Bug 49712

Summary: Pass CPU microcode features for mitigation
Product: UCS
Reporter: Philipp Hahn <hahn>
Component: Virtualization - UVMM
Assignee: UCS maintainers <ucs-maintainers>
Status: CLOSED WONTFIX
QA Contact: UCS maintainers <ucs-maintainers>
Severity: normal
Priority: P5
CC: requate
Version: UCS 4.4
Target Milestone: ---
Hardware: Other
OS: Linux
URL: https://help.univention.com/t/status-of-meltdown-spectre-and-foreshadow-l1tf-and-mds-security-issues-in-ucs/7678
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Bug Depends on: 49695
Bug Blocks:

Description Philipp Hahn univentionstaff 2019-06-24 13:34:14 CEST
Intel (and AMD) CPUs have several architectural flaws, which were patched by several microcode updates in the past:
- Spectre
- Meltdown
- Foreshadow / L1 Terminal Fault
- Microarchitectural Data Sampling

We have already updated the microcode update packages in UCS,
patched the Linux kernel to use them,
shipped updated Qemu packages allowing those new features to be passed through,
and finally shipped an updated libvirt to enable them per VM.

Enabling new microcode features is a backward incompatible change, which is visible to the VM and modifies the CPU save state: VMs with those features enabled MUST NOT be migrated to hosts missing the updated packages.
As such, those features are not enabled by default and must be enabled manually.

UVMM needs to be extended to at least allow configuring those features.
As the set of features depends on the exact CPU model, Bug #49695 needs to be addressed first.
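The migration constraint described above, as an added example that is not part of this bug report or of UVMM: given a domain definition that requires mitigation features in its guest CPU model, check whether a candidate migration target advertises the matching flags in /proc/cpuinfo. The domain XML and the cpuinfo lines are constructed; the '-' to '_' mapping between libvirt feature names and kernel flag names is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed libvirt domain fragment: a guest CPU model that requires the
# microcode-backed mitigation features (spec-ctrl, ssbd, md-clear).
DOMAIN_XML = """<domain type='kvm'>
  <name>vm-with-mitigations</name>
  <cpu mode='custom' match='exact'>
    <model fallback='forbid'>Haswell-noTSX-IBRS</model>
    <feature policy='require' name='spec-ctrl'/>
    <feature policy='require' name='ssbd'/>
    <feature policy='require' name='md-clear'/>
    <feature policy='optional' name='stibp'/>
  </cpu>
</domain>"""

# Constructed /proc/cpuinfo excerpts for two hosts: one with current microcode,
# one that still lacks the MDS update (no md_clear flag).
HOST_FLAGS_UPDATED = "flags\t\t: fpu vme de pse ibpb stibp spec_ctrl ssbd md_clear"
HOST_FLAGS_STALE = "flags\t\t: fpu vme de pse ibpb stibp spec_ctrl ssbd"


def required_cpu_features(domain_xml):
    """Guest CPU features the domain insists on (policy 'require' or 'force')."""
    root = ET.fromstring(domain_xml)
    return [f.get("name") for f in root.iterfind("./cpu/feature")
            if f.get("policy", "require") in ("require", "force")]


def host_cpu_flags(cpuinfo_text):
    """Flag set from /proc/cpuinfo text; the first 'flags' line is used."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()


def to_cpuinfo_name(libvirt_name):
    # Assumption: libvirt writes '-' where the kernel flag uses '_'
    # (spec-ctrl -> spec_ctrl, md-clear -> md_clear).
    return libvirt_name.replace("-", "_")


def missing_on_target(domain_xml, target_cpuinfo):
    """Required guest features the target host cannot provide.

    A non-empty list means the VM must not be migrated there: the guest has
    already seen these CPUID bits and they are part of its saved CPU state.
    """
    flags = host_cpu_flags(target_cpuinfo)
    return [f for f in required_cpu_features(domain_xml)
            if to_cpuinfo_name(f) not in flags]
```

This only covers the microcode/kernel prerequisite on the target; as the report notes, the target also needs the updated Qemu and libvirt packages before the features can be exposed there.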
Comment 1 Philipp Hahn univentionstaff 2023-06-28 10:44:07 CEST
UVMM and virtualization with UCS is deprecated and will no longer be developed in UCS 4.4; they have already been removed from UCS 5.0.