I updated my CentOS 7 system. Why is Meltdown/Spectre only partially mitigated?
Solution 1:
As noted in https://access.redhat.com/articles/3311301
CVE-2017-5715 (variant #2/Spectre) is an indirect branching poisoning attack that can lead to data leakage. This attack allows for a virtualized guest to read memory from the host system. This issue is corrected with microcode, along with kernel and virtualization updates to both guest and host virtualization software. This vulnerability requires both updated microcode and kernel patches. Variant #2 behavior is controlled by the ibrs and ibpb tunables (noibrs/ibrs_enabled and noibpb/ibpb_enabled), which work in conjunction with the microcode.
...
As noted, installing the microcode update for your hardware, if provided by the hardware vendor, is necessary to protect against variant 2. Please contact your hardware vendor for microcode updates.
It seems that you also need a BIOS update to enable the mitigations for CVE-2017-5715.
I read this elsewhere too earlier but can't find the reference right now.
Solution 2:
UPDATE: it seems the microcode updates released with OS updates are binary patches to the running microcode, rather than full-blown microcode replacements. In other words, they require a specific base ucode version in the BIOS/processor to be able to patch it. For this reason, on all machines I had at hand a BIOS/firmware update is required, and this very BIOS update already brings the patched microcode embedded. For reference, Dell just released the required firmware update for 14/13/12th generation PowerEdge servers, and the fix for 11th generation servers will be released by the end of the month.
TL;DR: the microcode updates seem very rushed. I think we must wait some days/weeks to fully understand/discover which processors/steppings/models/SKU will receive the correct update.
Long version: of three updated systems, a single one (the oldest) correctly loaded the new microcode and enabled the relevant mitigations:
- on a Ryzen box the loading failed with a "patch mismatch" error;
- on a Clarkdale (Core i5) laptop, no new microcode was loaded, yet the correct files are installed in /lib/firmware/;
- a very old PhenomII box correctly loaded the new microcode and enabled all appropriate mitigations.
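Both answers above come down to the same two checks: what the kernel itself reports about the ibrs/ibpb tunables and the vulnerability state, and whether the microcode revision actually changed after the update (as opposed to the files merely sitting in /lib/firmware/). The script below is an added example, not code from either answer or from Red Hat. It reads those sources on a live RHEL/CentOS 7 box and can also be run on plain text. Assumptions: the debugfs tunables live at /sys/kernel/debug/x86/{pti,ibrs,ibpb}_enabled (ibrs_enabled and ibpb_enabled are named in the Red Hat quote; pti_enabled is mine), the sysfs vulnerabilities directory exists only on kernels that export it, the dmesg patterns are my recollection of the Intel and AMD loader messages, and the sample cpuinfo and dmesg lines inside the block are constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example, not code from the answers above or from Red Hat.
# Reports what the kernel says about the Spectre/Meltdown state and
# whether a microcode update was actually applied, so "kernel patched"
# can be told apart from "microcode loaded". Paths follow RHEL/CentOS 7
# (assumption: the debugfs tunables live under /sys/kernel/debug/x86/).
# The parsers read text so they can be run on constructed input; the
# live report only touches files that exist and are readable.

# Classify one line of /sys/devices/system/cpu/vulnerabilities/<name>.
# Prints: mitigated | not-affected | vulnerable | unknown
vuln_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        Mitigation:*)    echo mitigated ;;
        Vulnerable*)     echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Interpret a RHEL 7 debugfs tunable value (pti_enabled, ibrs_enabled,
# ibpb_enabled): 0 is off, any non-zero value is some form of on. The
# exact meaning of 1 versus 2 is documented in the Red Hat article.
tunable_state() {
    case "$1" in
        0)      echo off ;;
        [1-9]*) echo on ;;
        *)      echo unknown ;;
    esac
}

# Microcode revision the running CPU reports: the value of the first
# "microcode" field in /proc/cpuinfo text read from stdin, e.g. 0x20.
ucode_rev_from_cpuinfo() {
    awk -F': *' '/^microcode/ { print $2; exit }'
}

# Summarise the microcode loader's dmesg lines read from stdin.
# Prints: mismatch | updated | none. Patterns are assumptions based on
# the Intel ("updated [early] to revision") and AMD ("new patch_level=")
# messages; a "patch mismatch" line is the AMD failure from the answer.
ucode_from_dmesg() {
    awk '
        /microcode:.*patch mismatch/                { mismatch = 1 }
        /microcode:.*updated( early)? to revision/  { updated = 1 }
        /microcode:.*new patch_level=/              { updated = 1 }
        END {
            if (mismatch)     print "mismatch"
            else if (updated) print "updated"
            else              print "none"
        }'
}

# Constructed sample input (not captured from a real machine): an Intel
# box whose loader applied the update, and an AMD box whose patch did
# not match the base microcode already in the processor.
SAMPLE_CPUINFO='processor : 0
microcode : 0x20
processor : 1
microcode : 0x20'
SAMPLE_DMESG_OK='[    0.000000] microcode: updated early to revision 0x20, date = 2018-01-21'
SAMPLE_DMESG_BAD='[    1.234567] microcode: CPU0: patch mismatch'

demo() {
    printf 'sample cpuinfo revision: %s\n' "$(printf '%s\n' "$SAMPLE_CPUINFO" | ucode_rev_from_cpuinfo)"
    printf 'sample dmesg (intel):    %s\n' "$(printf '%s\n' "$SAMPLE_DMESG_OK" | ucode_from_dmesg)"
    printf 'sample dmesg (amd):      %s\n' "$(printf '%s\n' "$SAMPLE_DMESG_BAD" | ucode_from_dmesg)"
}

# Live report for this machine; each source is read only if present.
report() {
    if [ -d /sys/devices/system/cpu/vulnerabilities ]; then
        for f in /sys/devices/system/cpu/vulnerabilities/*; do
            [ -r "$f" ] || continue
            line=$(cat "$f")
            printf '%-12s %-12s %s\n' "${f##*/}" "$(vuln_status "$line")" "$line"
        done
    fi
    for t in pti ibrs ibpb; do
        f=/sys/kernel/debug/x86/${t}_enabled
        if [ -r "$f" ]; then
            v=$(cat "$f")
            printf '%s_enabled=%s (%s)\n' "$t" "$v" "$(tunable_state "$v")"
        fi
    done
    if [ -r /proc/cpuinfo ]; then
        printf 'cpuinfo microcode revision: %s\n' "$(ucode_rev_from_cpuinfo < /proc/cpuinfo)"
    fi
    printf 'dmesg microcode loader:     %s\n' "$(dmesg 2>/dev/null | ucode_from_dmesg)"
    return 0
}

demo
report
```

Run it as root so the debugfs tunables are readable (mount debugfs first if /sys/kernel/debug is empty). A box that shows ibrs_enabled=0 with the vulnerabilities file still reporting Vulnerable, or a cpuinfo revision that did not move after the update, is in exactly the state described above: the kernel side is in place but the microcode never took, and a vendor BIOS/firmware update is the next step.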
Solution 3:
I've been using the Spectre Meltdown Checker script to get a quick accounting of my physical and virtual systems' status since I'm dealing with a lot of kernel and platform variants.
See: https://github.com/speed47/spectre-meltdown-checker
The output is showing that a BIOS update is needed on hypervisor hosts and bare-metal servers. This is a vendor issue for the systems I deal with. I wouldn't rely on the microcode patches from RHEL/CentOS.