Nova Mitigation for MDS ("Microarchitectural Data Sampling") Security Flaws
===========================================================================

Issue
-----

Four new microprocessor flaws, known as
[MDS](https://access.redhat.com/security/vulnerabilities/mds), have been
discovered which affect Nova Compute nodes and instances running on Intel
x86_64 CPUs.

Resolution
----------

To get mitigation for the said MDS security flaws, a new CPU flag,
`md-clear`, needs to be exposed to the Nova instances. It can be done as
follows.

(1) Update the following components to the versions from your Linux
    distribution that have fixes for the MDS flaws, on all Compute nodes
    with Intel x86_64 CPUs:

    - microcode_ctl
    - kernel
    - qemu-system-x86
    - libvirt

(2) Live migrate all the Nova instances to another Compute node, so that
    the node can be rebooted in step (4) without disrupting running
    guests.

(3) Ensure that the CPU flag `md-clear` is exposed to the Nova instances.
    It can be done in one of the three following ways, given that
    OpenStack Nova supports three distinct CPU modes:

    a. `[libvirt]/cpu_mode = host-model`

       When using `host-model` CPU mode, the `md-clear` CPU flag will be
       passed through to the Nova guests automatically. This mode is the
       default when `virt_type=kvm|qemu` is set in `/etc/nova/nova.conf`.

    b. `[libvirt]/cpu_mode = host-passthrough`

       When using `host-passthrough` CPU mode, the `md-clear` CPU flag
       will be passed through to the Nova guests automatically.

    c. A specific custom CPU model. This can be enabled using the Nova
       config attributes `[libvirt]/cpu_mode = custom` plus a particular
       named CPU model, e.g. `[libvirt]/cpu_model = IvyBridge`. (The list
       of all valid named CPU models that are supported by your host,
       QEMU and libvirt can be found out by running the command
       `virsh domcapabilities`.)

       When using a custom CPU mode, you must *explicitly* enable the CPU
       flag `md-clear` for the Nova instances, in addition to the flags
       required for previous vulnerabilities, using
       `[libvirt]/cpu_model_extra_flags`. E.g.::

           [libvirt]
           cpu_mode = custom
           cpu_model = IvyBridge
           cpu_model_extra_flags = spec-ctrl,ssbd,md-clear

(4) Reboot the Compute node so that the updated microcode and kernel are
    loaded and the fixes take effect.

Once the above steps have been taken on every vulnerable Compute node in
the deployment, each running guest in the cluster must be fully powered
down and cold-booted (i.e. an explicit stop followed by a start, such as
`openstack server stop` followed by `openstack server start`), in order
to activate the new CPU model. A reboot issued from inside the guest is
not sufficient, because the QEMU process, and with it the guest CPU
definition, is only recreated on a stop/start. This can be done by the
guest administrators at a time of their choosing. Note that the guest's
own kernel must also carry the MDS fixes in order to make use of the
`md-clear` flag.

Validate that the fixes are in effect
-------------------------------------

After applying relevant updates, administrators can check to ensure the
patches are in effect by running either of the following (on the host)::

    # dmesg | grep "MDS:"
    [    0.162571] MDS: Vulnerable: Clear CPU buffers attempted, no microcode
    [  181.862076] MDS: Mitigation: Clear CPU buffers

    # cat /sys/devices/system/cpu/vulnerabilities/mds
    Mitigation: Clear CPU buffers; SMT vulnerable

In the `dmesg` sample above, the first line was printed at early boot
before the updated microcode was loaded, and the second after the kernel
re-evaluated the mitigation following a late microcode load; the last
`MDS:` line is the one that reflects the current state. After a reboot
with the updated microcode_ctl package installed, the early-boot line
should itself report `Mitigation`. The trailing `SMT vulnerable` in the
sysfs output indicates that hyper-threading is enabled; the buffer-clear
mitigation does not protect against a sibling thread, so whether to
disable SMT is a separate decision (see the Performance Impact section).

On the host, validate that KVM is capable of exposing the `md-clear`
flag to guests::

    # virsh domcapabilities kvm | grep md-clear

Also, refer to the 'Diagnosis' tab in the main page:
[MDS](https://access.redhat.com/security/vulnerabilities/mds).

Performance Impact
------------------

Refer to the section titled "Performance Impact and Disabling MDS" in
the main security notice, under the 'Resolve' tab:
https://access.redhat.com/security/vulnerabilities/mds
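The following script is an added example written for this page; it is not part of Nova, libvirt or the Red Hat advisory. It turns the checks from the Resolution and Validation sections into a per-node readiness script: it classifies the kernel's MDS verdict (from sysfs or the last `MDS:` line in `dmesg`), checks whether `virsh domcapabilities` advertises `md-clear`, and reads `[libvirt]/cpu_mode`, `virt_type` and `cpu_model_extra_flags` from `nova.conf` to decide whether guests will actually see the flag under each of the three CPU modes. The `dmesg`, domcapabilities XML and `nova.conf` samples are constructed, shaped after the page's output; the path `/etc/nova/nova.conf` and the `--virttype kvm` form of `virsh domcapabilities` are assumptions.

```shell
#!/bin/sh
# Added example (not Nova's or libvirt's own code): MDS readiness check for
# one Compute node. Each check is a function that takes its input as an
# argument, so the logic runs on the constructed samples below without
# touching the host; pass --live to read the real sysfs file, dmesg, virsh
# output and /etc/nova/nova.conf instead.

# Classify the kernel's verdict: the text of
# /sys/devices/system/cpu/vulnerabilities/mds, or a dmesg line after "MDS: ".
mds_host_status() {
    case "$1" in
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        "Not affected"*) echo not_affected ;;
        *)               echo unknown ;;
    esac
}

# The kernel re-evaluates MDS after a late microcode load, so the LAST
# "MDS:" line in dmesg is the one that counts (as in the page's sample).
mds_dmesg_status() {
    last=$(printf '%s\n' "$1" | grep 'MDS:' | sed 's/.*MDS: //' | tail -n 1)
    mds_host_status "$last"
}

# Does libvirt's domcapabilities XML advertise md-clear for guests?
domcaps_has_md_clear() {
    if printf '%s\n' "$1" | grep -q "name='md-clear'"; then echo yes; else echo no; fi
}

# Read one key from the [libvirt] section of nova.conf text ($1 = text, $2 = key).
nova_libvirt_opt() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^\[/ { insect = ($0 == "[libvirt]"); next }
        insect && $0 ~ ("^[ \t]*" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }'
}

# Will guests launched from this nova.conf see md-clear, assuming the host
# exposes it? Mirrors the three cpu_mode cases of the Resolution section; an
# unset cpu_mode defaults to host-model only when virt_type is kvm or qemu.
guest_gets_md_clear() {
    mode=$(nova_libvirt_opt "$1" cpu_mode)
    if [ -z "$mode" ]; then
        case "$(nova_libvirt_opt "$1" virt_type)" in
            kvm|qemu) mode=host-model ;;
            *)        mode=none ;;
        esac
    fi
    case "$mode" in
        host-model|host-passthrough) echo yes ;;
        custom)
            flags=$(nova_libvirt_opt "$1" cpu_model_extra_flags | tr -d ' \t')
            case ",$flags," in
                *,md-clear,*) echo yes ;;
                *)            echo no ;;
            esac ;;
        *) echo no ;;
    esac
}

# Constructed samples, shaped after the page's output (not captured from a real host).
SAMPLE_DMESG='[    0.162571] MDS: Vulnerable: Clear CPU buffers attempted, no microcode
[  181.862076] MDS: Mitigation: Clear CPU buffers'

SAMPLE_DOMCAPS="<domainCapabilities>
  <cpu>
    <mode name='host-model' supported='yes'>
      <model fallback='forbid'>IvyBridge-IBRS</model>
      <feature policy='require' name='md-clear'/>
    </mode>
  </cpu>
</domainCapabilities>"

CONF_CUSTOM_OK='[DEFAULT]
debug = false

[libvirt]
virt_type = kvm
cpu_mode = custom
cpu_model = IvyBridge
cpu_model_extra_flags = spec-ctrl,ssbd,md-clear'

CONF_CUSTOM_MISSING='[libvirt]
virt_type = kvm
cpu_mode = custom
cpu_model = IvyBridge
cpu_model_extra_flags = spec-ctrl,ssbd'

CONF_DEFAULT='[libvirt]
virt_type = kvm'

# Live run against this host (assumed paths; needs root for dmesg/virsh on most distributions).
check_node() {
    echo "kernel sysfs : $(mds_host_status "$(cat /sys/devices/system/cpu/vulnerabilities/mds 2>/dev/null)")"
    echo "dmesg        : $(mds_dmesg_status "$(dmesg 2>/dev/null)")"
    echo "libvirt      : md-clear exposable = $(domcaps_has_md_clear "$(virsh domcapabilities --virttype kvm 2>/dev/null)")"
    echo "nova.conf    : guests get md-clear = $(guest_gets_md_clear "$(cat /etc/nova/nova.conf 2>/dev/null)")"
}

if [ "${1:-}" = "--live" ]; then
    check_node
else
    echo "sample dmesg        -> $(mds_dmesg_status "$SAMPLE_DMESG")"        # mitigated
    echo "sample domcaps      -> $(domcaps_has_md_clear "$SAMPLE_DOMCAPS")"  # yes
    echo "custom + md-clear   -> $(guest_gets_md_clear "$CONF_CUSTOM_OK")"   # yes
    echo "custom, flag missing-> $(guest_gets_md_clear "$CONF_CUSTOM_MISSING")"  # no
    echo "default host-model  -> $(guest_gets_md_clear "$CONF_DEFAULT")"     # yes
fi
```

A node is ready only when all three answers line up: the kernel reports `mitigated`, libvirt can expose `md-clear`, and `nova.conf` will hand it to guests. The third check is the one most easily overlooked with `cpu_mode = custom`, where an updated host still launches vulnerable guests until `md-clear` is added to `cpu_model_extra_flags` and the guests are cold-booted.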