Announcement

Collapse
No announcement yet.

KVM Virtualization Adds Protections For Spectre-V1/L1TF Combination Attack

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • KVM Virtualization Adds Protections For Spectre-V1/L1TF Combination Attack

    Phoronix: KVM Virtualization Adds Protections For Spectre-V1/L1TF Combination Attack

    Following the Xen hypervisor in mitigating against a possible Spectre Variant One and L1 Terminal Fault combination attack, the Kernel-based Virtual Machine (KVM) has added its own protections with the Linux 5.6 kernel on top of all the other mitigations they've had to endure as a result of CPU vulnerabilities over the past two years...

    http://www.phoronix.com/scan.php?pag...-V1-L1TF-Combo

  • #2
    In my home network, how likely is it that I will fall for Spectre attacks if I have one of the following:

    Desktop: AMD Kaveri A8-7600, Arch Linux
    Server: AMD Ryzen 3 2200G, Debian Unstable

    For my desktop and server, I keep both of them updated from time to time and I've never been hit with any attacks from the outside. Plus, I'm running pfSense 2.4.4 in a KVM virtual machine. For my desktop, I do have NoScript for Firefox and I really do not go to shady sites. I also use Enpass password manager with unique passwords, but I figured that has nothing to do with Spectre.

    Also, I have a couple of devices that are in a different subnet, especially Wemo Mr. Coffee Maker which belongs in my 172.20.10.x/24 subnet and my computer and smartphone is in 172.20.1.0/26.

    Should I really care about enabling Spectre mitigations in my desktop and server?

    Comment


    • #3
      Originally posted by GraysonPeddie View Post
      In my home network, how likely is it that I will fall for Spectre attacks if I have one of the following:

      Should I really care about enabling Spectre mitigations in my desktop and server?
      No, not if you're the only person using your desktop and server. These new KVM mitigations are for vulnerabilities that does not affect AMD. It's probably aimed at data centres and cloud providers with potentially hostile users that have root access to the virtual machines.

      Most popular software have been updated to make speculative attacks much more difficult. AFIAK it's mostly choosing algorithms that takes less time to execute (like ed25519) and increasing execution and time measurement latency in sandboxes like javascript interpreter in your web browser. It sucks that everyone is paying the price for a few companies that messed up and even worse that people are still buying brand new CPUs with known vulnerabilities or in the case of Raspberry Pi moving from CPUs that are not vulnerable (Pi 1-3) to CPUs that are vulnerable (Pi 4). Based on your hardware and software configurations, my guess is that you have less chances of getting hacked from Spectre attacks than any other attack.

      I really hope these mitigations in KVM is only applied to CPUs with these vulnerabilities. I'll probably have to read the code or ask Sean C. but probably won't do either.

      Comment


      • #4
        Thanks Jabberwocky. I do have KVM running in my server for virtual machines and I don't see myself needing any mitigations. I did add a kvmusers user and assign a libvirt group to that user and run VMs from there. I do have privileged Linux containers (LXC), although I don't stand a chance of having my Linux containers hacked since I keep security in mind when configuring services such as Postfix mail server and NextCloud in my server.

        Plus, I'm the only one in my network.
        Last edited by GraysonPeddie; 01-31-2020, 10:29 AM.

        Comment


        • #5
          Seriously Intel should compensate the Linux Kernel developers for all the extra work they've made them do for all these mitigations !!!

          Comment

          Working...
          X