Missing/incomplete/"unknown" data about CPU vulnerabilities
emanruse opened this issue · 3 comments
Qubes OS release
4.2.3
Brief summary
Some CPU vulnerabilities are reported with missing/incomplete info.
Steps to reproduce
grep . /sys/devices/system/cpu/vulnerabilities/*
or
lscpu
Expected behavior
Meaningful info about each vulnerability and mitigations.
Actual behavior
There is no actual info about some vulnerabilities. Examples of "unknown":
/sys/devices/system/cpu/vulnerabilities/srbds:Unknown: Dependent on hypervisor status
or
/sys/devices/system/cpu/vulnerabilities/mmio_stale_data:Mitigation: Clear CPU buffers; SMT Host state unknown
The latter one is additionally confusing, considering the output of journalctl:
[ 1.661691] dom0 kernel: cpu 1 spinlock event irq 141
[ 1.662029] dom0 kernel: MMIO Stale Data CPU bug present and SMT on, data leak possible. See https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html for more details.
[ 1.662046] dom0 kernel: cpu 2 spinlock event irq 142
[ 1.662049] dom0 kernel: cpu 3 spinlock event irq 143
In VMs (including dom0) the kernel doesn't have full information about the system. So (as the first message you quoted already hints at) you need to look at the hypervisor. Take a look at xl dmesg (or /var/log/xen/console/hypervisor.log) and see what Xen thinks. In particular the messages starting with Speculative mitigation facilities.
If you think that for a specific vulnerability Linux running inside a Xen VM actually should be able to determine whether the system is susceptible to it, that would be a feature request (or maybe bug) for upstream.
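Added example, not part of the issue thread and not Qubes or Xen project code: a small sh helper that applies the advice above by flagging the sysfs entries where the guest kernel says it cannot see host state, and by pulling the block that starts with Speculative mitigation facilities out of a Xen console log. The function names, the --live switch and the assumed indentation of the Xen continuation lines are assumptions.

```shell
#!/bin/sh
# Added example. classify_vuln_line, xen_spec_block and --live are
# hypothetical names chosen for this illustration.

# classify_vuln_line LINE
# LINE is one line of `grep . /sys/devices/system/cpu/vulnerabilities/*`.
# Prints "<name> <guest-state> <host-view>". host-view is "needs-hypervisor"
# when the guest kernel itself reports that host state is not visible to it.
classify_vuln_line() (
    line=$1
    name=${line%%:*}; name=${name##*/}
    status=${line#*:}
    host=guest-ok
    case $status in
        "Not affected"*) state=not-affected ;;
        Mitigation*)     state=mitigated ;;
        Vulnerable*)     state=vulnerable ;;
        Unknown*)        state=unknown ;;
        *)               state=unrecognized ;;
    esac
    case $status in
        *[Uu]nknown*|*hypervisor*) host=needs-hypervisor ;;
    esac
    printf '%s %s %s\n' "$name" "$state" "$host"
)

# xen_spec_block: reads a Xen console log on stdin and prints the
# "Speculative mitigation facilities" line plus the indented lines under it.
# Assumption: continuation lines are "(XEN)" followed by two or more spaces.
xen_spec_block() {
    awk '/Speculative mitigation facilities/ { on = 1; print; next }
         on && /^\(XEN\)  +[^ ]/ { print; next }
         { on = 0 }'
}

# Live use in dom0 (xl dmesg needs root): sh thisfile.sh --live
if [ "${1:-}" = "--live" ]; then
    grep . /sys/devices/system/cpu/vulnerabilities/* |
    while IFS= read -r l; do classify_vuln_line "$l"; done
    xl dmesg | xen_spec_block
fi
```

Any entry marked needs-hypervisor should be judged from the Xen block rather than from the guest-state column.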
This issue has been closed as "not applicable." Here are some common examples of cases in which issues are closed as not applicable:
- Help and support requests (please see Help, support, mailing lists, and forum)
- Questions (please see Help, support, mailing lists, and forum)
- Discussion issues (please see Help, support, mailing lists, and forum)
- Bug reports for behavior that is already working as intended
- Enhancement requests to improve things that are already working as intended
- Issues that rest on mistaken assumptions or misunderstandings
- Issues that do not provide enough information
- Issues that are not actionable
We respect the time and effort you have taken to file this issue, and we understand that this outcome may be unsatisfying. Please accept our sincere apologies and know that we greatly value your participation and membership in the Qubes community.
Regarding help and support requests, please note that this issue tracker (qubes-issues) is not intended to serve as a help desk or tech support center. Instead, we've set up other venues where you can ask for help and support, ask questions, and have discussions. By contrast, the issue tracker is more of a technical tool intended to support our developers in their work. We thank you for your understanding.
If anyone reading this believes that this issue was closed in error or that the resolution of "not applicable" is not accurate, please leave a comment below saying so, and we will review this issue again. For more information, see How issues get closed.