10.2. Managing Dynamic Mitigation of Intel CPU Vulnerabilities

Starting from Virtuozzo Hybrid Server 7.5, mitigations for a number of Intel CPU vulnerabilities are enabled and disabled in real time based on host workload. The vulnerabilities include the ones that, if left unmitigated, may allow a malicious actor inside a VM or container to run arbitary code on the host or in other virtual environments on that host. As these mitigations may reduce host performance, it makes sense to disable them when virtual environments are not running or when the host is only used for Virtuozzo Storage and VEs are not needed at all.

In general, mitigations are managed by kernel flags provided by microcode updates or kernel patches. For a mitigation to be enabled, one or more flags need to be set to certain values that depend on a CPU.

Virtuozzo Hybrid Server comes with all the applicable microcode updates and kernel patches. All supported mitigations are enabled by default. Dynamic mitigation management is also enabled by default (see the end of this section). It works as follows:

  1. When a host boots, the memory management daemon vcmmd saves the state of enabled mitigations by saving the values of these kernel flags from /sys/kernel/debug/x86/:

    • pti_enabled, Page Table Isolation, addresses Meltdown

    • ibrs_enabled, Indirect Branch Restricted Speculation, addresses Spectre-V2

    • retp_enabled, Retpolines, addresses Spectre-V2

    • ibpb_enabled, Indirect Branch Prediction Barriers, addresses Spectre-V2


      This flag is now read-only. It is set when either ibrs_enabled or retp_enabled is set.

    • ssbd_enabled, Speculative Store Bypass Disable, addresses Spectre-NG-V4

  2. If no virtual environments are running, vcmmd sets the flags to 0 to disable mitigations and speed up the node.

  3. As soon as the first VM or container starts, vcmmd restores the original state of the flags to enable mitigations.

  4. As soon as the last VM or container stops, vcmmd sets the flags to 0 to disable mitigations and speed up the node.

Dynamic mitigations management is controlled by the EnableMitigationsManagement parameter in /etc/vz/vcmmd.conf, which is set to true by default:

# vcmmdctl config -f > /etc/vz/vcmmd.conf
# cat /etc/vz/vcmmd.conf | grep EnableMitigationsManagement
 "EnableMitigationsManagement": true,

You can disable this feature by setting the parameter to false and restarting VCMMD (see Restarting VCMMD).