topic Re: Vulnerability to Spectre Variant #2 after patching DL380 Gen9 Server running RHEL 7.4 in ProLiant Servers (ML,DL,SL)

Vulnerability to Spectre Variant #2 after patching DL380 Gen9 Server running RHEL 7.4

ltfciano1 — Thu, 30 Aug 2018 09:21:56 GMT

I have servers on a customer site still showing as vulnerable to Spectre Variant #2, this is after applying the June 2018 SPP and the latest Red Hat patches for RHEL 7.4 (We need to stay at RHEL 7.4 for the moment and not jump to RHEL 7.5, for political rather than technical reasons). Running kernel is 3.10.0-693.37.4.el7.x86_64.

I have also installed the latest Mellanox firmware.

When running the Red Hat detection script from https://access.redhat.com/security/vulnerabilities/speculativeexecution I get:

Variant #2 (Spectre): Vulnerable: Retpoline with unsafe module(s)
CVE-2017-5715 - speculative execution branch target injection
- Kernel with mitigation patches: OK
- HW support / updated microcode: YES
- IBRS: Not disabled on kernel commandline
- IBPB: Not disabled on kernel commandline
- Retpolines: Not disabled on kernel commandline

$ sudo cat /sys/devices/system/cpu/vulnerabilities/spectre_v2
Vulnerable: Retpoline with unsafe module(s)

One server shows:

Another returns:

$ awk '{module=$1; retpcheck="modinfo "module" | grep -c retpoline"; retpcheck | getline found; close(retpcheck); if (!found) {print "VULNERABLE - No Retpoline found - "module}}' /proc/modules
VULNERABLE - No Retpoline found - knem
VULNERABLE - No Retpoline found - mst_pciconf
VULNERABLE - No Retpoline found - mst_pci
VULNERABLE - No Retpoline found - tg3
VULNERABLE - No Retpoline found - hpsa

I have raised two HPE support cases, created a case with Red Hat and reported to the HPE vulnerability team.

Does anyone have experience in this area? What am I missing?

Looking at 'knem' for example I have July 2018 builds installed.

$ rpm -qi kmod-knem-1.1.3.90mlnx1-OFED.4.3.0.1.4.1.g8cf97c1.rhel7u4.x86_64

Name : kmod-knem

Build Date : Tue 03 Jul 2018 04:52:54 AM EDT

$ rpm -qi kmod-knem-1.1.3.90mlnx1-OFED.4.3.0.1.4.1.g8cf97c1.rhel7u4.x86_64

Name : kmod-knem

Build Date : Tue 03 Jul 2018 04:52:54 AM EDT

Thanks in advance,

Ian

Re: Vulnerability to Spectre Variant #2 after patching DL380 Gen9 Server running RHEL 7.4

Kashyap02 — Mon, 03 Sep 2018 04:40:15 GMT

Hi,

Please refer to the below advisory links.

https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00048185en_us

https://access.redhat.com/security/vulnerabilities/speculativeexecution

You have to install the updated drivers . The drivers are included in the custom SPP which can be obtained from http://retpoline.linux.hpe.com/

From,

HPE Technical Team Member

Re: Vulnerability to Spectre Variant #2 after patching DL380 Gen9 Server running RHEL 7.4

ltfciano1 — Mon, 03 Sep 2018 10:44:42 GMT

Thanks for the links Kashyap02, I don't know why suppport didn't provide these.

It's helped as tg3 and hpsa are no longer showing as vulnerable, but Mellanox drivers/firmware are still reporting:

$ awk '{module=$1; retpcheck="modinfo "module" | grep -c retpoline"; retpcheck | getline found; close(retpcheck); if (!found) {print "VULNERABLE - No Retpoline found - "module}}' /proc/modules

VULNERABLE - No Retpoline found - knem

VULNERABLE - No Retpoline found - mst_pciconf

VULNERABLE - No Retpoline found - mst_pci

This is despite installing the latest drivers I can locate on hpe.com and mellanox.com.

Re: Vulnerability to Spectre Variant #2 after patching DL380 Gen9 Server running RHEL 7.4

Kashyap02 — Fri, 14 Sep 2018 06:57:24 GMT

Below is the Mellanox Infiniband and Ethernet driver for RHEL.

https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_b15d40146fdb40d5a558ccb08b#tab-history

Verify the latest version is installed. If yes, I would suggest you to provide the below details and open a support ticket with HPE.

1. NIC details

2. Firmware and drivers installed

3. Vulnerability check result.

Thank you.
I am an HPE Employee