Some of these mitigations are available “optionally.” I mean, in the case of VBox as an example, the L1TF vuln can be mitigated on a per-machine basis on the command line using “VBoxManage modifyvm…”
There are four commands in total specific to this particular vuln, and the documentation says “perf degradation can be SEVERE…”
I have these options enabled in my machines, including Whonix, and do not notice any performance issues. Perhaps others would? I guess the chip makes a difference?
Commands: --l1d-flush-on-vm-entry on, --l1d-flush-on-sched on, --ibpb-on-vm-entry on, --ibpb-on-vm-exit on.
There is also a set of commands for other vulns that I have not enabled. According to logs on non-Whonix Debian virtual machines, with the above commands enabled, Spectre v1 and v2 are mitigated, and MDS is mitigated by clearing CPU buffers, but it warns that for full mitigation SMT (hyperthreading) must be turned off. It lists Spec. Store Bypass as still vulnerable, though. Since Spec. Store Bypass has been mitigated on the host through a microcode update, is the VM still vulnerable? I am not sure.
On my host(s), everything is mitigated.
A copy of the vm logs:
Jan 28 20:33:32 host kernel: Spectre V1 : Mitigation: usercopy/swapgs barriers and __user pointer sanitization
Jan 28 20:33:32 host kernel: Spectre V2 : Mitigation: Full generic retpoline
Jan 28 20:33:32 host kernel: Spectre V2 : Spectre v2 / SpectreRSB mitigation: Filling RSB on context switch
Jan 28 20:33:32 host kernel: Speculative Store Bypass: Vulnerable
Jan 28 20:33:32 host kernel: MDS: Mitigation: Clear CPU buffers
EDIT: Here is a good list of mitigations that @Patrick posted some time ago:
https://github.com/Whonix/Whonix/blob/master/build-steps.d/2600_create-vbox-vm
Observations:
I notice that MDS is mitigated along the same lines in the VM as on the hosts: if you mitigate MDS on the host, the virtual machine follows that and displays the same mitigation. Speculative Store Bypass does not, for some reason, despite being mitigated on the host. Interesting, though, that for MDS there is an associated VBoxManage command, two of them in fact, to clear on VM entry and/or on VM exit. There is also a --spec-ctrl on | off option as well, which I do not have enabled on the VMs.
On the Debian VMs, the only vulns listed as active are Speculative Store Bypass and something called itlb_multihit, according to /sys/devices/system/cpu/vulnerabilities. There is an entry for tsx_async_abort, but it says “Not affected” inside the file. Obviously disabling hyperthreading on the host would take care of itlb_multihit. When it (hyperthreading) is disabled, the Debian VM is not vulnerable anymore.
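As an added example (not part of the original post, and not code from the Whonix project), here is a POSIX shell script that does the two things discussed in this thread: it reads a directory shaped like /sys/devices/system/cpu/vulnerabilities and classifies each entry as fully mitigated, partially mitigated (the "SMT vulnerable" suffix the guest kernel prints for MDS) or still vulnerable, and it applies the per-VM VBoxManage modifyvm options named above to a powered-off VM. The sample status files and the VM name "Whonix-Workstation" are constructed for the demo. The two --mds-clear-* options are VirtualBox's own names for the MDS buffer-clearing options mentioned in the post (they clear on VM entry and on scheduling, not on VM exit); --spec-ctrl is left off to match the configuration described in the post and can be overridden with SPEC_CTRL=on.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers:
#   classify STATUS        - OK / PARTIAL / VULNERABLE / UNKNOWN for one sysfs status line
#   vuln_report DIR        - print every entry in DIR with its classification
#   count_vulnerable DIR   - number of entries classified VULNERABLE
#   vbox_apply VM          - run VBoxManage modifyvm with the mitigation options
# Use against the real interface with:  vuln_report /sys/devices/system/cpu/vulnerabilities

# Classify one status string as the kernel prints it.
classify() {
    case $1 in
        Vulnerable*|'KVM: Vulnerable'*|'Processor vulnerable'*) echo VULNERABLE ;;
        Mitigation:*[Vv]ulnerable*)                             echo PARTIAL ;;    # e.g. "...; SMT vulnerable"
        Mitigation:*|'KVM: Mitigation:'*|'Not affected'*)       echo OK ;;
        *)                                                      echo UNKNOWN ;;
    esac
}

# Print "name  CLASS  status" for each file in DIR; return 1 if anything is VULNERABLE.
vuln_report() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        status=$(cat "$f")
        class=$(classify "$status")
        printf '%-20s %-11s %s\n' "$(basename "$f")" "$class" "$status"
        [ "$class" = VULNERABLE ] && bad=1
    done
    return $bad
}

# Count entries classified VULNERABLE (PARTIAL is reported but not counted).
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(classify "$(cat "$f")")" = VULNERABLE ] && n=$((n + 1))
    done
    echo "$n"
}

# Apply the per-VM options from the post, plus the two MDS clear options, to VM.
# The VM must be powered off. VBOXMANAGE may be overridden (e.g. "echo") for a
# dry run; SPEC_CTRL defaults to off, matching the setup described in the post.
vbox_apply() {
    "${VBOXMANAGE:-VBoxManage}" modifyvm "$1" \
        --l1d-flush-on-vm-entry on --l1d-flush-on-sched on \
        --ibpb-on-vm-entry on --ibpb-on-vm-exit on \
        --mds-clear-on-vm-entry on --mds-clear-on-sched on \
        --spec-ctrl "${SPEC_CTRL:-off}"
}

# Constructed sample directory mirroring the guest state described in the post:
# Spectre v1/v2 and MDS mitigated (MDS only partially while SMT is on),
# Speculative Store Bypass vulnerable, tsx_async_abort not affected.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline'                                   > "$d/spectre_v2"
    printf 'Vulnerable'                                                           > "$d/spec_store_bypass"
    printf 'Mitigation: Clear CPU buffers; SMT vulnerable'                        > "$d/mds"
    printf 'Not affected'                                                         > "$d/tsx_async_abort"
    printf 'KVM: Mitigation: Split huge pages'                                    > "$d/itlb_multihit"
    echo "$d"
}

# Demo: report the constructed sample, then show the command that would be run.
sample=$(make_sample_dir)
vuln_report "$sample" || echo "-> $(count_vulnerable "$sample") entry still reports Vulnerable"
rm -rf "$sample"
( VBOXMANAGE=echo; vbox_apply "Whonix-Workstation" )
```

Run the report inside the guest to see what the guest kernel believes; run vbox_apply on the host with the VM powered off, since VBoxManage modifyvm refuses to change a running machine. PARTIAL is deliberately not counted as vulnerable so that the SMT warning is visible without failing the check.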