Results 1 to 3 of 3

Thread: No spectre-v2 vulnerability warnings after installing VirtualBox Guest Additions’ updates; questions

  1. #1

    Default No spectre-v2 vulnerability warnings after installing VirtualBox Guest Additions’ updates; questions

    I have been using 64-bit openSUSE Leap 42.3 Linux as a Virtual “Machine” (VM) within Oracle VM VirtualBox 5.2.8r121009. Since updating the version of the Linux kernel from probably 4.4.114-42-default to probably 4.4.120-45-default, on “booting” my computer or “virtual computer” into openSUSE I saw lots of warnings reading “system may be vulnerable to spectre v2.” In openSUSE’s YaST2 (Yet another Software Tool 2), Hardware information, Display, VirtualBox Graphics Adapter, Drivers,

    I found:

    Hwcfg Bus: pci
    Kernel Driver: vboxvideo
    Model: InnoTek Systemberatung VirtualBox Graphics Adapter
    Old Unique Key: ……. (I did not include this old unique key here, in case there could be a computer-security-related matter concerning it.)

    Following the instruction on https://en.opensuse.org/SDB:Configur..._cards#Symptom on the Internet I entered into the computer program LXTerminal

    sudo lspci -nnk | grep -A3 VGA
    .
    After entering my “superuser” or root-user password I received the response:

    00:02.0 VGA compatible controller [0300]: InnoTek Systemberatung GmbH VirtualBox Graphics Adapter [80ee:beef]
    Kernel driver in use: vboxvideo
    Kernel modules: vboxvideo
    00:03.0 Ethernet controller [0200]: Intel Corporation 82540EM Gigabit Ethernet Controller [8086:100e] (rev 02)

    Notice that the company name “Nvidia” does not appear anywhere in this above information.

    I “booted” my computer via “Advanced options for openSUSE 42.3” and my previously used kernel version 4.4.114-42-default, did not see the warning “system may be vulnerable to spectre v2,” and within YaST2, Hardware information, Display, VirtualBox Graphics Adapter, Drivers, found the same above information for such a request. The obvious conclusions were 1) that regarding the spectre-v2 vulnerability warnings the Linux kernel version 4.4.114-42-default seemed to be more suitable for the same, vboxvideo kernel driver and InnoTek Systemberatung VirtualBox Graphics Adapter model than the Linux kernel version 4.4.120-45-default and 2) that my video graphics adapter appeared not to be explicitly linked to the company Nvidia.

    In YaST2’s Software Management I did not find a a software-package entitled vboxvideo. But after adding the option “RPM finds” to the search in Software Management for vboxvideo I found that in its file list the software package virtualbox-guest-x11, version 5.1.32-42.1, included the files /usr/lib64/dri/vboxvideo_drv.so and /usr/lib64/xorg/modules/drivers/vboxvideo_drv.so. A logical pattern for me to follow toward eliminating the spectre-v2 vulnerability warnings from http://bugzilla.opensuse.org/show_bug.cgi?id=925437 on the Internet seemed to be for me to enter the commands

    zypper remove virtualbox-guest-x11
    zypper install –force virtualbox-guest-x11
    .

    This was what I hoped would be an application of a general, forced-reinstallation-of-the-video-driver procedure in my case. And a further hope was that this procedure would automatically force a rebuilding of the Linux kernel 4.4.120-45-default which would include my virtualbox-guest-x11, version 5.1.32-42.1, and its vboxvideo driver software (However, later, based on https://en.wikipedia.org/wiki/Loadable_kernel_module, I realized that the Linux kernel may not be rebuilt as a result of such installation; but perhaps one could hope that a VirtualBox Guest Additions kernel module might be rebuilt as a result of such installation. But no, as you may realize from my following writing here, I suppose that likely did not occur.). I did enter those above two commands as a “superuser” or root user. But afterward there was no indication that the Linux kernel was being rebuilt in that forced installation process. And after “booting” into 64-bit openSUSE Leap 42.3 using the Linux kernel 4.4.120-45-def, with “def” probably a shortened version of “default” appearing on a “boot menu,” the spectre-v2 vulnerability warnings were again displayed in my installation of the LXTerminal computer program. (Later I wondered if I should instead have executed the “remove” and “install –force” options in the “zypper” command on the software package virtualbox-guest-kmp-default or maybe one at a time on each of the software packages virtualbox-guest-kmp-default, virtualbox-guest-tools, and virtualbox-guest-x11. Would any of these actions have eliminated the spectre-v2 vulnerability warnings? And would a VirtualBox Guest Additions kernel module have been rebuilt as a result of one of those commands? I guess it would have been rebuilt as a result of at least one of those commands.)

