[Whonix-devel] [Oracle VM VirtualBox] #17987: VirtualBox 5.2.18 vulnerable to spectre/meltdown despite microcode being installed
Oracle VM VirtualBox
trac at virtualbox.org
Thu Sep 13 15:30:39 CEST 2018
#17987: VirtualBox 5.2.18 vulnerable to spectre/meltdown despite microcode being installed
-----------------------+----------------------------------------------------
Reporter: adrelanos | Type: defect
Status: new | Priority: major
Component: other | Version: VirtualBox 5.2.18
Keywords: | Guest type: Linux
Host type: Linux |
-----------------------+----------------------------------------------------
'''How to reproduce:'''
A host running Debian stretch.
Using VirtualBox version 5.2.18.
A guest running Debian stretch.
Host using stretch-backports to get access to newer microcode. (Old
versions are incapable of showing spectre/meltdown as fixed.)
spectre-meltdown-checker being installed on host and in guest from
stretch-backports. (Old versions are incapable of showing spectre/meltdown
as fixed.)
{{{
sudo su -c "echo -e 'deb http://http.debian.net/debian stretch-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"
}}}
{{{
sudo apt-get update
}}}
{{{
sudo apt-get -t stretch-backports install spectre-meltdown-checker
}}}
Suppose microcode is installed.
Intel:
{{{
sudo apt-get -t stretch-backports install intel-microcode
}}}
AMD:
{{{
sudo apt-get -t stretch-backports install amd64-microcode
}}}
Suppose running spectre-meltdown-checker on the host looks fine.
{{{
sudo spectre-meltdown-checker --paranoid ; echo $?
}}}
By fine I mean exit code 0 and not showing "vulnerable".
Suppose all VirtualBox spectre/meltdown defense options are in use.
{{{
VBoxManage modifyvm vm-name --ibpb-on-vm-entry on
}}}
{{{
VBoxManage modifyvm vm-name --ibpb-on-vm-exit on
}}}
{{{
VBoxManage modifyvm vm-name --spec-ctrl on
}}}
{{{
VBoxManage modifyvm vm-name --l1d-flush-on-sched off
}}}
(These options were introduced in VirtualBox version 5.2.18.)
'''Expected result:'''
spectre-meltdown-checker in guest VM saying "all fine".
{{{
sudo spectre-meltdown-checker --paranoid ; echo $?
}}}
By fine I mean exit code 0 and not showing "vulnerable".
'''Actual result:'''
spectre-meltdown-checker reporting vulnerable.
'''Questions:'''
Can you reproduce the same issue?
Were all necessary steps performed to protect the guest from
spectre/meltdown?
Is this a VirtualBox issue or false-positive in spectre-meltdown-checker?
([https://forums.virtualbox.org/viewtopic.php?f=7&t=89395 Previously posted in VirtualBox forum].)
--
Ticket URL: <https://www.virtualbox.org/ticket/17987>
Oracle VM VirtualBox <https://www.virtualbox.org/>
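Added example, not part of the ticket: a small script that compares the checker's per-CVE results from host and guest and lists the CVEs that are mitigated on the host but still reported vulnerable in the guest, which narrows the question of whether the hypervisor passes a given mitigation through. It assumes the checker's `--batch` text output format (one `CVE-...: OK|VULN|UNK (details)` line per CVE); the host and guest outputs embedded below are constructed samples, not captures from the reporter's systems.

```shell
#!/bin/bash
# Added example, not from the ticket: per-CVE host-vs-guest comparison of
# spectre-meltdown-checker results. Assumes the checker's "--batch" text
# format, one line per CVE: "CVE-XXXX-NNNN: OK|VULN|UNK (details)".
# Capture each side with:  sudo spectre-meltdown-checker --batch > host.txt

# Constructed sample captures (not real output from the reporter's systems).
HOST_OUT='CVE-2017-5753: OK (Mitigation: __user pointer sanitization)
CVE-2017-5715: OK (Full retpoline + IBPB are mitigating the vulnerability)
CVE-2017-5754: OK (Mitigation: PTI)'

GUEST_OUT='CVE-2017-5753: OK (Mitigation: __user pointer sanitization)
CVE-2017-5715: VULN (IBRS+IBPB or retpoline+IBPB is needed to mitigate the vulnerability)
CVE-2017-5754: OK (Mitigation: PTI)'

# status OUTPUT CVE -> prints OK, VULN, UNK, or MISSING if the CVE is absent
status() {
    printf '%s\n' "$1" | awk -v cve="$2" '
        $1 == (cve ":") { print $2; found = 1 }
        END { if (!found) print "MISSING" }'
}

# regressions HOST_OUTPUT GUEST_OUTPUT
# Prints every CVE that is OK on the host but VULN in the guest, i.e. a
# mitigation the hypervisor does not expose. Returns 0 if none, 1 otherwise.
regressions() {
    local host="$1" guest="$2" rc=0 cve rest h g
    while read -r cve rest; do
        cve="${cve%:}"
        h=$(status "$host" "$cve")
        g=$(status "$guest" "$cve")
        if [ "$h" = "OK" ] && [ "$g" = "VULN" ]; then
            printf '%s: host %s, guest %s\n' "$cve" "$h" "$g"
            rc=1
        fi
    done <<EOF
$host
EOF
    return "$rc"
}

# With the sample data this lists CVE-2017-5715 and reports a regression.
if regressions "$HOST_OUT" "$GUEST_OUT"; then
    echo "guest matches host for every CVE the host reports"
else
    echo "guest lacks at least one mitigation present on the host"
fi
```

Replace the two embedded strings with real host and guest captures to see which variant the guest still reports as vulnerable after the VBoxManage options above have been applied.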