Respond to Meltdown and Spectre

From Xen
Revision as of 11:52, 5 January 2018 by Dunlapg (General introduction)

This page is meant to collect practical advice about responding to XSA-254 (also known as the 'Meltdown' and 'Spectre' vulnerabilities).

General introduction

XSA-254 covers information-leak attacks against modern superscalar processors. There are three distinct 'variants', dubbed SP1, SP2, and SP3. SP3 is also known as 'Meltdown' and only affects Intel processors. SP1 and SP2 are known as 'Spectre' and affect all modern superscalar processors (including ARM, AMD, and Intel).

SP1 and SP2 are difficult to exploit. SP3 is trivially easy to exploit.

There are two factors to consider when securing a system against these:

  • Protecting Xen against untrusted guests
  • Protecting guest kernels against guest userspace

Only Intel processors are impacted by SP3. On Intel processors, only 64-bit PV mode guests can attack Xen. Guests running in 32-bit PV mode, HVM mode, and PVH mode cannot attack the hypervisor using SP3. However, in 32-bit PV mode, HVM mode, and PVH mode, guest userspaces can attack guest kernels using SP3; so updating guest kernels is advisable.

Guest kernels running in 64-bit PV mode are not vulnerable to attack using SP3, because 64-bit PV guests already run in a KPTI-like mode.

Concrete actions

Migrate all untrusted VMs to run in HVM or PVH mode

Most modern kernels can run in either PV or HVM mode. There may be other practical changes needed to convert a PV image into an HVM image; specific examples are listed below.

If you have a PVH-capable hypervisor (Xen 4.10) and a PVH-capable kernel (Linux 4.11), then booting in PVH mode should require the fewest changes.
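As an added illustration of the migration described above (not taken from the Xen wiki page itself), here is a constructed xl guest configuration in the 64-bit PV mode that can attack the hypervisor via SP3, followed by the same guest re-declared as PVH. The domain name, disk path, bridge name and kernel paths are made-up placeholders, and the PVH variant assumes direct kernel boot (kernel/ramdisk taken from dom0 rather than via pygrub), which also avoids depending on a /boot partition inside the image.

```ini
# --- Before: 64-bit PV guest (constructed example) ---
# With xl, omitting 'type' (or the older 'builder') means PV.
# A 64-bit PV guest on an Intel CPU can use SP3 against Xen.
type       = "pv"
name       = "untrusted-guest"
memory     = 2048
vcpus      = 2
disk       = [ 'phy:/dev/vg0/untrusted-guest,xvda,w' ]
vif        = [ 'bridge=xenbr0' ]
bootloader = "pygrub"          # boots the kernel found in the guest's /boot

# --- After: same guest as PVH (needs Xen 4.10 and a Linux 4.11+ kernel) ---
# PVH guests cannot use SP3 against the hypervisor. Direct kernel boot is
# assumed here: kernel and initrd are supplied from dom0, so the guest image
# does not need a bootable /boot or an MBR.
type     = "pvh"
name     = "untrusted-guest"
memory   = 2048
vcpus    = 2
disk     = [ 'phy:/dev/vg0/untrusted-guest,xvda,w' ]
vif      = [ 'bridge=xenbr0' ]
kernel   = "/var/lib/xen/kernels/untrusted-guest/vmlinuz"   # placeholder path
ramdisk  = "/var/lib/xen/kernels/untrusted-guest/initrd.img" # placeholder path
extra    = "root=/dev/xvda1 ro console=hvc0"                 # PVH still uses the Xen PV console
```

The guest kernel still needs its own SP3 (KPTI) update: moving to PVH protects Xen from the guest, not the guest kernel from its userspace.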

Another option that will be available soon is "PV Shim" mode. In this mode, a PV guest boots inside a PVH container, with a "shim" hypervisor providing a binary-compatible PV interface. Patches implementing this should be available for Xen versions 4.10, 4.9, and 4.8 in the near future.

Apply all updates to domU kernels as soon as possible

Updates protecting Windows from SP3 are already available. Updates to Linux should be coming through your distribution channels soon.

Minimize dom0's vulnerability to attack

Currently it is only possible to run domain 0 in PV mode. In this mode, the hypervisor can be attacked on Intel processors using SP3, even from user mode.

However, an attacker that can run arbitrary code in domain 0 already has a number of other ways to gain control of the hypervisor. So it is always best practice to minimize the number of services running in domain 0, to reduce the attack surface.

Be ready to apply SP2 patches when they become available

Patches to mitigate SP2 will be available for Xen in the near future. Be ready to apply these once they are available.

Guest kernels should have patches for SP2 available in the near future as well. Be looking

Technical issues upgrading from PV to PVH

Non-partitioned disks

Partitioned disks without an MBR or suitable /boot

Switching from a PV console to an HVM console