From: Daniel P. Berrangé
To: libvir-list@redhat.com
Date: Fri, 27 Sep 2019 13:52:25 +0100
Message-Id: <20190927125225.22432-7-berrange@redhat.com>
In-Reply-To: <20190927125225.22432-1-berrange@redhat.com>
References: <20190927125225.22432-1-berrange@redhat.com>
Subject: [libvirt] [PATCH v2 6/6] tools: make virt-host-validate check CPU vulnerabilities

Add a check reporting if any CPU vulnerabilities have not been mitigated by the kernel. It further reports whether it is safe to use Intel SMT for KVM guests or not, as several of the vulnerabilities are dangerous when combined with SMT and KVM, even if mitigations are in effect.

eg on a host with mitigations, but unsafe SMT still enabled:

Checking CPU hardware vulnerability mitigation...PASS
Checking CPU hardware vulnerability SMT safety...FAIL

Signed-off-by: Daniel P. Berrangé
---
 libvirt.spec.in | 1 +
 tools/Makefile.am | 1 +
 .../rules/linux-cpu-hardware-flaws.yaml | 165 ++++++++++++++++++
 3 files changed, 167 insertions(+)
 create mode 100644 tools/host-validate/rules/linux-cpu-hardware-flaws.yaml

diff --git a/libvirt.spec.in b/libvirt.spec.in
index f336296a08..8aa226798a 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1901,6 +1901,7 @@ exit 0 %{_datadir}/libvirt/host-validate/linux-acpi.yaml %{_datadir}/libvirt/host-validate/linux-cgroups.yaml %{_datadir}/libvirt/host-validate/linux-cpu.yaml +%{_datadir}/libvirt/host-validate/linux-cpu-hardware-flaws.yaml %{_datadir}/libvirt/host-validate/linux-devices.yaml %{_datadir}/libvirt/host-validate/linux-iommu.yaml %{_datadir}/libvirt/host-validate/linux-namespaces.yaml diff --git a/tools/Makefile.am b/tools/Makefile.am index 728de475a2..907b0195c2 100644 --- a/tools/Makefile.am +++ b/tools/Makefile.am @@ -173,6 +173,7 @@ virt_host_validate_rules_DATA =3D \ $(srcdir)/host-validate/rules/linux-acpi.yaml \ $(srcdir)/host-validate/rules/linux-cgroups.yaml \ $(srcdir)/host-validate/rules/linux-cpu.yaml \ + $(srcdir)/host-validate/rules/linux-cpu-hardware-flaws.yaml \ $(srcdir)/host-validate/rules/linux-devices.yaml \ $(srcdir)/host-validate/rules/linux-iommu.yaml \ $(srcdir)/host-validate/rules/linux-namespaces.yaml \ diff --git a/tools/host-validate/rules/linux-cpu-hardware-flaws.yaml b/tool= s/host-validate/rules/linux-cpu-hardware-flaws.yaml new file mode 100644 index 0000000000..6a243df96d --- /dev/null +++ b/tools/host-validate/rules/linux-cpu-hardware-flaws.yaml 
@@ -0,0 +1,165 @@ +# +# Define facts related to CPU hardware vulnerabilities +# + +facts: +- name: cpu.vulnerability.meltdown + filter: + fact: + name: os.kernel + value: Linux + value: + file: + path: /sys/devices/system/cpu/vulnerabilities/meltdown + ignoreMissing: true + parse: + scalar: + regex: (\w+) + match: 1 +- name: cpu.vulnerability.spectre_v1 + filter: + fact: + name: os.kernel + value: Linux + value: + file: + path: /sys/devices/system/cpu/vulnerabilities/spectre_v1 + ignoreMissing: true + parse: + scalar: + regex: (\w+) + match: 1 +- name: cpu.vulnerability.spectre_v2 + filter: + fact: + name: os.kernel + value: Linux + value: + file: + path: /sys/devices/system/cpu/vulnerabilities/spectre_v2 + ignoreMissing: true + parse: + scalar: + regex: (\w+) + match: 1 +- name: cpu.vulnerability.spec_store_bypass + filter: + fact: + name: os.kernel + value: Linux + value: + file: + path: /sys/devices/system/cpu/vulnerabilities/spec_store_bypass + ignoreMissing: true + parse: + scalar: + regex: (\w+) + match: 1 +- name: cpu.vulnerability.mds + filter: + fact: + name: os.kernel + value: Linux + value: + file: + path: /sys/devices/system/cpu/vulnerabilities/mds + ignoreMissing: true + parse: + scalar: + regex: (\w+) + match: 1 +- name: cpu.vulnerability.mds_smt + filter: + fact: + name: os.kernel + value: Linux + value: + file: + path: /sys/devices/system/cpu/vulnerabilities/mds + ignoreMissing: true + parse: + scalar: + regex: SMT (\w+) + match: 1 +- name: cpu.vulnerability.l1tf + filter: + fact: + name: os.kernel + value: Linux + value: + file: + path: /sys/devices/system/cpu/vulnerabilities/l1tf + ignoreMissing: true + parse: + scalar: + regex: (\w+) + match: 1 +- name: cpu.vulnerability.l1tf_smt + filter: + fact: + name: os.kernel + value: Linux + value: + file: + path: /sys/devices/system/cpu/vulnerabilities/l1tf + ignoreMissing: true + parse: + scalar: + regex: SMT (\w+) + match: 1 +- name: cpu.vulnerability.unsafe + filter: + fact: + name: os.kernel + value: 
Linux + report: + message: CPU hardware vulnerability mitigation + pass: false + value: + bool: + any: + expressions: + - fact: + name: cpu.vulnerability.meltdown + value: Vulnerable + - fact: + name: cpu.vulnerability.spectre_v1 + value: Vulnerable + - fact: + name: cpu.vulnerability.spectre_v2 + value: Vulnerable + - fact: + name: cpu.vulnerability.spec_store_bypass + value: Vulnerable + - fact: + name: cpu.vulnerability.mds + value: Vulnerable + - fact: + name: cpu.vulnerability.l1tf + value: Vulnerable +- name: cpu.vulnerability.unsafe_smt + filter: + all: + expressions: + - fact: + name: os.kernel + value: Linux + - fact: + name: cpu.vendor.intel + value: "true" + - fact: + name: cpu.virt.present + value: "true" + report: + message: CPU hardware vulnerability SMT safety + pass: false + value: + bool: + any: + expressions: + - fact: + name: cpu.vulnerability.mds_smt + value: vulnerable + - fact: + name: cpu.vulnerability.l1tf_smt + value: vulnerable --=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
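Review bot: in the linux-cpu-hardware-flaws.yaml hunk the two reports compare against different spellings of the same word, `value: Vulnerable` for the six per-flaw facts and `value: vulnerable` for `cpu.vulnerability.mds_smt` and `cpu.vulnerability.l1tf_smt`. That matches the kernel's sysfs text (the line starts with `Vulnerable`, the suffix reads `SMT vulnerable`), but without a comment it looks like a typo, so the header comment at the top of the file should list the strings the regexes are written against (`Vulnerable`, `Mitigation: ...`, `Not affected`, `SMT vulnerable` / `SMT disabled`). Two behaviours of the `SMT (\w+)` regex also deserve a look against arch/x86/kernel/cpu/bugs.c: the mds file under a hypervisor reads `...; SMT Host state unknown`, so the capture is `Host` and a nested-virt host is reported as SMT-safe rather than unknown; and the l1tf file only carries an `SMT ...` suffix once kvm_intel has loaded and the VMX state is known, while the configuration this check most wants to catch, L1D flush disabled with SMT active, is printed as `Mitigation: PTE Inversion; VMX: vulnerable` with no `SMT` word at all, so `l1tf_smt` never matches and the `unsafe_smt` report passes. Finally, `ignoreMissing: true` on every fact means a kernel too old to expose /sys/devices/system/cpu/vulnerabilities/ at all, which is precisely a kernel without these mitigations, makes `cpu.vulnerability.unsafe` pass silently; reporting the missing directory as a failure or a distinct "unknown" state would be safer than treating absence as clean.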