WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 

xen-devel

RE: [Xen-devel] HT Vulnerability CAN-2005-0109

To: "Nils Toedtmann" <xen-devel@xxxxxxxxxxxxxxxxxx>, "Mark Williamson" <mark.williamson@xxxxxxxxxxxx>
Subject: RE: [Xen-devel] HT Vulnerability CAN-2005-0109
From: "Ian Pratt" <m+Ian.Pratt@xxxxxxxxxxxx>
Date: Thu, 19 May 2005 11:59:37 +0100
Cc: david.hopwood@xxxxxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 19 May 2005 10:59:13 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcVcXpD5lnymn8jrTcuYwlX6UP/DwAAAcoJA
Thread-topic: [Xen-devel] HT Vulnerability CAN-2005-0109
 
> At the moment, they release quick workarounds like hardening 
> crypto libs against timing attacks
> 
>   <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=157631>

This is the correct solution. I was rather shocked to find the crypto
libs weren't already hardened for such attacks. It's not as though this
is anything new, just a higher bandwidth version of something that has
been known about for years.

> or disabling HT

This is not necessary on Xen. Just allocate domains to CPUs such that
you don't put potentially non-cooperative domains on the same core. E.g.
if you're using dom0 just for running the control tool and device
drivers, just give it one hyperthread and don't allow any other domain
to use it. This is a pretty sensible way to use HT with Xen anyhow.

Ian


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
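
The placement rule from the message above, as an added example (not part of the original post and not Xen's own code): a check that no two non-cooperating domains are pinned to hyperthreads of the same core. The topology strings, domain names and pinning plans are constructed; the sibling-list format assumed is the one Linux exposes in `thread_siblings_list`.

```python
from itertools import combinations

def parse_cpu_list(text):
    """Parse a Linux-style CPU list ('0,2' or '4-7') into a set of ints."""
    cpus = set()
    for part in filter(None, text.strip().split(",")):
        lo, _, hi = part.partition("-")
        cpus.update(range(int(lo), int(hi or lo) + 1))
    return cpus

def core_map(sibling_lists):
    """Map each logical CPU to its core, identified by its set of sibling threads."""
    cores = {}
    for text in sibling_lists:
        siblings = frozenset(parse_cpu_list(text))
        for cpu in siblings:
            cores[cpu] = siblings
    return cores

def shared_cores(pinning, cores, cooperating=()):
    """List (dom_a, dom_b, core) where two non-cooperating domains can run on one core.
    A pin of 'all' means unpinned: the scheduler may place the domain anywhere."""
    every_cpu = set(cores)
    allowed = {dom: every_cpu if spec == "all" else parse_cpu_list(spec)
               for dom, spec in pinning.items()}
    findings = []
    for a, b in combinations(sorted(allowed), 2):
        if any(a in group and b in group for group in cooperating):
            continue  # operator has declared these domains mutually trusting
        cores_a = {cores[c] for c in allowed[a]}
        cores_b = {cores[c] for c in allowed[b]}
        findings += [(a, b, sorted(core)) for core in sorted(cores_a & cores_b, key=min)]
    return findings

# Constructed sample: 2 cores x 2 hyperthreads; CPUs 0/2 and 1/3 are siblings.
SIBLINGS = ["0,2", "1,3"]
# dom0 alone on one thread of core {0,2}; its sibling CPU 2 is left unused.
GOOD_PLAN = {"Domain-0": "0", "guestA": "1,3"}
# guestA on dom0's sibling thread, guestB unpinned.
BAD_PLAN = {"Domain-0": "0", "guestA": "2", "guestB": "all"}

if __name__ == "__main__":
    cores = core_map(SIBLINGS)
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        for a, b, core in shared_cores(plan, cores):
            print(f"{name}: {a} and {b} can share core {core}")
```

An unpinned domain is reported against every core it could land on, which is why the bad plan flags `guestB` against both other domains.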