On 5/15/19 7:57 AM, Thomas Lamprecht wrote:
> With some manual merging, most of it straightforward, cherry-pick
> all but the two PowerPC and S390 patches from the 4.14.119
> released by Greg KH[0]. It mainly comes with some mitigation for
> MDS[1][3][4][5], for best result a microupdate of the CPU is
> required, else the kernel falls back to some "best effort
> mitigation", trying to clear the CPU buffers on kernel/userspace,
> hypervisor/guest and C-state (idle) transitions.
>
> With this applied you will have a new file in sysfs to get the
> mitigation state of the server regarding MDS:
> $ cat /sys/devices/system/cpu/vulnerabilities/mds
>
> Microcode updates should come available in stretch with
> 3.20190514.1~deb9u1 [2] version currently only tagged[2], but not yet
> released.
>
> [0]: https://lwn.net/ml/linux-kernel/20190514180538.ga13...@kroah.com/
> [1]: https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html#mitigation-strategy
> [2]: https://salsa.debian.org/hmh/intel-microcode/commits/debian/3.20190514.1_deb9u1
> [3]: https://mdsattacks.com/
> [4]: https://cpu.fail/
> [5]: https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html
>
> Signed-off-by: Thomas Lamprecht <t.lampre...@proxmox.com>
> ---
See also the 5.1.2 stable release announcement[0] for some other links
and a little more detail from the Linux perspective.

As stated, this is probably not final and may break some things. That said,
my build here worked well without issues in a physical cluster with VMs,
CTs and ceph, so at least this isn't broken in an obvious way.
A look over this (@Fabian ;-) would still be great.

[0]: https://www.spinics.net/lists/stable/msg302862.html

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
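The sysfs file named in the quoted commit message can be checked across a fleet with a small script. The following is an added example, not part of the original mail or the patch: it interprets the status line, assuming the strings listed in the kernel admin guide linked as [1], and distinguishes the full mitigation from the "best effort" fallback used without updated microcode. The function names and the `--check` argument are hypothetical.

```shell
#!/bin/sh
# Added example: interpret the MDS status line from sysfs.
# Status strings are assumed to match the kernel admin guide (hw-vuln/mds).

MDS_FILE=/sys/devices/system/cpu/vulnerabilities/mds

# classify_mds STATUS -> not-affected | mitigated | best-effort | vulnerable | unknown
classify_mds() {
    case "$1" in
        "Not affected"*)                  echo not-affected ;;
        "Mitigation: Clear CPU buffers"*) echo mitigated ;;
        # Kernel clears buffers, but the CPU lacks the microcode update.
        "Vulnerable: Clear CPU buffers attempted, no microcode"*)
                                          echo best-effort ;;
        "Vulnerable"*)                    echo vulnerable ;;
        *)                                echo unknown ;;
    esac
}

# smt_state STATUS -> text after "; SMT " (e.g. vulnerable, disabled) or n/a
smt_state() {
    case "$1" in
        *"; SMT "*) echo "${1##*; SMT }" ;;
        *)          echo n/a ;;
    esac
}

# check_mds [FILE] -> prints a verdict; returns 0 if mitigated or not affected,
# 1 if action is still needed, 2 if the kernel does not expose the file at all.
check_mds() {
    file=${1:-$MDS_FILE}
    if [ ! -r "$file" ]; then
        echo "no-sysfs-entry"
        return 2
    fi
    line=$(cat "$file")
    verdict=$(classify_mds "$line")
    echo "$verdict smt=$(smt_state "$line")"
    case "$verdict" in
        not-affected|mitigated) return 0 ;;
        *)                      return 1 ;;
    esac
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--check" ]; then check_mds; exit $?; fi
```

A return code of 2 means the running kernel predates the MDS patches, and `best-effort` means the kernel is patched but the microcode package still needs updating.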