Opened 5 years ago
Closed 3 years ago
#18690 closed enhancement (duplicate)
Feature flags for optimal mitigation of Meltdown and Spectre variants are not exposed to guests
Field | Value | Field | Value |
---|---|---|---|
Reported by: | kerframil | Owned by: | |
Component: | other | Version: | VirtualBox 6.0.8 |
Keywords: | meltdown spectre l1tf mds retpoline | Cc: | |
Guest type: | Windows | Host type: | Linux |
Description
In the course of hardening a Windows 10 guest, I found that Microsoft's Get-SpeculationControlSettings command, as provided by the SpeculationControl PowerShell module, reports CVE-2017-5715 as not being mitigated, owing to a lack of hardware support. Additionally, it reports CVE-2018-3639 as not having any hardware support. These are the lines from the report that indicate so:-

```
Speculation control settings for CVE-2017-5715 [branch target injection]
Hardware support for branch target injection mitigation is present: False
Windows OS support for branch target injection mitigation is disabled by absence of hardware support: True

Speculation control settings for CVE-2018-3639 [speculative store bypass]
Hardware support for speculative store bypass disable is present: False
```
My understanding is that Windows needs support for IBRS and/or IBPB to mitigate CVE-2017-5715, and that it needs support for SSBD to mitigate CVE-2018-3639. The host does have these features, however:-
```
$ egrep -o 'ibpb|ibrs|invpcid|pcid|ssbd|stibp' /proc/cpuinfo | sort -u
ibpb
ibrs
pcid
ssbd
stibp
```
I then booted a Linux guest and confirmed that none of the above five flags are shown as being supported in the guest context. Similarly, Mark Russinovich's CoreInfo utility reports some of the flags as missing in Windows.
This has additional implications. For example, PCID and/or INVPCID may be used to reduce the extent of the TLB flushing that is caused by mitigating CVE-2017-5754 (Meltdown). I understand that Windows requires both of these flags to be present before it will consider any such optimisation. In that case, while my host CPU doesn't have INVPCID support, that PCID isn't being exposed does not bode well.
Further, the absence of the flags pertaining to Branch Target Injection makes it impossible to enable retpoline support in Windows 10. The ability to use retpolines was introduced by the following update:-
https://support.microsoft.com/en-us/help/4482887/windows-10-update-kb4482887
Qemu/KVM can expose the appropriate flags by specifying -cpu host or by explicitly activating any flags known to be supported by the host (+pcid, +spec-ctrl, +ssbd, +stibp etc), with the guest OS reacting accordingly and being able to employ best-in-class mitigations, with the minimal possible impact upon performance.
In summary, would it be possible for VirtualBox to expose the relevant flags to a guest, and in such a way that it would benefit from them?
Change History (3)
comment:2 by , 4 years ago
The mitigation for the Spectre/Meltdown issues documented in CVE-2017-5715 can be passed through to VirtualBox guests using VBoxManage:
VBoxManage modifyvm <VM name> --spec-ctrl on
This is documented in the VirtualBox manual:
https://www.virtualbox.org/manual/ch08.html
--spec-ctrl on|off: Enables and disables the exposure of speculation control interfaces to the guest, provided they are available on the host. Depending on the host CPU and workload, enabling speculation control may significantly reduce performance.
and is available in VirtualBox 5.2.32 and later, 6.0.0 and later, and 6.1.0 and later.
The changes required for passing through the Speculative Store Bypass (SSB) (CVE-2018-3639) mitigations to VirtualBox guests have not been implemented yet.
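The host-side flag check from the description and the VBoxManage command from comment 2, combined into one POSIX shell script. This is an added example written for this page, not code from the reporter or from VirtualBox. The VM name "win10", the function names and the sample cpuinfo text are assumptions made up for the example, and the mapping from CPU flags to mitigations (IBRS and/or IBPB for CVE-2017-5715, SSBD for CVE-2018-3639, PCID plus INVPCID for the Windows Meltdown TLB optimisation) follows the reporter's stated understanding rather than any VirtualBox documentation.

```sh
#!/bin/sh
# Added example for this ticket, not code from the reporter or from VirtualBox.
# Reads the flag list of a /proc/cpuinfo-style file, reports which of the
# speculation-control flags the ticket cares about are missing, and prints the
# VBoxManage command from comment 2 when the host has something to pass through.
# Flag-to-mitigation mapping follows the reporter's stated understanding:
#   CVE-2017-5715 (BTI) -> IBRS and/or IBPB
#   CVE-2018-3639 (SSB) -> SSBD
#   Windows Meltdown TLB optimisation -> PCID and INVPCID together
# The VM name "win10" and the sample cpuinfo text below are made up (assumptions).

# cpu_flags [file]: print the flag list of the first "flags" line; reads the
# given file, or stdin when no file is given.  The real /proc/cpuinfo separates
# the key with tabs; the pattern accepts tabs or spaces.
cpu_flags() {
    awk '/^flags[ \t]*:/ { sub(/^flags[ \t]*:[ \t]*/, ""); print; exit }' "${1:--}"
}

# has_flag "<flag list>" <flag>: succeed if <flag> is present as a whole word
# (so "pcid" does not match inside "invpcid").
has_flag() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# bti_hw_support "<flag list>": IBRS and/or IBPB present (CVE-2017-5715).
bti_hw_support() {
    has_flag "$1" ibrs || has_flag "$1" ibpb
}

# ssb_hw_support "<flag list>": SSBD present (CVE-2018-3639).
ssb_hw_support() {
    has_flag "$1" ssbd
}

# pcid_optimisation "<flag list>": both PCID and INVPCID present, the condition
# the reporter says Windows requires before it reduces Meltdown TLB flushing.
pcid_optimisation() {
    has_flag "$1" pcid && has_flag "$1" invpcid
}

# missing_flags "<flag list>": space-separated list of the flags of interest
# that the host does not advertise (empty line if none are missing).
missing_flags() {
    missing=""
    for f in ibpb ibrs stibp ssbd pcid invpcid; do
        has_flag "$1" "$f" || missing="$missing $f"
    done
    printf '%s\n' "${missing# }"
}

# vbox_spec_ctrl_cmd <vm> "<flag list>": the command from comment 2 when the
# host advertises the BTI interfaces, otherwise a comment saying why not.
# Comment 2 says SSBD pass-through is not implemented, so only the BTI flags
# are used to decide here.
vbox_spec_ctrl_cmd() {
    if bti_hw_support "$2"; then
        printf 'VBoxManage modifyvm "%s" --spec-ctrl on\n' "$1"
    else
        printf '# host advertises neither ibrs nor ibpb: nothing for --spec-ctrl to expose\n'
    fi
}

# Constructed sample mirroring the reporter's host: ibpb ibrs pcid ssbd stibp, no invpcid.
SAMPLE_CPUINFO='processor       : 0
vendor_id       : GenuineIntel
flags           : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush pcid sse sse2 ssse3 ssbd ibrs ibpb stibp
bugs            : cpu_meltdown spectre_v1 spectre_v2 spec_store_bypass'

# sample_flags: flag list of the constructed sample, for offline use.
sample_flags() {
    printf '%s\n' "$SAMPLE_CPUINFO" | cpu_flags
}

# report [file]: summary for the real host when its cpuinfo is readable,
# otherwise for the constructed sample.
report() {
    if [ -r "${1:-/proc/cpuinfo}" ]; then
        flags=$(cpu_flags "${1:-/proc/cpuinfo}"); src=${1:-/proc/cpuinfo}
    else
        flags=$(sample_flags); src="constructed sample"
    fi
    printf 'source:        %s\nmissing flags: %s\n' "$src" "$(missing_flags "$flags")"
    bti_hw_support "$flags"    && echo "BTI hardware mitigation available to pass through"
    ssb_hw_support "$flags"    && echo "SSBD present on host (no VirtualBox pass-through yet, per comment 2)"
    pcid_optimisation "$flags" || echo "PCID optimisation not possible (needs pcid and invpcid)"
    vbox_spec_ctrl_cmd win10 "$flags"
}

report "$@"
```

Run it with no arguments on the Linux host to check the real /proc/cpuinfo, or pass a saved cpuinfo file to examine another machine offline; on the sample it reports invpcid as the only missing flag, which matches the reporter's note that PCID alone will not buy the Windows TLB optimisation.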
comment:3 by , 3 years ago
Field | Change |
---|---|
Resolution: | → duplicate |
Status: | new → closed |
Closing as a duplicate of pre-existing ticket #17987.
Can't imagine why the vbox devs have been ignoring this for so long. It was implemented in qemu/libvirt within the first weeks after the CPU firmware was updated.