From 04b869370369ca1398d24d18c15f2e1b516620a8 Mon Sep 17 00:00:00 2001 From: Stephen Finucane Date: Tue, 23 Mar 2021 11:06:23 +0000 Subject: [PATCH] docs: Fold in MDS security flaw doc There's no real need for this to exist as its own standalone document now that we have a separate CPU models doc. Combine them. Change-Id: I3a3e19b1f2660dd773fd3d47332abadc0c0e5c55 Signed-off-by: Stephen Finucane --- doc/source/_extra/.htaccess | 1 + doc/source/admin/cpu-models.rst | 127 +++++++++++++++++ doc/source/admin/index.rst | 1 - ...itigation-for-Intel-MDS-security-flaws.rst | 128 ------------------ doc/source/admin/security.rst | 3 +- doc/test/redirect-tests.txt | 1 + 6 files changed, 130 insertions(+), 131 deletions(-) delete mode 100644 doc/source/admin/mitigation-for-Intel-MDS-security-flaws.rst diff --git a/doc/source/_extra/.htaccess b/doc/source/_extra/.htaccess index 07e56bb782a2..3f4995840e96 100644 --- a/doc/source/_extra/.htaccess +++ b/doc/source/_extra/.htaccess @@ -77,3 +77,4 @@ redirectmatch 301 ^/nova/([^/]+)/admin/adv-config.html$ /nova/$1/admin/index.htm redirectmatch 301 ^/nova/([^/]+)/admin/system-admin.html$ /nova/$1/admin/index.html redirectmatch 301 ^/nova/([^/]+)/admin/port_with_resource_request.html$ /nova/$1/admin/ports-with-resource-requests.html redirectmatch 301 ^/nova/([^/]+)/admin/manage-users.html$ /nova/$1/admin/arch.html +redirectmatch 301 ^/nova/([^/]+)/admin/mitigation-for-Intel-MDS-security-flaws.html /nova/$1/admin/cpu-models.html diff --git a/doc/source/admin/cpu-models.rst b/doc/source/admin/cpu-models.rst index 68680dd84749..06ffdb61b660 100644 --- a/doc/source/admin/cpu-models.rst +++ b/doc/source/admin/cpu-models.rst @@ -191,3 +191,130 @@ example: As ``Haswell`` is the first CPU model supporting both of these CPU features, the instance would be configured with this model. + +.. _mitigation-for-Intel-MDS-security-flaws: + +Mitigation for MDS ("Microarchitectural Data Sampling") Security Flaws +---------------------------------------------------------------------- + +In May 2019, four new microprocessor flaws, known as `MDS`__ and also referred +to as `RIDL and Fallout`__ or `ZombieLoad`__, were discovered. +These flaws affect unpatched Nova compute nodes and instances running on Intel +x86_64 CPUs. + +.. __: https://access.redhat.com/security/vulnerabilities/mds +.. __: https://mdsattacks.com/ +.. __: https://zombieloadattack.com + +Resolution +~~~~~~~~~~ + +To get mitigation for the said MDS security flaws, a new CPU flag, +``md-clear``, needs to be exposed to the Nova instances. This can be done as +follows. + +#. Update the following components to the versions from your Linux + distribution that have fixes for the MDS flaws, on all compute nodes + with Intel x86_64 CPUs: + + - ``microcode_ctl`` + - ``kernel`` + - ``qemu-system-x86`` + - ``libvirt`` + +#. When using the libvirt driver, ensure that the CPU flag ``md-clear`` + is exposed to the Nova instances. This can be done in one of three ways, + depending on your configured CPU mode: + + #. :oslo.config:option:`libvirt.cpu_mode`\ =host-model + + When using the ``host-model`` CPU mode, the ``md-clear`` CPU flag + will be passed through to the Nova guests automatically. + + This mode is the default, when + :oslo.config:option:`libvirt.virt_type`\ =kvm|qemu is set in + ``/etc/nova/nova-cpu.conf`` on compute nodes. + + #. :oslo.config:option:`libvirt.cpu_mode`\ =host-passthrough + + When using the ``host-passthrough`` CPU mode, the ``md-clear`` CPU + flag will be passed through to the Nova guests automatically. + + #. :oslo.config:option:`libvirt.cpu_mode`\ =custom + + When using the ``custom`` CPU mode, you must *explicitly* enable the + CPU flag ``md-clear`` to the Nova instances, in addition to the + flags required for previous vulnerabilities, using the + :oslo.config:option:`libvirt.cpu_model_extra_flags`. For example: + + .. code-block:: ini + + [libvirt] + cpu_mode = custom + cpu_models = IvyBridge + cpu_model_extra_flags = spec-ctrl,ssbd,md-clear + +#. Reboot the compute node for the fixes to take effect. + + To minimize workload downtime, you may wish to live migrate all guests to + another compute node first. + +Once the above steps have been taken on every vulnerable compute node in the +deployment, each running guest in the cluster must be fully powered down, and +cold-booted (i.e. an explicit stop followed by a start), in order to activate +the new CPU models. This can be done by the guest administrators at a time of +their choosing. + +Validation +~~~~~~~~~~ + +After applying relevant updates, administrators can check the kernel's +``sysfs`` interface to see what mitigation is in place, by running the +following command on the host: + +.. code-block:: bash + + # cat /sys/devices/system/cpu/vulnerabilities/mds + Mitigation: Clear CPU buffers; SMT vulnerable + +To unpack the message "Mitigation: Clear CPU buffers; SMT vulnerable": + +- ``Mitigation: Clear CPU buffers`` means you have the "CPU buffer clearing" + mitigation enabled, which is mechanism to invoke a flush of various + exploitable CPU buffers by invoking a CPU instruction called "VERW". + +- ``SMT vulnerable`` means, depending on your workload, you may still be + vulnerable to SMT-related problems. You need to evaluate whether your + workloads need SMT (also called "Hyper-Threading") to be disabled or not. + Refer to the guidance from your Linux distribution and processor vendor. + +To see the other possible values for +``/sys/devices/system/cpu/vulnerabilities/mds``, refer to the `MDS system +information`__ section in Linux kernel's documentation for MDS. + +On the host, validate that KVM is capable of exposing the ``md-clear`` flag to +guests: + +.. code-block:: bash + + # virsh domcapabilities kvm | grep md-clear + + +More information can be found on the 'Diagnosis' tab of `this security notice +document`__. + +.. __: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html#mds-system-information +.. __: https://access.redhat.com/security/vulnerabilities/mds + +Performance Impact +~~~~~~~~~~~~~~~~~~ + +Refer to this section titled "Performance Impact and Disabling MDS" from +`this security notice document`__, under the *Resolve* tab. + +.. note:: + + Although the article referred to is from Red Hat, the findings and + recommendations about performance impact apply for other distributions also. + +.. __: https://access.redhat.com/security/vulnerabilities/mds diff --git a/doc/source/admin/index.rst b/doc/source/admin/index.rst index ef7fb902a8db..39dc76ace7d5 100644 --- a/doc/source/admin/index.rst +++ b/doc/source/admin/index.rst @@ -151,6 +151,5 @@ Additional guides ssh-configuration support-compute secure-live-migration-with-qemu-native-tls - mitigation-for-Intel-MDS-security-flaws vendordata hw-machine-type diff --git a/doc/source/admin/mitigation-for-Intel-MDS-security-flaws.rst b/doc/source/admin/mitigation-for-Intel-MDS-security-flaws.rst deleted file mode 100644 index b5454e8ba30a..000000000000 --- a/doc/source/admin/mitigation-for-Intel-MDS-security-flaws.rst +++ /dev/null @@ -1,128 +0,0 @@ -====================================================================== -Mitigation for MDS ("Microarchitectural Data Sampling") Security Flaws -====================================================================== - -Issue -~~~~~ - -In May 2019, four new microprocessor flaws, known as `MDS -`_ , have been -discovered. These flaws affect unpatched Nova compute nodes and -instances running on Intel x86_64 CPUs. (The said MDS security flaws -are also referred to as `RIDL and Fallout `_ or -`ZombieLoad `_). - - -Resolution -~~~~~~~~~~ - -To get mitigation for the said MDS security flaws, a new CPU flag, -`md-clear`, needs to be exposed to the Nova instances. It can be done -as follows. - -(1) Update the following components to the versions from your Linux - distribution that have fixes for the MDS flaws, on all compute nodes - with Intel x86_64 CPUs: - - - microcode_ctl - - kernel - - qemu-system-x86 - - libvirt - -(2) When using the libvirt driver, ensure that the CPU flag ``md-clear`` - is exposed to the Nova instances. It can be done so in one of the - three following ways, given that Nova supports three distinct CPU - modes: - - a. :oslo.config:option:`libvirt.cpu_mode`\ =host-model - - When using ``host-model`` CPU mode, the ``md-clear`` CPU flag - will be passed through to the Nova guests automatically. - - This mode is the default, when - :oslo.config:option:`libvirt.virt_type`\ =kvm|qemu is set in - ``/etc/nova/nova-cpu.conf`` on compute nodes. - - b. :oslo.config:option:`libvirt.cpu_mode`\ =host-passthrough - - When using ``host-passthrough`` CPU mode, the ``md-clear`` CPU - flag will be passed through to the Nova guests automatically. - - c. Specific custom CPU models — this can be enabled using the - Nova config attributes :oslo.config:option:`libvirt.cpu_mode`\ =custom - plus particular named CPU models, e.g. - :oslo.config:option:`libvirt.cpu_models`\ =IvyBridge. - - (The list of all valid named CPU models that are supported by - your host, QEMU, and libvirt can be found by running the - command ``virsh domcapabilities``.) - - When using a custom CPU mode, you must *explicitly* enable the - CPU flag ``md-clear`` to the Nova instances, in addition to the - flags required for previous vulnerabilities, using the - :oslo.config:option:`libvirt.cpu_model_extra_flags`. E.g.:: - - [libvirt] - cpu_mode = custom - cpu_models = IvyBridge - cpu_model_extra_flags = spec-ctrl,ssbd,md-clear - -(3) Reboot the compute node for the fixes to take effect. (To minimize - workload downtime, you may wish to live migrate all guests to - another compute node first.) - -Once the above steps have been taken on every vulnerable compute -node in the deployment, each running guest in the cluster must be -fully powered down, and cold-booted (i.e. an explicit stop followed -by a start), in order to activate the new CPU models. This can be done -by the guest administrators at a time of their choosing. - - -Validate that the fixes are in effect -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -After applying relevant updates, administrators can check the kernel's -"sysfs" interface to see what mitigation is in place, by running the -following command (on the host):: - - # cat /sys/devices/system/cpu/vulnerabilities/mds - Mitigation: Clear CPU buffers; SMT vulnerable - -To unpack the message "Mitigation: Clear CPU buffers; SMT vulnerable": - -- The ``Mitigation: Clear CPU buffers`` bit means, you have the "CPU - buffer clearing" mitigation enabled (which is mechanism to invoke a - flush of various exploitable CPU buffers by invoking a CPU - instruction called "VERW"). - -- The ``SMT vulnerable`` bit means, depending on your workload, you may - still be vulnerable to SMT-related problems. You need to evaluate - whether your workloads need SMT (also called "Hyper-Threading") to - be disabled or not. Refer to the guidance from your Linux - distribution and processor vendor. - -To see the other possible values for the sysfs file, -``/sys/devices/system/cpu/vulnerabilities/mds``, refer to the `MDS -system information -`_ -section in Linux kernel's documentation for MDS. - -On the host, validate that KVM is capable of exposing the ``md-clear`` -flag to guests:: - - # virsh domcapabilities kvm | grep md-clear - - -Also, refer to the 'Diagnosis' tab in this security notice document -`here `_ - - -Performance Impact -~~~~~~~~~~~~~~~~~~ - -Refer to this section titled "Performance Impact and Disabling MDS" from -the security notice document `here -`_, under the -'Resolve' tab. (Note that although the article referred to is from Red -Hat, the findings and recommendations about performance impact apply -for other distributions as well.) diff --git a/doc/source/admin/security.rst b/doc/source/admin/security.rst index a7300f8eef86..5743023e7395 100644 --- a/doc/source/admin/security.rst +++ b/doc/source/admin/security.rst @@ -56,5 +56,4 @@ Mitigation for MDS (Microarchitectural Data Sampling) security flaws It is strongly recommended to patch all compute nodes and nova instances against the processor-related security flaws, such as MDS (and other previous vulnerabilities). For details on applying mitigation for the -MDS flaws, refer to the :doc:`mitigation-for-Intel-MDS-security-flaws` -document. +MDS flaws, refer to :ref:`mitigation-for-Intel-MDS-security-flaws`. diff --git a/doc/test/redirect-tests.txt b/doc/test/redirect-tests.txt index 283c9731e340..6731ceb7f570 100644 --- a/doc/test/redirect-tests.txt +++ b/doc/test/redirect-tests.txt @@ -77,3 +77,4 @@ /nova/latest/admin/system-admin.html 301 /nova/latest/admin/index.html /nova/latest/admin/port_with_resource_request.html 301 /nova/latest/admin/ports-with-resource-requests.html /nova/latest/admin/manage-users.html 301 /nova/latest/admin/arch.html +/nova/latest/admin/mitigation-for-Intel-MDS-security-flaws.html 301 /nova/latest/admin/cpu-models.html