[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Xen Project Spectre/Meltdown FAQ

  • To: "'Hans van Kranenburg'" <hans@xxxxxxxxxxx>, "'Peter'" <xen@xxxxxxxxxxxxxxxxxx>, "'Lars Kurth'" <lars.kurth.xen@xxxxxxxxx>
  • From: "Nathan March" <nathan@xxxxxx>
  • Date: Fri, 12 Jan 2018 09:17:06 -0800
  • Cc: 'Juergen Gross' <jgross@xxxxxxxx>, 'xen-devel' <xen-devel@xxxxxxxxxxxxxxxxxxxx>, 'Doug Goldstein' <cardoe@xxxxxxxxxx>
  • Delivery-date: Fri, 12 Jan 2018 17:17:20 +0000
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gt.net; h=from:to:cc :references:in-reply-to:subject:date:message-id:mime-version :content-type:content-transfer-encoding; q=dns; s=mail; b=V+cFll hafcycC5LzeA4KSTYOwKHUs4XZFi8SJneJLqTI8vmZ1vhhYpSXhNOVqJ/wPTd7cH 9/qDcPspxpI5IogUOoYvgoy+cfMFzB5yOoCBNsdkFzQAwchR4eg8LgtqHKgnqzsq XoqtO3rodHGKw4T7ZjetOhc+/JTrbLH/Dzaso=
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
  • Thread-index: AQIdpPvrb+PS5DWlhxttSXvF9akqYQIylcEzAnJBAkIBqAHCcQI7ugUnAttwHNgC4dwT9QIXPiCHAriE950BocVyBAHD8Pp7oihrodA=

> > In the matrix I see "Is a user space attack on the guest kernel possible
> > (when running in a Xen VM)?" For PVH (and HVM) = Yes[1] where [1]
> > Impacts Intel CPUs only.
> >
> > Is there any mitigation for this?  i.e. How to protect a guest VM from
> > its own userspace processes.
> That part is handled by the kernel inside the guest. Xen doesn't see
> that happening.
> It's for example the KPTI/KAISER patches that got into the linux kernels
> now.

The most recent update to XSA-254 seems to clearly state that the kernel KPTI 
patches will not protect the guest from itself with the shim installed:

> PV-in-PVH/HVM shim approach leaves *guest* vulnerable to Meltdown
> attacks from its unprivileged users, even if the guest has KPTI
> patches.  That is, guest userspace can use Meltdown to read all memory
> in the same guest.

So the questions remains, how do you protect a guest from a malicious user 
inside of it?

Is it really the case that the *only* full solution to move to xen 4.10 and 
guest kernel 4.11?!


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.