Spectre Warnings
A while ago on the office desktop running Slackware 14.2, I updated some VirtualBox Slackware 15.0 virtual machines (VMs). The 15.0 VM updates included the 5.15.63 kernel. Upon booting the VMs I noticed a new warning message:
RETBleed: WARNING: Spectre v2 mitigation leaves CPU vulnerable to RETBleed attacks, data leaks possible!
Harmless but annoying.
The messages seem related only to Slackware 15 and the 5.15.63 kernel. The only system where these VMs are launched is the office desktop. The CPU on that system is a 2.7 GHz Intel Core i5-6400 Skylake LGA 1151 Quad Core CPU. That CPU is affected by retbleed.
Within the VMs no mitigations are disabled at boot. Seems that should have been sufficient to thwart the warning message.
Running grep . /sys/devices/system/cpu/vulnerabilities/* showed the VMs were vulnerable to retbleed:
/sys/devices/system/cpu/vulnerabilities/retbleed:Vulnerable
Likewise when using a recent version of the lscpu command.
The Slackware change log shows the retbleed patches are included in the 5.15.63 kernel.
The message did not appear on physical 15.0 systems with the same kernel in the house network. That made sense because all of the other systems are older CPUs.
My first thought is with the office desktop I intentionally disable mitigations in the GRUB boot loader. I prefer not to respond with knee jerks every time a security exploit is discovered. While these types of exploits remain possible, I have yet to read of anybody actually using the exploits. The bane of the web seems to be one way for people to attack systems with these side channel exploits, but other than proof-of-concept I have not read of any known usage. To my understanding web browsers have been patched.
I booted the office desktop with the mitigations enabled. The boot warning message remained within the 15.0 VMs.
I booted the office desktop into the alternate Slackware 15.0 testing partition with the mitigations enabled. I expected and saw no such warnings at boot. Checking the retbleed vulnerability was mitigated. Yet the boot warning persisted with the 15.0 VMs.
All physical and virtual systems had the latest Intel microcode package installed.
Everything pointed to the warning message being related only to the VMs.
Time to surf the web.
I was already familiar with the Linux kernel mitigations=off boot parameter. A new retbleed=off parameter was introduced recently. The first option is the proverbial sledge hammer while the second option addresses only this new boot warning.
More surfing revealed that soon after the original kernel spectre side channel patches, a VirtualBox configuration option was introduced that I never noticed or needed.
vboxmanage modifyvm $VM_NAME --spec-ctrl on
Because of the performance impact of the mitigation patches, apparently for some time the default VirtualBox ignores the mitigations even when enabled on the host system. I had been oblivious of that default configuration until the recent retbleed warning.
Because of the potential performance degradation and I do not use the VMs in a way that could encourage a malicious attack — if any such attack actually exists, I decided the simple solution is to allow the default VirtualBox configuration and disable the annoying boot warning with retbleed=off.
Posted: Category: Usability Tagged: General, Virtual Machines
Next: SSH and Embedded Devices Redux
Previous: Monitoring Disk Usage