Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport fixes to v1.6 #4463

Merged
merged 2 commits into from
Feb 19, 2024
Merged

Backport fixes to v1.6 #4463

merged 2 commits into from
Feb 19, 2024

Conversation

zulinx86
Copy link
Contributor

@zulinx86 zulinx86 commented Feb 19, 2024
edited
Loading

Changes

Backport the following commits to v1.6:

Reason

To make the nightly PR test pass on v1.6 branch.

License Acceptance

By submitting this pull request, I confirm that my contribution is made under
the terms of the Apache 2.0 license. For more information on following Developer
Certificate of Origin and signing off your commits, please check
CONTRIBUTING.md.

PR Checklist

  • [ ] If a specific issue led to this PR, this PR closes the issue.
  • The description of changes is clear and encompassing.
  • [ ] Any required documentation changes (code and docs) are included in this
    PR.
  • [ ] API changes follow the Runbook for Firecracker API changes.
  • [ ] User-facing changes are mentioned in CHANGELOG.md.
  • All added/changed functionality is tested.
  • [ ] New TODOs link to an issue.
  • Commits meet
    contribution quality standards.
  • This functionality cannot be added in rust-vmm.

@zulinx86
fix: Add check for known vulnerabilities in guest
47ff180 
[ Upstream commit a823911 ]

There is a REPTAR exception reported on m6i.metal for
guest kernel versions 4.14/5.10/6.1 when spectre-meltdown-checker.sh
script is run inside the guest from below the tests:
test_spectre_meltdown_checker_on_guest and
test_spectre_meltdown_checker_on_restored_guest
The same script when run on host doesn't report the
exception which means the instances are actually not vulnerable to
REPTAR.
The only reason why the script cannot determine if the guest
is vulnerable or not is because Firecracker does not expose
the microcode version to the guest.

The check is check_CVE_2023_23583_linux in spectre-meltdown-checker.sh

Since we have a test on host and the exception in guest is not valid,
we add a check to ignore this exception.

There could be more such exceptions added to
check_vulnerabilities_on_guest() in the future but generalising this
function based on instance kernel versions etc. without more data
looked like overkill right now so,
the function handles the exception only for REPTAR and m6i.

Signed-off-by: Sudan Landge <[email protected]>
Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86 zulinx86 self-assigned this Feb 19, 2024
@zulinx86 zulinx86 added the Status: Awaiting review Indicates that a pull request is ready to be reviewed label Feb 19, 2024
@zulinx86 zulinx86 requested a review from wearyzen February 19, 2024 16:07
ShadowCurse
ShadowCurse previously approved these changes Feb 19, 2024
View reviewed changes
pb8o
pb8o previously approved these changes Feb 19, 2024
View reviewed changes
@codecov Codecov
Copy link

codecov bot commented Feb 19, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (f0e1938) 81.55% compared to head (a245a0a) 81.55%.

Additional details and impacted files 
@@                Coverage Diff                @@
##           firecracker-v1.6    #4463   +/-   ##
=================================================
  Coverage             81.55%   81.55%           
=================================================
  Files                   240      240           
  Lines                 29367    29367           
=================================================
  Hits                  23951    23951           
  Misses                 5416     5416
Flag Coverage Δ
4.14-c7g.metal 76.96% <ø> (ø)
4.14-m5d.metal 78.85% <ø> (-0.03%) ⬇️
4.14-m6a.metal 77.97% <ø> (ø)
4.14-m6g.metal 76.96% <ø> (ø)
4.14-m6i.metal 78.84% <ø> (ø)
5.10-c7g.metal 79.85% <ø> (ø)
5.10-m5d.metal 81.52% <ø> (-0.02%) ⬇️
5.10-m6a.metal 80.73% <ø> (ø)
5.10-m6g.metal 79.85% <ø> (ø)
5.10-m6i.metal 81.51% <ø> (ø)
6.1-c7g.metal 79.85% <ø> (ø)
6.1-m5d.metal 81.52% <ø> (-0.02%) ⬇️
6.1-m6a.metal 80.73% <ø> (ø)
6.1-m6g.metal 79.85% <ø> (ø)
6.1-m6i.metal 81.51% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@zulinx86 zulinx86 changed the title [Backport to v1.6] fix: Add check for known vulnerabilities in guest Backport fixes to v1.6 Feb 19, 2024
@zulinx86
tests: Install tools with --locked option
a245a0a 
[ Upstream commit 8bb8831 ]

Without `--locked` option, installing cargo tools may fail for some
reasons. `--locked` option is useful for reproducible installation since
it ensures to use the exact same set of dependencies.

Signed-off-by: Takahiro Itazuri <[email protected]>
@zulinx86 zulinx86 dismissed stale reviews from pb8o and ShadowCurse via a245a0a February 19, 2024 16:52
@zulinx86 zulinx86 requested a review from pb8o February 19, 2024 16:56
@zulinx86 zulinx86 merged commit 094f066 into firecracker-microvm:firecracker-v1.6 Feb 19, 2024
6 of 7 checks passed
@zulinx86 zulinx86 deleted the firecracker-v1.6 branch March 19, 2024 12:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wearyzen wearyzen wearyzen approved these changes

@pb8o pb8o pb8o approved these changes

@ShadowCurse ShadowCurse ShadowCurse left review comments

Assignees

@zulinx86 zulinx86

Labels
Status: Awaiting review Indicates that a pull request is ready to be reviewed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@zulinx86 @ShadowCurse @pb8o @wearyzen