How do I enable Meltdown/Spectre mitigations in my virtualised machines?


There are a number of steps that need to be performed and checked before guest machines can correctly detect the new CPU features and apply the Meltdown/Spectre mitigations.

  • Host needs to have updated kernel and CPU microcode
  • Host needs to have updated virtualization software
  • Hypervisor needs to propagate new CPU features correctly
  • Guest needs to have updated kernel

Examining each of these in more detail.


Host needs to have updated kernel and CPU microcode

CPU microcode

The kernel's mitigation for Spectre variant 2 (CVE-2017-5715, branch target injection) depends on new CPU features (IBRS/IBPB) that are only provided by updated microcode; without the microcode the updated kernel has nothing to enable.

Updated microcode/firmware must be obtained from your hardware vendor.

Why isn't Red Hat shipping updated microcode?

Whilst Red Hat currently ships microcode bundles (for x86 variants these are in the microcode_ctl and linux-firmware packages), the actual fixes can only come from the processor manufacturers, and we have no control over the timing or release order of these updates. To illustrate, the microcode_ctl package contains 90 different microcode variations for Intel CPUs alone; waiting until every variation is fixed before releasing would delay the whole release. Intel appears to have decided on multiple updates, focusing on the newest processors first. Hardware manufacturers are incorporating these into per-machine or per-family firmware updates, again typically focusing on more recent machines first.

Updated Host Kernel

On RHEL/RHEV this means updating the kernel packages as listed in the advisories of the "Resolve" tab of the main Meltdown/Spectre article.


Host needs to have updated virtualization software

On RHEL/RHEV this means updating the libvirt and qemu-kvm packages as listed in the advisories of the "Resolve" tab of the main Meltdown/Spectre article.


Hypervisor needs to propagate new CPU features correctly

For RHEL/KVM this entails choosing a guest CPU definition that exposes the new features to the guest. The updated qemu-kvm provides CPU models with an -IBRS suffix for Intel (for example Broadwell-IBRS) and -IBPB for AMD (EPYC-IBPB); alternatively, require the spec-ctrl (Intel) or ibpb (AMD) feature on the existing model, or use host-passthrough on a host whose own microcode has been updated. Note that a guest only picks up a new CPU definition when its qemu process is restarted: shut the guest down and start it again rather than rebooting from inside the guest. Inside the guest the features then appear as spec_ctrl or ibpb in /proc/cpuinfo.

For RHV please see the article How to patch my RHV environment for Meltdown and Spectre CVEs (CVE-2017-5754, CVE-2017-5753 and CVE-2017-5715)?

For VMware ESX please refer to the VMware article:

Hypervisor-Assisted Guest Mitigation for branch target injection


Guest needs to have updated kernel

On RHEL this means updating the kernel packages as listed in the advisories of the "Resolve" tab of the main Meltdown/Spectre article.
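The four steps above can be checked from the shell. The script below is an added example and not part of the Red Hat article: the sample /proc/cpuinfo text and libvirt domain XML at the bottom are constructed (the microcode revisions 0x1/0x2 and the guest name are made up), and the sysfs status check assumes a kernel recent enough to expose /sys/devices/system/cpu/vulnerabilities/.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article: one check per step above.
# Every function takes the text or directory to inspect as an argument, so it
# can be pointed at the live host or guest, or at the constructed samples below.

# Step 1 (host) and step 4 (guest): does a /proc/cpuinfo dump carry the CPU
# features the Spectre v2 mitigation needs? RHEL 7 kernels show them as
# "spec_ctrl" (Intel) and "ibpb" (AMD); newer upstream kernels as "ibrs"/"ibpb".
# They appear only after the microcode update and, in a guest, only when the
# hypervisor passes them through (step 3).
cpuinfo_has_spec_ctrl() {
    printf '%s\n' "$1" | grep '^flags' | grep -qwE 'spec_ctrl|ibrs|ibpb'
}

# Step 1: the microcode revision the host kernel is running (first CPU only).
# Compare it with the revision stated in your hardware vendor's update.
cpuinfo_microcode_rev() {
    printf '%s\n' "$1" | awk -F: '/^microcode/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Step 3: does a libvirt domain XML ("virsh dumpxml <guest>") select a CPU
# definition that exposes the new features? Accepts one of the -IBRS/-IBPB
# models the updated qemu-kvm provides, an explicitly required spec-ctrl/ibpb
# feature, or host-passthrough.
domxml_cpu_exposes_spec_ctrl() {
    printf '%s\n' "$1" | grep -qE \
        "<model[^>]*>[^<]*-(IBRS|IBPB)</model>|<feature policy='require' name='(spec-ctrl|ibpb)'|<cpu [^>]*mode='host-passthrough'"
}

# Steps 1 and 4: print the per-issue status files an updated kernel exposes
# under /sys/devices/system/cpu/vulnerabilities/ and return 0 only if none of
# them starts with "Vulnerable". Returns 2 if the directory has no such files
# (kernel too old to report).
vulns_all_mitigated() {
    dir=$1 rc=0 found=0
    [ -d "$dir" ] || return 2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        found=1
        line=$(cat "$f")
        printf '%-16s %s\n' "${f##*/}" "$line"
        case $line in
            Vulnerable*) rc=1 ;;
        esac
    done
    [ "$found" -eq 1 ] || return 2
    return $rc
}

# Constructed sample inputs (not captured from a real machine). The microcode
# revisions and the guest name are made up.
CPUINFO_OLD='processor : 0
vendor_id : GenuineIntel
microcode : 0x1
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm'
CPUINFO_NEW='processor : 0
vendor_id : GenuineIntel
microcode : 0x2
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm spec_ctrl'
DOMXML_OLD="<domain type='kvm'>
  <name>sample-guest</name>
  <cpu mode='custom' match='exact'>
    <model fallback='forbid'>Broadwell</model>
  </cpu>
</domain>"
DOMXML_IBRS=$(printf '%s\n' "$DOMXML_OLD" | sed 's/>Broadwell</>Broadwell-IBRS</')
DOMXML_FEATURE=$(printf '%s\n' "$DOMXML_OLD" | sed "s|</model>|</model><feature policy='require' name='spec-ctrl'/>|")

# Report one cpuinfo dump: $1 = label, $2 = cpuinfo text.
report_cpuinfo() {
    if cpuinfo_has_spec_ctrl "$2"; then state=present; else state=MISSING; fi
    printf '%s: microcode %s, spec_ctrl/ibrs/ibpb %s\n' "$1" "$(cpuinfo_microcode_rev "$2")" "$state"
}

# Demo on the constructed samples, then a live check where this is a Linux host or guest.
report_cpuinfo "sample before update" "$CPUINFO_OLD"
report_cpuinfo "sample after update" "$CPUINFO_NEW"
if [ -r /proc/cpuinfo ]; then
    report_cpuinfo "this machine" "$(cat /proc/cpuinfo)"
    vulns_all_mitigated /sys/devices/system/cpu/vulnerabilities || echo "status: not fully mitigated, or not reported by this kernel"
fi
```

Run it on the host first (microcode revision and flags), then inside each guest; for step 3 feed the output of `virsh dumpxml <guest>` to domxml_cpu_exposes_spec_ctrl. A guest whose host shows the flags but whose own /proc/cpuinfo does not either has a CPU model without them or has only been rebooted from inside rather than shut down and started again.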
