> > In the matrix I see "Is a user space attack on the guest kernel possible
> > (when running in a Xen VM)?" For PVH (and HVM) = Yes[1] where [1]
> > Impacts Intel CPUs only.
> >
> > Is there any mitigation for this?  i.e. How to protect a guest VM from
> > its own userspace processes.
> 
> That part is handled by the kernel inside the guest. Xen doesn't see
> that happening.
> 
> It's for example the KPTI/KAISER patches that got into the linux kernels
> now.

The most recent update to XSA-254 seems to clearly state that the kernel KPTI 
patches will not protect the guest from itself with the shim installed:

> PV-in-PVH/HVM shim approach leaves *guest* vulnerable to Meltdown
> attacks from its unprivileged users, even if the guest has KPTI
> patches.  That is, guest userspace can use Meltdown to read all memory
> in the same guest.

So the question remains: how do you protect a guest from a malicious user
inside of it?

Is it really the case that the *only* full solution is to move to Xen 4.10 and
guest kernel 4.11?!

Cheers,
Nathan


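The thread's open question is whether the guest kernel's own KPTI is in place, and XSA-254 (quoted above) warns that under the PV shim it is not enough on its own. The script below is an added example, not code from the thread or from the Xen project: it reports what a Linux guest kernel says about its own Meltdown state, first from the sysfs file `/sys/devices/system/cpu/vulnerabilities/meltdown` (present in kernels from 4.15 and in many backports), then falling back to the `pti` flag in `/proc/cpuinfo` on older kernels. The sample inputs are constructed, and the function names and the verdict strings are this example's own. Note what it cannot tell you: a "mitigated" verdict means the guest kernel has KPTI active, not that the hypervisor side has moved off the shim configuration XSA-254 describes.

```shell
#!/bin/sh
# Added example: classify the Meltdown mitigation state a Linux guest
# kernel reports about itself. Not part of the xen-devel thread.
# Assumes a kernel exposing the sysfs "vulnerabilities" directory
# (4.15+ or a distro backport); otherwise falls back to /proc/cpuinfo.

MELTDOWN_SYSFS=/sys/devices/system/cpu/vulnerabilities/meltdown

# Constructed sample /proc/cpuinfo fragments used by the self-test below.
SAMPLE_CPUINFO_PTI='processor	: 0
vendor_id	: GenuineIntel
flags		: fpu vme de pse tsc msr pae pti ibpb'
SAMPLE_CPUINFO_NOPTI='processor	: 0
vendor_id	: GenuineIntel
flags		: fpu vme de pse tsc msr pae ibpb'

# classify_meltdown LINE
# Maps the first line of the sysfs file to one short verdict:
#   mitigated  - kernel reports "Mitigation: PTI" (KPTI active)
#   unaffected - kernel reports "Not affected" (per the matrix footnote,
#                only Intel CPUs are affected)
#   vulnerable - kernel reports "Vulnerable" (no KPTI in this kernel)
#   unknown    - anything else, including kernels that defer to the hypervisor
classify_meltdown() {
    case "$1" in
        "Mitigation: PTI"*) echo mitigated ;;
        "Not affected"*)    echo unaffected ;;
        "Vulnerable"*)      echo vulnerable ;;
        *)                  echo unknown ;;
    esac
}

# has_pti_flag CPUINFO_TEXT
# Older kernels without the sysfs file still advertise "pti" in the
# flags line of /proc/cpuinfo when KPTI is enabled. The whitespace
# anchors keep a flag like "xpti" from matching by substring.
# Exit status 0 when the flag is present, 1 otherwise.
has_pti_flag() {
    printf '%s\n' "$1" | grep -Eq '^flags[[:space:]]*:.*[[:space:]]pti([[:space:]]|$)'
}

# guest_meltdown_report [SYSFS_PATH] [CPUINFO_PATH]
# Prints one verdict line. Both paths are parameters so the same logic
# runs on captured files (for auditing a fleet) or on the live system.
guest_meltdown_report() {
    sysfs=${1:-$MELTDOWN_SYSFS}
    cpuinfo=${2:-/proc/cpuinfo}
    if [ -r "$sysfs" ]; then
        classify_meltdown "$(head -n1 "$sysfs")"
    elif [ -r "$cpuinfo" ] && has_pti_flag "$(cat "$cpuinfo")"; then
        echo mitigated
    else
        echo unknown
    fi
}

# Run against the live guest when executed directly.
if [ "${1:-}" = "--live" ]; then
    guest_meltdown_report
fi
```

Run it inside the guest as `sh meltdown_check.sh --live`; a "vulnerable" or "unknown" verdict on an Intel guest is the signal that the guest kernel itself still needs the KPTI update, independent of what the hypervisor does.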
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
