[lustre-discuss] Are there any performance hits with the https://access.redhat.com/security/vulnerabilities/speculativeexecution?

E.S. Rosenberg esr+lustre at mail.hebrew.edu
Sat Jan 6 09:12:22 PST 2018


There is absolutely no argument from me that the Client side *has* to be
patched immediately, my question was only about server side which seems to
me to be at a mitigated risk due to the nature of the server.
I think we'll be switching to vanilla kernel on client side and seeing how
that works for us (at least until we migrate to server 2.10.x or 2.11).

Regards,
Eli

On Sat, Jan 6, 2018 at 12:29 AM, Marion Hakanson <hakansom at ohsu.edu> wrote:

> We may not need to apply these mitigations to Lustre servers,
> but a lot of Lustre code runs on the client systems.
>
> Let's say you run a multi-user research cluster;  Lab group A says
> that their data must not be seen by any user except those in Lab A, so
> user, group, and filesystem permissions are set to implement that policy.
>
> Lab groups B and C may not have malicious users, but they do download,
> compile, and run programs from collaborators, or from the Internet
> at large.  So they may inadvertently install and run some malicious
> code on that research cluster, and potentially expose Lab group A's
> data even though B and C users wouldn't normally have permissions
> to do so.
>
> Do you analyze every bit of code that runs on your research cluster?
> We don't have the resources to do so.
>
>
> A possible related issue:  In addition to the kernel-vs-user address space
> changes needed for Meltdown, there are also some code changes needed to
> prevent the Spectre type of attacks.  Those changes (function call/return
> conventions) need to happen in user-space code, but also in the kernel.
> I imagine that Lustre code itself could need these mods too, in order
> to be protected from attack code on client systems.
>
> https://newsroom.intel.com/wp-content/uploads/sites/11/2018/01/Intel-Analysis-of-Speculative-Execution-Side-Channels.pdf
>
> I didn't find any items matching "meltdown" or "spectre" in the HPDD
> Lustre JIRA just now, so perhaps work hasn't started on this yet.
>
> Regards,
>
> Marion
>
>
>
> > Date: Fri, 5 Jan 2018 13:31:23 -0500
> > From: Mark Hahn <hahn at mcmaster.ca>
> > To: Lustre discussion <lustre-discuss at lists.lustre.org>
> > Subject: Re: [lustre-discuss] Are there any performance hits with the
> >
> > > Also to what extent would a Lustre system that is essentially a filer be at
> > > risk? It's not running user code and you're not browsing from it...
> >
> > to be vulnerable, attack code must run on the system.
> > _______________________________________________
> > lustre-discuss mailing list
> > lustre-discuss at lists.lustre.org
> > http://lists.lustre.org/listinfo.cgi/lustre-discuss-lustre.org
> >
>
>