On Apr 14, 2013 1:27 PM, "Michael Mol" <mike...@gmail.com> wrote: > > On 04/14/2013 01:55 AM, Pandu Poluan wrote: > > > > On Apr 14, 2013 1:42 AM, "Michael Mol" <mike...@gmail.com > > <mailto:mike...@gmail.com>> wrote: > >> > > [snip] > > > > > What I meant was: given 4 physical AMD cores (but only 2 FPUs, courtesy > > of AMD's Bulldozer/Piledriver arch) vs 4 virtual Intel cores (2 cores > > split into 4 by Hyperthreading), I undoubtedly prefer 4 physical ones. > > > > (Of course if the Intel CPU has 4 pphysical cores, it should be compared > > with an 8-core AMD CPU). > > > > I had some lively discussion on AMD vs Intel *for virtualization* in the > > Gentoo Community on Google+, which referenced a thread on ServerFault. > > The conclusion was: Intel CPUs (provided they support VT-x) can run > > baremetal virtualization as well as AMD, in the majority of cases. > > > > It's the minority of cases -- edge cases -- that I'm concerned with. > > And, lacking the money to actually buy 2 complete systems to perform > > comparison, I'll take the safe route anytime. > > > > Yes, Intel's top-of-the-line processors might be faster than AMD's, but > > the latter is cheaper, and exhibited a much more 'stable' performance > > (i.e., no edge cases to bite me later down the road). > > > > That said, I read somewhere about the 'misimplementation' of some > > hypercalls in Intel CPUs... in which some hypercall exceptions are > > mistakenly handled by the Ring 0 hypervisor instead of the Ring 1 guest > > OS, thus enabling someone to 'break out' of the VM's space. This > > misimplementation is exploitable on KVM and Xen (the latter, my > > preferred baremetal virtualization). > > That's actually very interesting. I hadn't heard about this. >
Here you go: http://blog.xen.org/index.php/2012/06/13/the-intel-sysret-privilege-escalation/ It's CVE-2012-0217, and the guys from vupen actually has created a working proof: http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php Rgds, --