    Based on a search performed within YaST2’s Software Manager I had the following software packages installed in openSUSE which have something to do with Nvidia: libdrm_nouveau2, libdrm_nouveau2-32bit, and drm-kmp-default. But since after entering the command “sudo lspci -nnk | grep -A3 VGA”, entering my “superuser” or root-user password, and receiving the response 00:02.0 VGA compatible controller [0300]: InnoTek Systemberatung GmbH VirtualBox Graphics Adapter [80ee:beef], I guessed or supposed that Nvidia may have had little to do with my spectre-v2 vulnerability warnings. Rather I was suspicious that the Linux kernel version 4.4.120-45-default may not have been built to work completely well with my VirtualBox video driver, even though a) copying and pasting text between my host Window-10 operating system and my guest openSUSE operating system worked well and b) the contents of a folder shared by the host, Windows 10 and the guest, openSUSE operating systems could be seen in each of those two operating systems. So actually I should not have been too unhappy because all of the practical functions of VirtualBox Guest Additions that I desired were gratefully working for me!--It was only the spectre-v2 vulnerability warnings I wanted to have eliminated.

    But on March 29, 2018 updates for virtualbox-guest-x11 (version 5.1.32-42.1 [5.1.34-47.1]), virtualbox-guest-kmp-default (version 5.1.32_k4.4.104_39-42.1 [5.1.34_k4.4.120_45-47.1]), and virtualbox-guest-tools (version 5.1.32-42.1 [5.1.34-47.1]) became available for me through 64-bit openSUSE Leap 42.3 Linux software repositories. So I installed all of those updates in openSUSE. And gratefully I did not notice the spectre-v2 vulnerability warnings in two “boots” of my computer or “virtual computer” into openSUSE! Thanks for kindly solving this matter for me!

    Nevertheless in addition to my earlier, parenthetical questions in this posting, for my education I’d like to have someone or some people explain some things for me and/or answer some questions of mine. If I remember correctly when installing VirtualBox Guest Additions in some previous year I think either a kernel module and/or the whole Linux kernel was built or rebuilt. But based on https://en.wikipedia.org/wiki/Loadable_kernel_module on the Internet it appears that only a kernel module for VirtualBox Guest Additions may need to be built without requiring the whole Linux kernel to be rebuilt in order to make use of such a kernel module. In the course of updating virtualbox-guest-tools, virtualbox-guest-x11, and virtualbox-guest-kmp-default the installation of virtualbox-guest-kmp-default took perhaps some minutes of time. Although I was only informed with the word “Installing” during that period of time, was a VirtualBox Guest Additions kernel module being built during that period of time? Again, based on https://en.wikipedia.org/wiki/Loadable_kernel_module, I presume that a kernel update may ideally be designed so that both the old and new versions of the Linux kernel can make use of an available VirtualBox Guest Additions kernel module so that the Linux kernel will not have to be rebuilt after each kernel update in order to work with the VirtualBox Guest Additions kernel module. Then I presume that the spectre-v2 vulnerability warnings I received after a kernel update may have been due to some error of omission in making the new Linux kernel version 4.4.120-45-default which I am grateful has since been corrected. Is my thinking correct in this paragraph? If not, please correct it for me.

  2. #2

    Default Re: No spectre-v2 vulnerability warnings after installing VirtualBox Guest Additions’ updates; quest

    Sorry, the following sentence of mine might have been misleading: “Then I presume that the spectre-v2 vulnerability warnings I received after a kernel update may have been due to some error of omission in making the new Linux kernel version 4.4.120-45-default which I am grateful has since been corrected.” The fix or desirable change was made on the openSUSE or VirtualBox side by the installation of updated VirtualBox Guest Additions, not on the Linux kernel side. Since the previous version of the VirtualBox Guest Additions was working without the spectre-v2 vulnerability warnings with the Linux kernel 4.4.114-default, but had those warnings using the Linux kernel 4.4.120-45-default, it appears that the installation of the VirtualBox Guest Additions on March 29, 2018 was what made them work without the spectre-v2 vulnerability warnings and with the Linux kernel 4.4.120-45-default.

  3. #3

    Default Re: No spectre-v2 vulnerability warnings after installing VirtualBox Guest Additions’ updates; quest

    My mention of Nvidia in this "thread" of postings relates to https://bugzilla.suse.com/show_bug.cgi?id=1068032#c232 on the Internet. Thanks, moderator Henk van Velden, for in a private message informing me how to properly enclose a Uniform Resource Locator (URL) within a posting like this one.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •