[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] Clarification regarding Meltdown and 64-bit PV guests
On Sun, 14 Jan 2018, Hans van Kranenburg wrote: > On 14/01/2018 15:00, Dongli Zhang wrote: > > Hi Hans, > > > > On 01/13/2018 07:12 PM, Hans van Kranenburg wrote: > >> On 01/13/2018 11:08 AM, Andy Smith wrote: > >>> Hi Hans, > >>> > >>> On Sat, Jan 13, 2018 at 10:43:03AM +0100, Hans van Kranenburg wrote: > >>>> By injecting a copy of a hypervisor between the outer level hypervisor > >>>> (that's called L0 right?) (in HVM or PVH mode) and the guest, having it > >>>> just run 1 guest, that (64-bit PV) guest cannot attack its own kernel, > >>>> but it can attack the intermediate hypervisor which results in reading > >>>> it's own memory from the fake intermediate "host memory". > >>> > >>> So are you saying that, considering only SP3/Variant 3/Meltdown, it > >>> works out like this: > >>> > >>> == 64-bit PV mode guest == > >>> > >>> - Can't use SP3/Variant 3/Meltdown directly on its own kernel. > >>> > >>> - Can use SP3/Variant 3/Meltdown on the hypervisor to read data from > >>> hypervisor so effectively everything including other kernels and > >>> its own kernel. > >>> > >>> - Can't be mitigated by KPTI in the guest. > >>> > >>> == PV-in-Comet and PV-in-Vixen == > >>> > >>> - Can't use SP3/Variant 3/Meltdown directly on its own kernel > >>> > >>> - Can't use SP3/Variant 3/Meltdown on the real hypervisor. > >>> > >>> - Can still use SP3/Variant 3/Meltdown on the shim hypervisor to > >>> still gain access to data from itself. > >>> > >>> - Can't be mitigated by KPTI in the guest. > >>> > >>> == HVM and PVHv2 == > >>> > >>> - Can use SP3/Variant 3/Meltdown directly on its own kernel. > >>> > >>> - Can't use SP3/Variant 3/Meltdown on the hypervisor. > >>> > >>> - Can be mitigated by KPTI in the guest (becomes not a Xen issue). > >>> > >>> ? > >> > >> Exactly. > > > > Does this indicate that there is no solution to prevent a malicious user > > space > > program (running on 64-bit PV domU) from reading the memory of domU kernel > > space > > (via meltdown), no matter whether comet/vixen is enabled or not? > > > > Therefore, comet/vixen is only used to prevent the cross-VM meltdown attack. > > Yes. Keep an eye on this series, and future follow-ups: https://marc.info/?l=xen-devel&m=151601415717228 It mitigates Meltdown/SP3 for Xen without introducing an intermediate hypervisor. Thus, it protects Xen while retaining the property that the guest kernel is already protected from the guest userspace because it runs in a KPTI-like mode. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |