Firmware/Microcode mitigations against CPU speculative execution vulnerabilities

  • Last updated on: 2018-04-10
  • Authored by: Marc Nourani

Rackspace continues to evaluate and address a set of speculative execution vulnerabilities affecting certain CPUs, commonly known as Meltdown and Spectre: CVE-2017-5753, CVE-2017-5715, CVE-2017-5754.

Vendors have begun to release firmware/microcode updates for specific platforms. Rackspace will perform testing based on standard practices and make updates available upon successful completion of this process. We are aware that these updates might impact performance to an extent dependent upon specific workloads, application usage, or I/O. Our testing will not account for customer-specific performance impact. If you have concerns related to performance impact, review vendor-provided guidance. Red Hat has provided information regarding potential performance impacts at Speculative Execution Exploit Performance Impacts.

As firmware/microcode updates become available, Rackspace will send a ticket to inform customers that one or more of their devices has available firmware/microcode updates. Customers must opt in to a maintenance window to install the firmware/microcode updates. Along with the updates, devices might require additional steps for guest OS and virtualization platforms to be fully remediated.

Guest OS and virtualization specifics

This section includes specific information for different operating systems (OSs) and services.

Linux OS

Linux operating systems require both a kernel update and firmware/microcode update, along with a subsequent reboot, for remediation against all known variants of the vulnerabilities. For those devices submitted for the opt-in maintenance, Rackspace will perform an audit to detect environment details that are likely to cause delays or issues during a kernel patch or reboot maintenance, and will take the steps necessary to remediate any issues that appear in the audit. If the device is not running a patched kernel, Rackspace will install the updated kernel prior to the firmware/microcode update and the subsequent reboot.

For additional information, see Linux OS mitigations against CPU speculative execution vulnerabilities.

Windows OS

After the firmware/microcode updates are installed, the application of three additional registry keys is required to fully remediate these vulnerabilities. Rackspace will add these remaining keys at the time of the firmware/microcode updates.

For additional information, see Windows OS mitigations against CPU speculative execution vulnerabilities.

VMware

After the firmware/microcode updates are installed, an ESXi upgrade might be necessary. In some cases, this upgrade might require a re-kick, resulting in downtime for virtual machines. Because of this, Rackspace will coordinate ESXi Hypervisor firmware/microcode updates separately and will not include them in the initial maintenance process.

For additional information, see VMware OS mitigations against CPU speculative execution vulnerabilities.

Hyper-V

After the firmware/microcode update is applied to the hypervisor, mitigation of the vulnerability will require patching the hypervisor OS, application of registry keys, and a firmware update. This process requires a reboot for both the OS and firmware updates, potentially resulting in downtime for virtual machines. Because of this, Rackspace will coordinate Hyper-V Hypervisor firmware/microcode updates separately and will not include them in the initial maintenance process.

For additional information, see Windows OS mitigations against CPU speculative execution vulnerabilities.

Managed Colocation

Customers on Managed Colocation environments can work with their Rackspace account team to schedule maintenance to install the firmware/microcode updates or they can download the updates and apply them on their own.

Continue the conversation in the Rackspace Community.