ModEdit; related ticket: #17987: VirtualBox 5.2.18 vulnerable to spectre/meltdown despite microcode being installed
How to reproduce:
A host running Debian stretch.
Using VirtualBox version 5.2.18.
A guest running Debian stretch.
Host using stretch-backports to get access to newer microcode. (Old versions are incapable of showing spectre/meltdown as fixed.)
spectre-meltdown-checker installed on the host and in the guest from stretch-backports. (Old versions are incapable of showing spectre/meltdown as fixed.)
sudo su -c "echo -e 'deb http://http.debian.net/debian stretch-backports main contrib non-free' > /etc/apt/sources.list.d/backports.list"
sudo apt-get update
sudo apt-get -t stretch-backports install spectre-meltdown-checker
Suppose microcode is installed.
Intel:
sudo apt-get -t stretch-backports install intel-microcode
AMD:
sudo apt-get -t stretch-backports install amd64-microcode
Suppose running spectre-meltdown-checker on the host looks fine.
sudo spectre-meltdown-checker --paranoid ; echo $?
By fine I mean exit code 0 and not showing "vulnerable".
Suppose using all VirtualBox spectre/meltdown defense options.
VBoxManage modifyvm vm-name --ibpb-on-vm-entry on
VBoxManage modifyvm vm-name --ibpb-on-vm-exit on
VBoxManage modifyvm vm-name --spec-ctrl on
VBoxManage modifyvm vm-name --l1d-flush-on-sched off
(These options were introduced in VirtualBox version 5.2.18.)
Expected result:
spectre-meltdown-checker in the guest VM saying "all fine".
sudo spectre-meltdown-checker --paranoid ; echo $?
By fine I mean exit code 0 and not showing "vulnerable".
Actual result:
spectre-meltdown-checker reporting "vulnerable".
Questions:
Can you reproduce the same issue?
Were all necessary steps performed to protect the guest from spectre/meltdown?
Is this a VirtualBox issue or false-positive in spectre-meltdown-checker?
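As an added example (not from the post or the VirtualBox project), a POSIX shell script that applies the four modifyvm settings listed above to one VM and evaluates a spectre-meltdown-checker run by the post's own pass criterion (exit code 0 and no vulnerable status). The sample reports at the end are constructed to mimic the checker's STATUS lines; the VM name and the DO_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from VirtualBox.
# Applies the post's four mitigation settings and evaluates a checker run.

# Print the modifyvm commands from the post for one VM (assumed name).
# modifyvm only takes effect on a powered-off VM.
vm_hardening_commands() {
    vm="$1"
    for opt in "--ibpb-on-vm-entry on" "--ibpb-on-vm-exit on" \
               "--spec-ctrl on" "--l1d-flush-on-sched off"; do
        echo "VBoxManage modifyvm $vm $opt"
    done
}

# Dry-run by default; set DO_RUN=1 (assumed switch) to execute on the host.
apply_vm_hardening() {
    vm_hardening_commands "$1" | while IFS= read -r cmd; do
        if [ "${DO_RUN:-0}" = 1 ]; then sh -c "$cmd"; else echo "dry-run: $cmd"; fi
    done
}

# Evaluate a checker report: exit code 0 and no "STATUS: VULNERABLE" line.
# "NOT VULNERABLE" lines are deliberately not matched.
report_is_fine() {
    rc="$1"; report="$2"
    [ "$rc" -eq 0 ] || return 1
    printf '%s\n' "$report" | grep -Eq 'STATUS:[[:space:]]+VULNERABLE' && return 1
    return 0
}

# Run the checker on this machine (host or guest) and report the verdict.
check_this_machine() {
    out=$(sudo spectre-meltdown-checker --paranoid 2>&1); rc=$?
    if report_is_fine "$rc" "$out"; then echo "all fine"; else echo "not fine (rc=$rc)"; fi
}

# Constructed sample reports (not real checker output) for offline use.
SAMPLE_FINE="CVE-2017-5754 aka 'Meltdown'
> STATUS:  NOT VULNERABLE  (Mitigation: PTI)"
SAMPLE_VULN="CVE-2017-5715 aka 'Spectre Variant 2'
> STATUS:  VULNERABLE  (IBRS+IBPB or retpoline+IBPB is needed)"
```

On the host run `DO_RUN=1 apply_vm_hardening vm-name` with the VM powered off, then run `check_this_machine` inside the guest.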