on the fact that, on impacted microprocessors, during speculative execution of instruction permission faults, exception generation triggered by a faulting access is suppressed until the retirement of the whole instruction block.
检测脚本
https://access.redhat.com/labs/speculativeexecution/
打补丁对系统的影响
影响系统性能
Red Hat has made updated kernels available to address these security vulnerabilities. These patches are enabled by default because Red Hat prioritizes out of the box security. Speculative execution is a performance optimization technique which these updates change (both kernel and microcode) and may result in workload-specific performance degradation.
如何禁用
CentOS8禁用
1.解决方案
Is there kernel parameter to control the optional mitigations for CPU vulnerabilities that is architecture independent?
文章提到,到了CentOS8.2后增加了一个叫mitigations的字段
8.1 release and 8.2 release
2.检查内核版本是否支持
# 以4.18.0-240为例
rpm -q --changelog kernel-4.18.0-240.el8.x86_64 | grep mitigations=
# 结果,说明支持这个选型
- [arm64] arm64/speculation: Support 'mitigations=' cmdline option (Jeremy Linton) [1640855]
- [x86] x86/speculation/mds: Add 'mitigations=' support for MDS (Waiman Long) [1713695 1690360 1690351 1690338] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
- [s390] s390/speculation: Support 'mitigations=' cmdline option (Waiman Long) [1713695 1690360 1690351 1690338] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
- [powerpc] powerpc/speculation: Support 'mitigations=' cmdline option (Waiman Long) [1713695 1690360 1690351 1690338] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
- [mm] x86/speculation: Support 'mitigations=' cmdline option (Waiman Long) [1713695 1690360 1690351 1690338] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
- [kernel] cpu/speculation: Add 'mitigations=' cmdline option (Waiman Long) [1713695 1690360 1690351 1690338] {CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091}
3.设置
sudo vim /etc/default/grub
# 在GRUB_CMDLINE_LINUX=增加
mitigations=off
# 生产文件
sudo grub2-mkconfig -o /boot/grub2/grub.cfg
# 重启系统生效
sudo systemctl reboot
4.验证是否生效
cat /sys/devices/system/cpu/vulnerabilities/meltdown
cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
默认(未修改前)
修改后
vulnerable代表没有打补丁,容易受攻击
5.没有生效的问题
部分IntelCPU因为硬件上已经解决了该问题,因此我们打mitigations=off并没有出现预期的vulnerable,详细情况请参考Inter官网
Affected Processors: Transient Execution Attacks & Related Security Issues by CPU