Xen project Mailing List

Re: [Xen-devel] Xen Project Spectre/Meltdown FAQ

To: Lars Kurth <lars.kurth.xen@xxxxxxxxx>

From: Roger Pau Monné <roger.pau@xxxxxxxxxx>

Date: Mon, 8 Jan 2018 10:15:57 +0000

Cc: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Rich Persaud <persaur@xxxxxxxxx>, Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>

Delivery-date: Mon, 08 Jan 2018 10:16:10 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, Jan 08, 2018 at 09:02:37AM +0000, Lars Kurth wrote: > > > On 7 Jan 2018, at 17:11, Andrew Cooper <andrew.cooper3@xxxxxxxxxx> wrote: > > > > > >>>> Since PVH does not yet support PCI passthrough, are there other > >>>> recommended SP3 mitigations for 64-bit PV driver domains? > >>> Lock them down? Device driver domains, even if not fully trusted, are > >>> going to be part of the system and therefore at least semi-TCB. > >>> > >>> If an attacker can't run code in your driver domain (and be aware of > >>> things like server side processing, JIT of SQL, etc as "running code" > >>> methods), they aren't in a position to mount an SP3 attack. > >> Well, the main reason why driver domains are used in Qubes OS is > >> assumption that it is not possible to really "lock them down", given > >> full OS (Linux) running inside and being exposed to the outside world > >> (having network adapters, USB controllers etc). There are so many > >> components running them, that for sure some of them are buggy. Just some > >> examples exploitable in the near past: DHCP client, Bluetooth stack. > >> > >> If we'd believe that handling those devices exposed to the outside world > >> is "safe", we wouldn't use driver domains at all... > > > > Indeed, but they are in a better position than arbitrary VMs, because > > users can't just log into them and start running code. (I really hope...) > > > I wanted to point out > https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg00497.html > <https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg00497.html> > which according to the cover letter is based on HVM and not PVH. I am not > really sure whether this would solve some of the problems around PCI > passthrough. The pv-shim should also work inside an HVM guest, we just use PVH because it's easier to setup from a toolstack PoV. The passthrough problem is going to be the same with either PVH or HVM, which is that the shim would have to provide something like pciback to the guest. Roger. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.