
Re: [Xen-devel] Xen Project Spectre/Meltdown FAQ

On 7 Jan 2018, at 17:11, Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote:

Since PVH does not yet support PCI passthrough, are there other
recommended SP3 mitigations for 64-bit PV driver domains?
Lock them down?  Device driver domains, even if not fully trusted, are
going to be part of the system and therefore at least semi-TCB.

If an attacker can't run code in your driver domain (and be aware of
things like server side processing, JIT of SQL, etc as "running code"
methods), they aren't in a position to mount an SP3 attack.
Well, the main reason why driver domains are used in Qubes OS is the
assumption that it is not possible to really "lock them down", given a
full OS (Linux) running inside and being exposed to the outside world
(having network adapters, USB controllers etc). There are so many
components running in them that for sure some of them are buggy. Just some
examples exploitable in the near past: DHCP client, Bluetooth stack.

If we'd believe that handling those devices exposed to the outside world
is "safe", we wouldn't use driver domains at all...

Indeed, but they are in a better position than arbitrary VMs, because
users can't just log into them and start running code.  (I really hope...)

I wanted to point out https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg00497.html which according to the cover letter is based on HVM and not PVH. I am not really sure whether this would solve some of the problems around PCI passthrough.
