Mitigations for CPU vulnerabilities - dcasota/photonos-scripts GitHub Wiki

Since CPU security disasters the last few years, it is well-known that most CPU products are vulnerable to design flaws. The safest possible settings for security on CPUs is providing actual microcode/ucode updates. However the OS kernel developers do not preset the safest mitigations by default. This OS hardening aspect remains an admin duty.

With each newer kernel version developers added boot parameters covering specific mitigations control, see full documentation on Kernel parameters.

On Photon OS they are added to systemd cmdline in /boot/grub/grub.cfg.

Here a short overview of safer parameters to be fully mitigated but with less performance.

mitigations=auto,nosmt (Equivalent to: l1tf=flush,nosmt mds=full,nosmt tsx_async_abort=full,nosmt)
spectre_v2=auto
spectre_v2_user=auto
spec_store_bypass_disable=on
pti=auto

The set has been tested on Photon OS 4.0 on an exposed Azure CPU Intel(R) Xeon(R) Platinum 8171M CPU @ 2.60GHz. lscpu is used as information source about CPU vulnerabilities.

Architecture:                    x86_64
CPU op-mode(s):                  32-bit, 64-bit
Byte Order:                      Little Endian
Address sizes:                   46 bits physical, 48 bits virtual
CPU(s):                          1
On-line CPU(s) list:             0
Thread(s) per core:              1
Core(s) per socket:              1
Socket(s):                       1
NUMA node(s):                    1
Vendor ID:                       GenuineIntel
CPU family:                      6
Model:                           85
Model name:                      Intel(R) Xeon(R) Platinum 8171M CPU @ 2.60GHz
Stepping:                        4
CPU MHz:                         2095.080
BogoMIPS:                        4190.16
Hypervisor vendor:               Microsoft
Virtualization type:             full
L1d cache:                       32 KiB
L1i cache:                       32 KiB
L2 cache:                        1 MiB
L3 cache:                        35.8 MiB
NUMA node0 CPU(s):               0
Vulnerability Itlb multihit:     KVM: Mitigation: VMX unsupported
Vulnerability L1tf:              Mitigation; PTE Inversion
Vulnerability Mds:               Mitigation; Clear CPU buffers; SMT Host state unknown
Vulnerability Meltdown:          Mitigation; PTI
Vulnerability Spec store bypass: Vulnerable
Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:        Mitigation; Full generic retpoline, STIBP disabled, RSB filling
Vulnerability Srbds:             Not affected
Vulnerability Tsx async abort:   Mitigation; Clear CPU buffers; SMT Host state unknown
Flags:                           fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4
                                 _1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch invpcid_single pti fsgsbase bmi1 hle avx2 smep bmi2 erms invpcid rtm mpx avx512f avx512dq rdseed adx smap clflushopt avx512cd
                                  avx512bw avx512vl xsaveopt xsavec xsaves md_clear

Let's add the security parameters, and reboot.

cp /boot/grub/grub.cfg /boot/grub/grub.org
sed "s/linux \/boot\/\$photon_linux root=\$rootpartition init=\/lib\/systemd\/systemd loglevel=3 ro console=tty1 console=ttyS0,115200n8 earlyprintk=ttyS0,115200 fsck.repair=yes rootdelay=300/linux \/boot\/\$photon_linux root=\$rootpartition init=\/lib\/systemd\/systemd loglevel=3 ro console=ttyS0,115200n8 console=tty1 console=ttyS0 earlyprintk=ttyS0 fsck.repair=yes rootdelay=300 mitigations=auto,nosmt spectre_v2=auto spectre_v2_user=auto pti=auto/" /boot/grub/grub.org > /boot/grub/grub.cfg

The lscpuoutput shows no difference.

[...]
Vulnerability Itlb multihit:     KVM: Mitigation: VMX unsupported
Vulnerability L1tf:              Mitigation; PTE Inversion
Vulnerability Mds:               Mitigation; Clear CPU buffers; SMT Host state unknown
Vulnerability Meltdown:          Mitigation; PTI
Vulnerability Spec store bypass: Vulnerable
Vulnerability Spectre v1:        Mitigation; usercopy/swapgs barriers and __user pointer sanitization
Vulnerability Spectre v2:        Mitigation; Full generic retpoline, STIBP disabled, RSB filling
Vulnerability Srbds:             Not affected
Vulnerability Tsx async abort:   Mitigation; Clear CPU buffers; SMT Host state unknown

Let's switch all security parameters to off. Now each vulnerability status has been refreshed.

[...]
Vulnerability Itlb multihit:     KVM: Mitigation: VMX unsupported
Vulnerability L1tf:              Mitigation; PTE Inversion
Vulnerability Mds:               Vulnerable; SMT Host state unknown
Vulnerability Meltdown:          Vulnerable
Vulnerability Spec store bypass: Vulnerable
Vulnerability Spectre v1:        Vulnerable: __user pointer sanitization and usercopy barriers only; no swapgs barriers
Vulnerability Spectre v2:        Vulnerable, STIBP: disabled
Vulnerability Srbds:             Not affected
Vulnerability Tsx async abort:   Vulnerable

The vulnerability 'Spec store bypass' hasn't changed. Let's double check.

cat /proc/self/status | grep "vulnerable"
Speculation_Store_Bypass:       vulnerable

Tested with the additional security parameters spec_store_bypass_disable=on but no luck. This security parameter seems to have actually no impact.

The tests on Photon OS 4.0 on an Intel CPU clearly show that all known mitigations of CPU vulnerabilities are implemented with safe preset so that there is no hardening necessary from users' side. The control of the mitigation spec_store_bypass_disable doesn't seem to work correctly and should be adressed.