
Bug#1004652: linux-image-5.10.0-11-amd64: should default to disabling nested virtualisation in kvm



Package: src:linux
Version: 5.10.92-1
Severity: wishlist

https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html

The above blog post describes a security issue on AMD CPUs with nested KVM
enabled and refers to another post about previous issues with KVM on Intel.

The vast majority of KVM users don't use nested KVM.  As it's easy to
determine whether nested KVM is enabled (if you have a reason to look for
it), it won't be a great inconvenience to users of nested KVM to default to
disabling it.  But for the majority who don't have a need for it, enabling
that feature by default increases the attack surface for no benefit, and they
won't notice it.

I believe that the default for KVM should be to disable nested virtualisation.
This could be done by a kernel patch or by the configuration of kmod.  I think
it's best to get the kernel people to consider it first; we can transfer the
bug to kmod if you think that's best.

For users who read this, the following in /etc/modprobe.d/kvm.conf will cause
nested virtualisation to be disabled the next time the KVM module is loaded:
options kvm_intel nested=0
options kvm_amd nested=0
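As an added example (not part of the bug report above), the following POSIX shell script does the two things the report refers to: it reads the current state of the nested parameter from sysfs for kvm_intel and kvm_amd, and it emits the two modprobe options quoted above so they can be written to /etc/modprobe.d/kvm.conf. The sysfs paths /sys/module/kvm_intel/parameters/nested and /sys/module/kvm_amd/parameters/nested are assumed; they are present only while the respective module is loaded, and the function reports "absent" otherwise.

```shell
#!/bin/sh
# Added example, not code from the bug report: inspect and disable nested KVM.
# Assumption: the kernel exposes the module parameter at
# /sys/module/<module>/parameters/nested while <module> is loaded.

# Normalise the value found in a 'nested' parameter file.
# kvm_intel exposes a boolean (Y/N); kvm_amd has exposed an integer (1/0),
# so both spellings are accepted.
# $1: path to the parameter file (a real sysfs file, or a constructed one).
nested_state() {
    if [ ! -r "$1" ]; then
        echo "absent"       # module not loaded (or path unreadable)
        return 0
    fi
    case "$(cat "$1")" in
        Y|y|1) echo "enabled" ;;
        N|n|0) echo "disabled" ;;
        *)     echo "unknown" ;;
    esac
}

# The two lines from the bug report, as the body of /etc/modprobe.d/kvm.conf.
kvm_conf_snippet() {
    printf 'options kvm_intel nested=0\noptions kvm_amd nested=0\n'
}

# Print the nested state for both KVM backends on this host.
report_host() {
    for mod in kvm_intel kvm_amd; do
        printf '%s: %s\n' "$mod" \
            "$(nested_state "/sys/module/$mod/parameters/nested")"
    done
}

report_host
# To apply (as root):  kvm_conf_snippet > /etc/modprobe.d/kvm.conf
# The option takes effect the next time kvm_intel/kvm_amd is loaded, so
# reload the module with no VMs running, or reboot, then run report_host
# again and expect "disabled".
```

Running the script before and after writing the snippet is the quick check the report mentions: a host that never needs nested virtualisation should report "disabled" (or "absent" if KVM is not loaded at all) for both modules.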

-- Package-specific info:
** Version:
Linux version 5.10.0-11-amd64 (debian-kernel@lists.debian.org) (gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2) #1 SMP Debian 5.10.92-1 (2022-01-18)

** Command line:
BOOT_IMAGE=/vmlinuz-5.10.0-11-amd64 root=UUID=6b40496e-ccb0-48fd-8764-167e82fcd779 ro security=selinux nosmt lockdown=confidentiality zswap.enabled=on quiet kaslr pti=on slab_nomerge page_poison=1 slub_debug=FPZ nosmt

** Not tainted

** Kernel log:
Unable to read kernel log; any relevant messages should be attached

** Model information
sys_vendor: LENOVO
product_name: 34602B9
product_version: ThinkPad X1 Carbon
chassis_vendor: LENOVO
chassis_version: Not Available
bios_vendor: LENOVO
bios_version: G6ETB8WW (2.78 )
board_vendor: LENOVO
board_name: 34602B9
board_version: Not Defined

** Loaded modules:
ufs
qnx4
hfsplus
hfs
cdrom
minix
vfat
msdos
fat
jfs
xfs
loop
ctr
ccm
uinput
binfmt_misc
ext4
crc16
mbcache
jbd2
intel_rapl_msr
intel_rapl_common
x86_pkg_temp_thermal
intel_powerclamp
iwldvm
coretemp
mac80211
kvm
snd_hda_codec_hdmi
irqbypass
crc32_pclmul
libarc4
snd_hda_codec_realtek
wmi_bmof
mei_wdt
mei_hdcp
snd_hda_codec_generic
iTCO_wdt
intel_pmc_bxt
iTCO_vendor_support
watchdog
iwlwifi
snd_hda_intel
snd_intel_dspcfg
soundwire_intel
soundwire_generic_allocation
sdhci_pci
snd_soc_core
ghash_clmulni_intel
rapl
cqhci
snd_compress
intel_cstate
cfg80211
soundwire_cadence
sdhci
intel_uncore
snd_hda_codec
sg
mmc_core
pcspkr
wmi
tpm_tis
snd_hda_core
thinkpad_acpi
snd_hwdep
tpm_tis_core
soundwire_bus
nvram
xhci_pci
tpm
ledtrig_audio
ac
battery
snd_pcm
xhci_hcd
ehci_pci
rfkill
ehci_hcd
rng_core
snd_timer
snd
mei_me
i2c_i801
soundcore
intel_smartconnect
usbcore
button
mei
usb_common
soc_button_array
i2c_smbus
lpc_ich
fuse
configfs
ip_tables
x_tables
autofs4
btrfs
blake2b_generic
dm_crypt
dm_mod
raid10
raid456
async_raid6_recov
async_memcpy
async_pq
async_xor
async_tx
libcrc32c
crc32c_generic
xor
raid6_pq
raid1
raid0
multipath
linear
md_mod
sd_mod
t10_pi
crc_t10dif
crct10dif_generic
crct10dif_pclmul
crct10dif_common
crc32c_intel
i915
ahci
libahci
libata
aesni_intel
i2c_algo_bit
glue_helper
libaes
crypto_simd
drm_kms_helper
psmouse
evdev
cryptd
serio_raw
cec
scsi_mod
drm
video

** PCI devices:
00:00.0 Host bridge [0600]: Intel Corporation 3rd Gen Core processor DRAM Controller [8086:0154] (rev 09)
	Subsystem: Lenovo 3rd Gen Core processor DRAM Controller [17aa:21f9]
	Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort+ >SERR- <PERR- INTx-
	Latency: 0
	IOMMU group: 0
	Capabilities: <access denied>
	Kernel driver in use: ivb_uncore

00:02.0 VGA compatible controller [0300]: Intel Corporation 3rd Gen Core processor Graphics Controller [8086:0166] (rev 09) (prog-if 00 [VGA controller])
	Subsystem: Lenovo 3rd Gen Core processor Graphics Controller [17aa:21f9]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
	Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0
	Interrupt: pin A routed to IRQ 27
	IOMMU group: 1
	Region 0: Memory at f0000000 (64-bit, non-prefetchable) [size=4M]
	Region 2: Memory at e0000000 (64-bit, prefetchable) [size=256M]
	Region 4: I/O ports at 5000 [size=64]
	Expansion ROM at 000c0000 [virtual] [disabled] [size=128K]
	Capabilities: <access denied>
	Kernel driver in use: i915

00:14.0 USB controller [0c03]: Intel Corporation 7 Series/C210 Series Chipset Family USB xHCI Host Controller [8086:1e31] (rev 04) (prog-if 30 [XHCI])
	Subsystem: Lenovo 7 Series/C210 Series Chipset Family USB xHCI Host Controller [17aa:21f9]
	Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
	Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0
	Interrupt: pin A routed to IRQ 29
	IOMMU group: 2
	Region 0: Memory at f1500000 (64-bit, non-prefetchable) [size=64K]
	Capabilities: <access denied>
	Kernel driver in use: xhci_hcd

00:16.0 Communication controller [0780]: Intel Corporation 7 Series/C216 Chipset Family MEI Controller #1 [8086:1e3a] (rev 04)
	Subsystem: Lenovo 7 Series/C216 Chipset Family MEI Controller [17aa:21f9]
	Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0
	Interrupt: pin A routed to IRQ 28
	IOMMU group: 3
	Region 0: Memory at f1515000 (64-bit, non-prefetchable) [size=16]
	Capabilities: <access denied>
	Kernel driver in use: mei_me

00:1a.0 USB controller [0c03]: Intel Corporation 7 Series/C216 Chipset Family USB Enhanced Host Controller #2 [8086:1e2d] (rev 04) (prog-if 20 [EHCI])
	Subsystem: Lenovo 7 Series/C216 Chipset Family USB Enhanced Host Controller [17aa:21f9]
	Control: I/O- Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Interrupt: pin A routed to IRQ 16
	IOMMU group: 4
	Region 0: Memory at f151a000 (32-bit, non-prefetchable) [size=1K]
	Capabilities: <access denied>
	Kernel driver in use: ehci-pci

00:1b.0 Audio device [0403]: Intel Corporation 7 Series/C216 Chipset Family High Definition Audio Controller [8086:1e20] (rev 04)
	Subsystem: Lenovo 7 Series/C216 Chipset Family High Definition Audio Controller [17aa:21f9]
	Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0, Cache Line Size: 64 bytes
	Interrupt: pin A routed to IRQ 30
	IOMMU group: 5
	Region 0: Memory at f1510000 (64-bit, non-prefetchable) [size=16K]
	Capabilities: <access denied>
	Kernel driver in use: snd_hda_intel

00:1c.0 PCI bridge [0604]: Intel Corporation 7 Series/C216 Chipset Family PCI Express Root Port 1 [8086:1e10] (rev c4) (prog-if 00 [Normal decode])
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0, Cache Line Size: 64 bytes
	Interrupt: pin A routed to IRQ 16
	IOMMU group: 6
	Bus: primary=00, secondary=02, subordinate=02, sec-latency=0
	I/O behind bridge: 00004000-00004fff [size=4K]
	Memory behind bridge: f0d00000-f14fffff [size=8M]
	Prefetchable memory behind bridge: 00000000f0400000-00000000f0bfffff [size=8M]
	Secondary status: 66MHz- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort+ <SERR- <PERR-
	BridgeCtl: Parity- SERR+ NoISA- VGA- VGA16- MAbort- >Reset- FastB2B-
		PriDiscTmr- SecDiscTmr- DiscTmrStat- DiscTmrSERREn-
	Capabilities: <access denied>
	Kernel driver in use: pcieport

00:1c.1 PCI bridge [0604]: Intel Corporation 7 Series/C210 Series Chipset Family PCI Express Root Port 2 [8086:1e12] (rev c4) (prog-if 00 [Normal decode])
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0, Cache Line Size: 64 bytes
	Interrupt: pin B routed to IRQ 17
	IOMMU group: 7
	Bus: primary=00, secondary=03, subordinate=03, sec-latency=0
	I/O behind bridge: [disabled]
	Memory behind bridge: f0c00000-f0cfffff [size=1M]
	Prefetchable memory behind bridge: [disabled]
	Secondary status: 66MHz- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- <SERR- <PERR-
	BridgeCtl: Parity- SERR+ NoISA- VGA- VGA16- MAbort- >Reset- FastB2B-
		PriDiscTmr- SecDiscTmr- DiscTmrStat- DiscTmrSERREn-
	Capabilities: <access denied>
	Kernel driver in use: pcieport

00:1d.0 USB controller [0c03]: Intel Corporation 7 Series/C216 Chipset Family USB Enhanced Host Controller #1 [8086:1e26] (rev 04) (prog-if 20 [EHCI])
	Subsystem: Lenovo 7 Series/C216 Chipset Family USB Enhanced Host Controller [17aa:21f9]
	Control: I/O- Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Interrupt: pin A routed to IRQ 23
	IOMMU group: 8
	Region 0: Memory at f1519000 (32-bit, non-prefetchable) [size=1K]
	Capabilities: <access denied>
	Kernel driver in use: ehci-pci

00:1f.0 ISA bridge [0601]: Intel Corporation QS77 Express Chipset LPC Controller [8086:1e56] (rev 04)
	Subsystem: Lenovo QS77 Express Chipset LPC Controller [17aa:21f9]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0
	IOMMU group: 9
	Capabilities: <access denied>
	Kernel driver in use: lpc_ich

00:1f.2 SATA controller [0106]: Intel Corporation 7 Series Chipset Family 6-port SATA Controller [AHCI mode] [8086:1e03] (rev 04) (prog-if 01 [AHCI 1.0])
	Subsystem: Lenovo 7 Series Chipset Family 6-port SATA Controller [AHCI mode] [17aa:21f9]
	Control: I/O+ Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
	Status: Cap+ 66MHz+ UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0
	Interrupt: pin B routed to IRQ 26
	IOMMU group: 9
	Region 0: I/O ports at 5088 [size=8]
	Region 1: I/O ports at 5094 [size=4]
	Region 2: I/O ports at 5080 [size=8]
	Region 3: I/O ports at 5090 [size=4]
	Region 4: I/O ports at 5060 [size=32]
	Region 5: Memory at f1518000 (32-bit, non-prefetchable) [size=2K]
	Capabilities: <access denied>
	Kernel driver in use: ahci

00:1f.3 SMBus [0c05]: Intel Corporation 7 Series/C216 Chipset Family SMBus Controller [8086:1e22] (rev 04)
	Subsystem: Lenovo 7 Series/C216 Chipset Family SMBus Controller [17aa:21f9]
	Control: I/O+ Mem+ BusMaster- SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap- 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Interrupt: pin C routed to IRQ 18
	IOMMU group: 9
	Region 0: Memory at f1514000 (64-bit, non-prefetchable) [size=256]
	Region 4: I/O ports at efa0 [size=32]
	Kernel driver in use: i801_smbus

02:00.0 System peripheral [0880]: Ricoh Co Ltd MMC/SD Host Controller [1180:e822] (rev 07) (prog-if 01)
	Subsystem: Lenovo MMC/SD Host Controller [17aa:21f3]
	Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx-
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0, Cache Line Size: 64 bytes
	Interrupt: pin A routed to IRQ 16
	IOMMU group: 10
	Region 0: Memory at f0d00000 (32-bit, non-prefetchable) [size=256]
	Capabilities: <access denied>
	Kernel driver in use: sdhci-pci

03:00.0 Network controller [0280]: Intel Corporation Centrino Advanced-N 6205 [Taylor Peak] [8086:0085] (rev 96)
	Subsystem: Intel Corporation Centrino Advanced-N 6205 [Taylor Peak] [8086:c220]
	Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV- VGASnoop- ParErr- Stepping- SERR- FastB2B- DisINTx+
	Status: Cap+ 66MHz- UDF- FastB2B- ParErr- DEVSEL=fast >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
	Latency: 0, Cache Line Size: 64 bytes
	Interrupt: pin A routed to IRQ 31
	IOMMU group: 11
	Region 0: Memory at f0c00000 (64-bit, non-prefetchable) [size=8K]
	Capabilities: <access denied>
	Kernel driver in use: iwlwifi


** USB devices:
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 005: ID 04f2:b315 Chicony Electronics Co., Ltd Integrated Camera
Bus 001 Device 004: ID 0a5c:21e6 Broadcom Corp. BCM20702 Bluetooth 4.0 [ThinkPad]
Bus 001 Device 003: ID 147e:2020 Upek TouchChip Fingerprint Coprocessor (WBF advanced mode)
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub


-- System Information:
Debian Release: 11.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-11-amd64 (SMP w/2 CPU threads)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default

Versions of packages linux-image-5.10.0-11-amd64 depends on:
ii  initramfs-tools [linux-initramfs-tool]  0.140
ii  kmod                                    28-1
ii  linux-base                              4.6

Versions of packages linux-image-5.10.0-11-amd64 recommends:
ii  apparmor             2.13.6-10
ii  firmware-linux-free  20200122-1

Versions of packages linux-image-5.10.0-11-amd64 suggests:
pn  debian-kernel-handbook  <none>
ii  grub-pc                 2.04-20
pn  linux-doc-5.10          <none>

Versions of packages linux-image-5.10.0-11-amd64 is related to:
pn  firmware-amd-graphics     <none>
pn  firmware-atheros          <none>
pn  firmware-bnx2             <none>
pn  firmware-bnx2x            <none>
pn  firmware-brcm80211        <none>
pn  firmware-cavium           <none>
pn  firmware-intel-sound      <none>
pn  firmware-intelwimax       <none>
pn  firmware-ipw2x00          <none>
pn  firmware-ivtv             <none>
ii  firmware-iwlwifi          20210315-3
pn  firmware-libertas         <none>
pn  firmware-linux-nonfree    <none>
ii  firmware-misc-nonfree     20210315-3
pn  firmware-myricom          <none>
pn  firmware-netxen           <none>
pn  firmware-qlogic           <none>
pn  firmware-realtek          <none>
pn  firmware-samsung          <none>
pn  firmware-siano            <none>
pn  firmware-ti-connectivity  <none>
pn  xen-hypervisor            <none>

-- no debconf information