
I have been updating some servers to the latest patchlevels and wanted to check the security state regarding Meltdown, Spectre and Spectre-NG.

Using the current V 0.39+ of the spectre-meltdown-checker I was astonished by my findings in a VM running CentOS 7 with VMWare ESXi 6.5 (all patched up to date).

Here I found "vulnerable for Spectre 2".

Strange. That was patched months ago by using retpoline.

OK - the new check states that retpoline is not enough. But CentOS 7 is lacking RSB. So the only other remaining option is to enable IBRS.

Strangely it is not activated automatically at boot-time.

Since I do not want to write an init-script:

echo 1 >/sys/kernel/debug/x86/ibrs_enabled

Which will turn on IBRS and will get rid of Spectre v2 (according to the test-results of the script).

The question is: What is the best way to enable IBRS permanently on boot?

I was not able to find a corresponding kernel option.

Nils

1 Answer


1) Virtual Hardware Version 9 is minimum requirement for Hypervisor-Assisted Guest Mitigation for branch target injection (CVE-2017-5715)

2) Power Off and then Power On the virtual machine (Restart is insufficient)

Hypervisor-Assisted Guest Mitigation for Branch Target injection

Mario Lenz
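Added example, not code from the question or the answer: a small POSIX sh check that ties the two threads together. It reads the three places the guest kernel exposes its Spectre v2 state (the CPU flags in /proc/cpuinfo, the debugfs knob /sys/kernel/debug/x86/ibrs_enabled from the question, and the kernel's own verdict in /sys/devices/system/cpu/vulnerabilities/spectre_v2) and turns them into one word a monitoring job can alert on. It distinguishes the case the answer describes (the hypervisor does not expose the speculation-control feature to the guest at all, so no amount of in-guest configuration helps until the virtual hardware version is raised and the VM is power-cycled) from the case in the question (feature present, knob off). The functions take a root directory argument so they can be exercised against constructed sample files; treating a `spec_ctrl` or `ibrs` flag in /proc/cpuinfo as the sign that the feature is passed through is an assumption about the CentOS 7 kernel, and the verdict names are this example's own.

```shell
#!/bin/sh
# Added example (not from the question or answer above).
# All functions take a root directory as $1 so the same logic can be run against
# constructed sample trees; pass "/" to inspect the running guest.

# Prints "exposed" if /proc/cpuinfo lists a speculation-control flag, else "hidden".
# Assumption: the CentOS 7 kernel names the flag "spec_ctrl" (upstream: "ibrs").
cpu_spec_ctrl() {
  root="${1:-}"
  if grep -qw -e spec_ctrl -e ibrs "$root/proc/cpuinfo" 2>/dev/null; then
    echo exposed
  else
    echo hidden
  fi
}

# Prints the value of the debugfs knob from the question (0 = off, 1 = on,
# 2 = always on), or "absent" when debugfs is not mounted or the knob is missing.
ibrs_knob() {
  root="${1:-}"
  f="$root/sys/kernel/debug/x86/ibrs_enabled"
  if [ -r "$f" ]; then
    tr -d '[:space:]' < "$f"
  else
    echo absent
  fi
}

# Prints the kernel's own verdict line, or "unknown" when the file is missing.
spectre_v2_status() {
  root="${1:-}"
  f="$root/sys/devices/system/cpu/vulnerabilities/spectre_v2"
  if [ -r "$f" ]; then
    cat "$f"
  else
    echo unknown
  fi
}

# One-word verdict for a monitoring check (names are this example's own):
#   mitigated  - the kernel reports a mitigation, or the IBRS knob is on
#   needs-vhw  - the CPU does not expose spec_ctrl: raise the VM hardware
#                version and power the VM off and on (answer above)
#   needs-ibrs - the feature is exposed but the knob is off: enable it
#                persistently (question above)
# Returns 0 only for "mitigated".
ibrs_verdict() {
  root="${1:-}"
  case "$(spectre_v2_status "$root")" in
    Mitigation:*) echo mitigated; return 0 ;;
  esac
  if [ "$(cpu_spec_ctrl "$root")" = hidden ]; then
    echo needs-vhw
    return 1
  fi
  case "$(ibrs_knob "$root")" in
    1|2) echo mitigated; return 0 ;;
    *)   echo needs-ibrs; return 1 ;;
  esac
}

# Stand-alone use on a live guest: sh ibrs_check.sh --self
if [ "${1:-}" = "--self" ]; then
  ibrs_verdict /
fi
```

Run it with `--self` on the guest as root (debugfs must be mounted for the knob to be readable); a result of `needs-vhw` means the in-guest `echo 1` from the question cannot take effect because the CPU feature is not visible, which is exactly the situation the answer's two steps address.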