
Re: [Xen-devel] [PATCH v3 1/2] x86: Meltdown band-aid against malicious 64-bit PV guests



On Tue, Jan 16, 2018 at 5:28 PM, Andy Smith <andy@xxxxxxxxxxxxxx> wrote:
> Hi Jan,
>
> On Tue, Jan 16, 2018 at 08:21:52AM -0700, Jan Beulich wrote:
>> This is a very simplistic change limiting the amount of memory a running
>> 64-bit PV guest has mapped (and hence available for attacking): Only the
>> mappings of stack, IDT, and TSS are being cloned from the direct map
>> into per-CPU page tables.
>
> Can this be used with Comet/Vixen to further protect PV guests? i.e.
> if the shim hypervisor has these changes then will it also limit
> what a process in the PV guest can see in that shim hypervisor,
> which therefore protects its own guest kernel a bit too?

Technically, yes, it should.

However,
 1) It should be unnecessary.  If you're running PV with the
"bandaid", you should be reasonably safe without using the shim
 2) The shim adds nearly 40% overhead in my worst-case tests; and so
does the bandaid.  Together I think your performance would be pretty
terrible.

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel