Comments
Older distros still get security patches typically, as long as they are not EOL status.
Don't think RHEL has a kernel fix for this as yet; only a mitigation for RHEL8 has been posted, according to https://access.redhat.com/solutions/retbleed
If you are a provider, you can set mitigations=off on the HV and let your customers set their own IBRS mitigations. No reason why a node should suffer from the patches, assuming you don't have shared guests on the hypervisor; in most cases (unless OpenVZ) you won't. Some people run OpenBSD, which won't be affected as a guest because of other mitigations. So no need to slow them down because of HV patches. IMO.
This sounds like an interesting way to get involved.
Care to explain? Or at least a way to show how guests will be affected.
Virtualisation is not a boundary without these mitigations in place. If the node has no mitigations, an unscrupulous customer can escape their VM and gain root access on the host node
KVM is a distinct boundary for retbleed, and I haven't seen any research that shows being able to leak data across hypervisor exit and reentry.
OpenVZ / LXC isn't a boundary.
However, any attempt to exploit retbleed requires hours of sustained high CPU activity - which would already be disruptive.
And none of the speculative execution bugs will give 'root access' to the hostnode.
Speculative Execution only allows reading data through careful timing measurements.
SSH Private Keys are generally not in kernel memory, so retbleed can't directly get at it.
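As an added illustration of the checks discussed in the two comments above (the provider running `mitigations=off` on the hypervisor, and the point that KVM is a boundary for retbleed while OpenVZ/LXC is not), here is a small POSIX shell script that is not from the thread or from any vendor. It reads the kernel's own `/sys/devices/system/cpu/vulnerabilities/retbleed` report and `/proc/cmdline`, and the `assess_node` verdict encodes the thread's reasoning; the sample lines and the `RUN_DEMO` switch are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify the retbleed status the kernel
# reports, list mitigation-related boot parameters, and give a node-level verdict
# that depends on whether tenants are KVM guests (a boundary) or containers (not).

# Classify one line of /sys/devices/system/cpu/vulnerabilities/retbleed.
# Prints: not-affected | mitigated | vulnerable | unknown
classify_retbleed() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# Print the kernel command-line parameters that switch CPU mitigations (e.g. mitigations=off).
cmdline_mitigation_flags() {
    for tok in $1; do
        case "$tok" in
            mitigations=*|retbleed=*|spectre_v2=*|nospectre_v2) printf '%s\n' "$tok" ;;
        esac
    done
}

# Verdict for a node. $1 = classify_retbleed result, $2 = virt type (kvm|openvz|lxc|none).
# Containers share the host kernel, so an unmitigated host leaves container tenants
# exposed to each other; KVM guests can apply their own mitigations inside the VM.
# Returns 0 = ok, 1 = acceptable with caveat, 2 = exposed.
assess_node() {
    status=$1 virt=$2
    case "$status" in
        not-affected|mitigated) echo "ok: host kernel reports $status"; return 0 ;;
    esac
    case "$virt" in
        kvm)        echo "acceptable-with-caveat: host unmitigated, KVM guests choose their own mitigations"; return 1 ;;
        openvz|lxc) echo "exposed: host unmitigated and containers share its kernel"; return 2 ;;
        *)          echo "exposed: host unmitigated"; return 2 ;;
    esac
}

# Live check on the machine this runs on; the sysfs entry is absent on kernels
# that predate the retbleed report and on non-x86 hardware.
check_local() {
    f=/sys/devices/system/cpu/vulnerabilities/retbleed
    if [ -r "$f" ]; then
        line=$(cat "$f")
        printf 'retbleed: %s -> %s\n' "$line" "$(classify_retbleed "$line")"
    else
        echo "retbleed: no sysfs entry (kernel predates the retbleed report, or non-x86)"
    fi
    if [ -r /proc/cmdline ]; then
        cmdline_mitigation_flags "$(cat /proc/cmdline)"
    fi
    return 0
}

# Constructed sample values in the kernel's sysfs/cmdline format (not captured from a real host).
SAMPLE_MITIGATED='Mitigation: untrained return thunk; SMT enabled with STIBP protection'
SAMPLE_VULNERABLE='Vulnerable'
SAMPLE_CMDLINE='BOOT_IMAGE=/vmlinuz root=/dev/vda1 ro mitigations=off quiet'

# Usage: RUN_DEMO=1 sh retbleed-check.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    check_local
fi
```

Run it on the hypervisor and inside a guest: a host booted with `mitigations=off` reports `Vulnerable` while a KVM guest with default settings still reports a `Mitigation:` line of its own, which is exactly the split the provider comment above describes.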
Agree, but my point was in relation to mitigations=off
That's fair, the speculative execution bug would be just one part of a chain to get to the point of root access on the host or another guest. Being able to read arbitrary memory is already bad enough