[Whonix-devel] [Oracle VM VirtualBox] #17987: VirtualBox 5.2.18 vulnerable to spectre/meltdown despite microcode being installed

• Previous message (by thread): [Whonix-devel] [Tor Bug Tracker & Wiki] Batch modify: #26181, #4522, #9460, #9461, ...
• Next message (by thread): [Whonix-devel] [Oracle VM VirtualBox] #17987: VirtualBox 5.2.18 vulnerable to spectre/meltdown despite microcode being installed
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

#17987: VirtualBox 5.2.18 vulnerable to spectre/meltdown despite microcode being
installed
-----------------------+----------------------------------------------------
 Reporter:  adrelanos  |         Type:  defect           
   Status:  new        |     Priority:  major            
Component:  other      |      Version:  VirtualBox 5.2.18
 Keywords:             |   Guest type:  Linux            
Host type:  Linux      |  
-----------------------+----------------------------------------------------
 '''How to reproduce:'''

 A host running Debian stretch.
 Using VirtualBox version 5.2.18.
 A guest running Debian stretch.

 Host using stretch-backports with get access to newer microcode. (Old
 versions are incapable to show spectre/meltdown fixed.)

 spectre-meltdown-checker being installed on host and in guest from
 stretch-backports. (Old versions are incapable to show spectre/meltdown
 fixed.)

 {{{
 sudo su -c "echo -e 'deb http://http.debian.net/debian stretch-backports
 main contrib non-free' > /etc/apt/sources.list.d/backports.list"
 }}}
 {{{
 sudo apt-get update
 }}}
 {{{
 sudo apt-get -t stretch-backports install spectre-meltdown-checker
 }}}

 Suppose microcode being installed.

 Intel:

 {{{
 sudo apt-get -t stretch-backports install intel-microcode
 }}}

 Amd:

 {{{
 sudo apt-get -t stretch-backports install amd64-microcode
 }}}

 Suppose running spectre-meltdown-checker on the host looks fine.

 {{{
 sudo spectre-meltdown-checker --paranoid ; echo $?
 }}}

 By fine I mean exit code 0 and not showing "vulnerable".

 Suppose using all VirtualBox spectre/meltdown defense options.

 {{{
 VBoxManage modifyvm vm-name --ibpb-on-vm-entry on
 }}}
 {{{
 VBoxManage modifyvm vm-name --ibpb-on-vm-exit on
 }}}
 {{{
 VBoxManage modifyvm vm-name --spec-ctrl on
 }}}
 {{{
 VBoxManage modifyvm vm-name --l1d-flush-on-sched off
 }}}

 (These options were introduced in VirtualBox version 5.2.18.)

 '''Expected result:'''

 spectre-meltdown-checker in guest VM saying "all fine".

 {{{
 sudo spectre-meltdown-checker --paranoid ; echo $?
 }}}

 By fine I mean exit code 0 and not showing "vulnerable".

 '''Actual result:'''

 spectre-meltdown-checker reporting vulnerable.

 '''Questions:'''

 Can you reproduce the same issue?

 Were all necessary steps performed to protect the guest from
 spectre/meltdown?

 Is this a VirtualBox issue or false-positive in spectre-meltdown-checker?

 ([https://forums.virtualbox.org/viewtopic.php?f=7&t=89395 Previously
 posted in VirtualBox forum].)

-- 
Ticket URL: <https://www.virtualbox.org/ticket/17987>
Oracle VM VirtualBox <https://www.virtualbox.org/>

• Previous message (by thread): [Whonix-devel] [Tor Bug Tracker & Wiki] Batch modify: #26181, #4522, #9460, #9461, ...
• Next message (by thread): [Whonix-devel] [Oracle VM VirtualBox] #17987: VirtualBox 5.2.18 vulnerable to spectre/meltdown despite microcode being installed
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]