Hi,
Notifications have just been sent out letting you know the hour long
maintenance window during which the host that your VPS is on will be
rebooted for security patches.
If you have not received the notification please check your spam
folders etc. and if still having no luck please contact
support(a)bitfolk.com.
Apologies for the short notice of this, but now that I feel I have a
reasonable plan covering a large part of the problem space, it is
best to get this done as soon as possible.
I've deliberately left most of the technical detail out of the
reboot notification. The technical details are overwhelming. If you
aren't a particularly technical person then my advice would be:
- Make sure you are running a security-supported release of your
chosen Linux distribution and that you keep it up to date. Between
them and us you should eventually get to safety, just bear in mind
that this is an evolving situation and not many Linux vendors are
willing to push out the latest fixes without extensive testing.
For those who really want them, here are some more technical details.
The newly-deployed hypervisor will:
- support Page Table Isolation, similar to the Linux kernel's KPTI,
to protect against Meltdown.
This feature will protect BitFolk's hypervisor from Meltdown
attacks from all customers.
At the moment all BitFolk VPSes are paravirtual (PV) guests. For
64-bit VPSes, this Xen-level PTI also protects against Meltdown
attacks from within their own kernel or user space. Thus, although
your kernel will report that KPTI is disabled, you will be
protected by Xen's PTI.
It is thought that 32-bit Xen PV guests could still use Meltdown
on themselves; protecting against this requires use of the KPTI
feature inside the Linux kernel. As far as I am aware 32-bit KPTI
is lagging behind the 64-bit version so those with 32-bit VPSes
may wish to consider switching to a 64-bit kernel or upgrading to
a new VPS, if they can't wait.
- be compiled with gcc's new retpoline feature, which prevents CPUs
from doing insecure branch prediction, therefore protecting you
against variant 2 of Spectre.
This is a complete protection for BitFolk's hypervisor against
Spectre variant 2 attacks from guest kernels. It will not protect
guests from attacks from inside their own VPS. For this you will
need to make sure that your own kernel is compiled with retpoline
support, with a compiler that understands the feature.
I am not aware of the situation in other distributions but as I
type this, Debian has already pushed out a version of gcc that has
the retpoline feature to its stable ("stretch") and oldstable
("jessie") releases. A binary kernel package built with it is not
yet available except in unstable, though.
- have working PVH mode support.
This is another way to run Xen virtual machines. It's
faster/simpler than the PV mode that we currently use, it's also
more secure, and it doesn't require use of qemu like HVM does.
IIRC qemu is about 1.2 million lines of code, many times larger
than Xen itself, and I've always been uncomfortable about it.
Converting you all to PVH mode would provide the best protection
against Meltdown and it would actually be more performant than PV
mode, but sadly it requires some fixes in the guest kernel and in the
bootloader that have only just gone in (like, late 4.14 kernel,
early 4.15). We can't convert people to that mode until Linux
distributions are shipping with new enough kernels, but it will be
useful to have it available for early testing.
- A couple of other unrelated security patches which will come out
of embargo later.
What's yet to come:
- Any sort of mitigation for variant 1 of Spectre.
People are still working on it, both in the Linux kernel, in Xen,
and in other software. It's possible that fixes may only come in
the Linux kernel rather than in Xen.
- Updated Intel microcode.
Intel released some updated microcode which features new CPU
instructions to help avoid these problems, and/or reduce the
performance impact of the techniques used. Shortly after release
amid many reports of system instability they withdrew the update
again, and are not currently recommending its use except for
development purposes.
So, we're still waiting for a stable release of that, and at the
moment it's looking like decent fixes can be done in software so
the urgency of a reboot just for this microcode update is low and
I am inclined to roll it in with the next maintenance. That could
change though.
After the maintenance, what you need to think about:
- If you're 32-bit you need to make a decision about Meltdown,
whether you will wait for a 32-bit kernel fix or look at going to
64-bit by some means.
- The retpoline-compiled hypervisor only protects BitFolk from you. To
protect your own VPS against Spectre variant 2 attacks coming from
within itself (like if it was tricked into running something
malicious) you need a kernel that is compiled with retpoline
support.
These are pretty new, but they are out there. Debian pushed out a
version of gcc with retpoline support to its stable ("stretch")
and oldstable ("jessie") releases recently, but as I write this
the only way to get a binary kernel package that was compiled with
it is to use linux-image-amd64 from the unstable repository.
Presumably that is going to filter through to stable etc in due
course. Until then, you could use the package from unstable, or
use the new gcc package to rebuild a kernel package…
- If you are compiling C/C++ software, do you need to be doing it
with a retpoline-aware compiler?
- Look out for Spectre variant 1 fixes - they may be in your
applications and/or kernel too. Although we can expect more
hypervisor changes, after this (and the microcode) I expect the
bulk of it to be in the kernels and applications.
Solutions that are not being pursued:
- Xen have some other mitigation options. They involve running PV
guests inside either a PVH or HVM container. I've investigated
these and they're just too complicated, they remove some useful
functionality, and they still have performance implications about
the same as XPTI.
Longer term I'd like to be moving guests to PVH mode, and perhaps
optionally HVM. That can't happen in a production capacity until a
person can install a stable release of their favourite Linux and
not have to know what PVH mode is, though.
Regarding <https://github.com/speed47/spectre-meltdown-checker>:
- It will always report that you are running under Xen PV and are
vulnerable to Meltdown. It doesn't do any actual proof of concept
exploit, it just detects PV mode and gives up. Once the new
hypervisor has been deployed 64-bit guests will be protected by
its PTI feature. As mentioned, 32-bit guests will still need to
get PTI from their kernel.
- Its reporting of Spectre variant 2 is accurate, so once you're
running a retpoline-compiled kernel it will detect that.
- Its reporting of microcode and new CPU instructions is, as far as I am
aware, accurate. It is my understanding that once there is new
microcode, guests will see it and be able to use these
instructions. This could change though.
That's all I can think of right now. I appreciate this is a lot to
take in. If you have any questions please ask on or off the list.
Once I get a sense of what is unclear I can perhaps make a wiki
page that helps make things clearer.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
announce mailing list
announce(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/announce