> On 5 Jan 2018, at 15:55, Hans van Kranenburg <h...@knorrie.org> wrote:
>
> On 01/05/2018 12:35 PM, Lars Kurth wrote:
>> Hi all, this is a repost of
>> https://blog.xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/
>> for xen-users/xen-devel. If you have questions, please reply to this
>> thread and we will try and improve the FAQ based on questions.
>> Regards
>> Lars
>
> Thanks for the writeup.
>
> The main reason for the reader to get confused is the amount of
> different combinations of situations that are possible, which all again
> have their own set of vulnerabilities and also their own (maybe even
> different) set of possibilities to be used as environment for executing
> an attack.
>
> So let's help them by being more explicit.

That sounds reasonable.

>> On Intel processors, only 64-bit PV mode guests can attack Xen.
>
> "On Intel processors an attack at Xen using SP3 can only be done by
> 64-bit PV mode guests."
>
> Even if it looks super-redundant, I think keeping explicit information
> in every sentence is preferable, so they cannot be misinterpreted or
> accidentally be taken out of context.

Alright: I think I prefer "On Intel processors, only 64-bit PV mode guests can attack Xen using SP3."

>
>> Guests running in 32-bit PV mode, HVM mode, and PVH
>> mode cannot attack the hypervisor using SP3. However, in 32-bit PV
>> mode, HVM mode, and PVH mode, guest userspaces can attack guest
>> kernels using SP3; so updating guest kernels is advisable.
>
>> Interestingly, guest kernels running in 64-bit PV mode are not
>> vulnerable to attack using SP3, because 64-bit PV guests already run
>> in a KPTI-like mode.
>
> Like Juergen already mentioned, additionally: "However, keep in mind
> that a successful attack on the hypervisor can still be used to recover
> information about the same guest from physical memory."

Good suggestion.

>>
>> = Does Xen have any equivalent to Linux’s KPTI series? =
>>
>> Linux’s KPTI series is designed to address SP3 only.
>
> This one...
>
>> For Xen guests, only 64-bit PV guests are affected by SP3.
>
> ...should be more explicit. The words "affected" and "impacted" do not
> tell the reader if it's about being an attacker, or about being the
> victim and what is attacked or attacking.
>
> "For Xen guests, only 64-bit PV guests are able to execute a SP3 attack
> against the hypervisor."

Sounds fine.

I will update the blog post sometime tomorrow or Monday. There were a few further comments, which may be worth rolling into a change.

Lars