By default, mitigations for vulnerabilities are enabled in Alibaba Cloud Linux 3. However, these mitigations affect system performance. You can disable mitigations for vulnerabilities as needed. This topic describes the CPU vulnerabilities that are present in Alibaba Cloud Linux 3, files that indicate the mitigation status of CPU vulnerabilities, and how to disable mitigations for CPU vulnerabilities.
Background information
In January 2018, Google Project Zero disclosed a new class of vulnerabilities, known as Spectre and Meltdown, that affect modern processors. Attackers may exploit these vulnerabilities to steal privileged data, severely compromising system security. Spectre and Meltdown vulnerabilities are present in most mainstream processors, including Intel, AMD, and ARM processors, and have attracted much attention since the initial disclosure. Alibaba Cloud products are inevitably affected by the vulnerabilities. Mainstream operating systems, including Linux operating systems, provide software mitigations for them. Since their initial disclosure in January 2018, Spectre and Meltdown have continued to evolve into more variants and types, and they are expected to linger for a long time.
Spectre and Meltdown vulnerabilities exploit speculative execution and out-of-order execution, hardware features that processors rely on for performance. Mitigations for Spectre and Meltdown vulnerabilities therefore degrade CPU performance.
In most cases, software mitigations can only mitigate the vulnerabilities but cannot eliminate them.
Vulnerabilities
Alibaba Cloud Linux 3 supports x86 processors and Arm64 processors. x86 processors and Arm64 processors deal with CPU vulnerabilities differently. The following tables describe the x86-specific and Arm64-specific CPU vulnerabilities and how to disable mitigations for the vulnerabilities in the kernel boot cmdline.
x86
CVE | Path to the mitigation status file① | Default handling method | Method for disabling mitigations
 | /sys/devices/system/cpu/vulnerabilities/spectre_v1 | By default, mitigations are enabled. | Mitigations are force enabled and cannot be disabled.
 | /sys/devices/system/cpu/vulnerabilities/spectre_v1 | By default, mitigations are enabled. | Add the
 | /sys/devices/system/cpu/vulnerabilities/spectre_v2 | By default, mitigations are enabled. | Add the
 | /sys/devices/system/cpu/vulnerabilities/spec_store_bypass | Mitigations are enabled by the kernel based on hardware features. | Add one of the following parameters:
 | /sys/devices/system/cpu/vulnerabilities/meltdown | By default, mitigations are enabled. | Add one of the following parameters:
 | /sys/devices/system/cpu/vulnerabilities/l1tf | By default, mitigations are enabled. | Add the
 | /sys/devices/system/cpu/vulnerabilities/mds | By default, mitigations are enabled. | Add the following parameters:
 | /sys/devices/system/cpu/vulnerabilities/srbds | By default, a microcode mitigation is provided. | Add the
 | /sys/devices/system/cpu/vulnerabilities/mmio_stale_data | By default, mitigations are enabled. | Add the following parameters:
 | /sys/devices/system/cpu/vulnerabilities/tsx_async_abort | By default, mitigations are enabled. | Add the following parameters:
 | /sys/devices/system/cpu/vulnerabilities/retbleed | By default, mitigations are enabled. | Add the Note Only kernel version
N/A | N/A | N/A | Add the
ARM64
CVE | Path to the mitigation status file① | Default handling method | Method for disabling mitigations
 | /sys/devices/system/cpu/vulnerabilities/spectre_v1 | By default, mitigations are enabled. | Mitigations are force enabled and cannot be disabled.
 | /sys/devices/system/cpu/vulnerabilities/spectre_v2 | By default, mitigations are enabled. | Add the
 | /sys/devices/system/cpu/vulnerabilities/spectre_v2 | By default, mitigations are enabled. | Add the Note Only kernel version
 | /sys/devices/system/cpu/vulnerabilities/spec_store_bypass | By default, mitigations are enabled. | Add the
 | /sys/devices/system/cpu/vulnerabilities/meltdown | By default, mitigations are enabled. | Add the
N/A | N/A | N/A | Add the
① Mitigation status files indicate whether the CPUs of Alibaba Cloud Linux 3 instances are vulnerable and which mitigations are active. Valid values in the files:
Not affected: The CPU is not vulnerable.
Vulnerable: The CPU is vulnerable, and mitigations are disabled.
Mitigation: The CPU is vulnerable, and mitigations are enabled.
Procedure
This section describes how to disable mitigations for a CPU vulnerability in Alibaba Cloud Linux 3. In this example, the Spectre Variant 2 vulnerability is used.
Connect to an Alibaba Cloud Linux 3 instance.
For more information, see Connect to a Linux instance by using a password or key.
Run the following command to add the nospectre_v2 parameter to the default kernel boot cmdline to disable mitigations for the Spectre Variant 2 vulnerability:
grubby --update-kernel=`grubby --default-kernel` --args='nospectre_v2'
Run the following command to restart the instance to apply the configurations:
reboot
Run the following command to view the mitigation status files and check whether mitigations for the Spectre Variant 2 vulnerability are disabled:
cd /sys/devices/system/cpu/vulnerabilities/ && for i in *; do echo -n "$i: "; cat "$i"; done
Output similar to the following is displayed.
spectre_v2: Vulnerable
This indicates that the Spectre Variant 2 vulnerability is present in the CPU and that mitigations for it are disabled.
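The check above only dumps the status files. The following script, added here as an example and not part of the Alibaba Cloud documentation, parses each file into the three states described in footnote ① plus the kernel's detail string, and reports every "Vulnerable" entry together with whether the documented boot parameter (only nospectre_v2 is spelled out on this page) is present on the cmdline, so an operator can tell a deliberately disabled mitigation from one that is missing for another reason. The sysfs contents and cmdline embedded below are constructed sample data; the function and variable names are this example's own.

```python
import os

VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"
STATES = ("Not affected", "Vulnerable", "Mitigation")
# Boot parameters the page documents as disabling a mitigation (only the one it spells out).
DISABLE_PARAMS = {"spectre_v2": "nospectre_v2"}

def parse_status(text):
    """Split a status line such as 'Mitigation: PTI' into (state, detail)."""
    text = text.strip()
    for state in STATES:
        if text.startswith(state):
            return state, text[len(state):].lstrip(": ").strip()
    return "Unknown", text  # kernel strings outside the three documented values

def read_statuses(directory=VULN_DIR):
    """Read every status file in the sysfs directory (one file per vulnerability)."""
    statuses = {}
    for name in sorted(os.listdir(directory)):
        with open(os.path.join(directory, name)) as fh:
            statuses[name] = parse_status(fh.read())
    return statuses

def audit(statuses, cmdline):
    """Return [(name, detail, param_or_None)] for every entry reported as Vulnerable.

    param is the documented disabling boot parameter if it is present on the
    cmdline, i.e. the mitigation was switched off on purpose; None otherwise.
    """
    params = set(cmdline.split())
    findings = []
    for name, (state, detail) in statuses.items():
        if state != "Vulnerable":
            continue
        param = DISABLE_PARAMS.get(name)
        findings.append((name, detail, param if param in params else None))
    return findings

# Constructed sample data standing in for the sysfs files and /proc/cmdline.
SAMPLE_FILES = {
    "spectre_v1": "Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
    "meltdown": "Mitigation: PTI\n",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode\n",
    "srbds": "Not affected\n",
}
SAMPLE_CMDLINE = "BOOT_IMAGE=/boot/vmlinuz ro nospectre_v2\n"

if __name__ == "__main__":
    sample = {n: parse_status(t) for n, t in SAMPLE_FILES.items()}
    for name, detail, param in audit(sample, SAMPLE_CMDLINE):
        why = f"disabled via {param}" if param else "no documented parameter set"
        print(f"{name}: Vulnerable ({detail or 'no detail'}); {why}")
```

On a live instance, replace the sample dictionary with read_statuses() and read the cmdline from /proc/cmdline.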