These are the 3 vulnerabilities lscpu outputs that seem to be related to virtualization.
Itlb multihit: KVM: Mitigation: VMX disabled
L1tf: Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable
Mds: Mitigation; Clear CPU buffers; SMT vulnerable
What features will I miss out on despite having hardware support to run KVM/QEMU safely? I mean it seems that to mitigate those vulnerabilities some features are disabled. I tried to learn more but resources are a bit too advanced for me. The first one, Itlb multihit, is making me worry the most. Wikipedia says, "The CPU flag for VT-x capability is "vmx""
Does this mean, even though I've VT-x enabled in the BIOS, I can't use it for the sake of security? But it doesn't seem that VT-x is disabled. Even though it says "Mitigation: VMX disabled", running
grep -E --color=auto 'vmx|svm|0xc0f' /proc/cpuinfo
gives output. Shouldn't the 'vmx' flag be absent if VT-x is disabled by the kernel? Also, according to this page of the Wiki, my machine is capable of running KVM, and it does! I've run
info kvm
in the qemu monitor and it says "kvm support:enabled"
Does this mean it's using KVM without those extensions, without those extra instructions provided by VT-x technology? KVM without VT-x, is that possible?
Or is VT-x not actually disabled and my system is left vulnerable? Will using KVM like this pose security threats on my host system in case the guest OS gets infected?
And what about other vulnerabilities? What limitations/risks will those pose while running KVM/QEMU?
Thanks for reading this much with an intention to help!
Last edited by Ridwan Rawriet (2022-03-10 06:47:33)
vmx indicates, as you wrote, support for VT-x. VMXE is a bit in CR4 that needs to be set to start using VT-x. If you start a VM, does the Itlb multihit message change to one of "KVM: Mitigation: Split huge pages" or "KVM: Vulnerable"?
Thank goodness, it changes to KVM: Mitigation: Split huge pages. I didn't know those were dynamic. Now can you tell me more about what this means? I can guess this is definitely better than KVM: Vulnerable!
The other 2 remain the same though. And it seems those are not as related to KVM as this.
Last edited by Ridwan Rawriet (2022-03-08 20:27:08)
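The status strings compared in the posts above can be triaged with a short script. This is an added example, not part of any post in the thread; the function names `classify`, `itlb_state` and `report` and the short labels they print are made up for illustration, and the sample input is constructed from the three strings quoted in the thread.

```shell
#!/bin/sh
# Added example: triage the status strings from
# /sys/devices/system/cpu/vulnerabilities (lscpu prints the same text).

# classify STATUS -> ok | mitigated | smt-risk | vulnerable | unknown
classify() {
    case "$1" in
        "Not affected"*)               echo ok ;;
        *Mitigation*"SMT vulnerable"*) echo smt-risk ;;   # mitigated, except across SMT siblings
        *Mitigation*)                  echo mitigated ;;
        *Vulnerable*)                  echo vulnerable ;;
        *)                             echo unknown ;;
    esac
}

# itlb_state STATUS -> what the itlb_multihit string says about KVM right now
itlb_state() {
    case "$1" in
        *"VMX disabled"*)     echo vmx-idle ;;      # CR4.VMXE clear, VT-x not in use
        *"VMX unsupported"*)  echo no-vmx ;;
        *"Split huge pages"*) echo kvm-mitigated ;; # VT-x in use, mitigation active
        *"KVM: Vulnerable"*)  echo kvm-exposed ;;   # VT-x in use, mitigation off
        *)                    echo n/a ;;
    esac
}

# report DIR -> "<file> <class> <status>" for every readable file in DIR
report() {
    for f in "$1"/*; do
        [ -r "$f" ] || continue
        s=$(cat "$f")
        printf '%s\t%s\t%s\n' "${f##*/}" "$(classify "$s")" "$s"
    done
}

# Constructed sample: the three strings quoted in the thread, one file each.
# On a live host, call: report /sys/devices/system/cpu/vulnerabilities
sample=$(mktemp -d)
echo 'KVM: Mitigation: VMX disabled' > "$sample/itlb_multihit"
echo 'Mitigation; PTE Inversion; VMX conditional cache flushes, SMT vulnerable' > "$sample/l1tf"
echo 'Mitigation; Clear CPU buffers; SMT vulnerable' > "$sample/mds"
report "$sample"
echo "itlb_multihit now: $(itlb_state "$(cat "$sample/itlb_multihit")")"
rm -rf "$sample"
```

Running `report` once with no guest and once while a guest is up shows the `itlb_multihit` line change while `l1tf` and `mds` stay the same, as reported in the thread.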
Have you read https://www.kernel.org/doc/html/latest/ … e/hw-vuln/ ? You have the default mitigations selected by the kernel developers. The link explains what threats that does not offer protection against.
Thanks, I'll try to read and understand it as much as I can.