On 15/06/18 23:10, Jiri Kosina wrote: > On Fri, 15 Jun 2018, Juergen Gross wrote: > >> Like it is possible to switch off PTI in the kernel it is possible to do >> the same with XPTI in the hypervisor (it is even possible to disable >> XPTI for dom0 only). >> >> In case XPTI is disabled for the currently running system it is possible >> to make use of Meltdown in user programs to read arbitrary physical host >> memory (i.e. attacking the hypervisor) and this includes the own systems >> kernel memory. >> >> So telling a user the system isn't vulnerable regarding Meltdown when >> running as 64-bit pv-guest might not be the truth. > > Ok, what a mess. > > As I don't think it'd be wise to try to let guest kernel figure out > whether host has XPTI, I'd suggest at least making the message somehow > more informative. Something like > > + if (hypervisor_is_type(X86_HYPER_XEN_PV)) > + return sprintf(buf, "Unknown (XEN PV detected, > hypervisor mitigation required\n"); > > perhaps?
Works for me. Juergen
