On 4/15/19 9:34 AM, Dario Faggioli wrote:

point is this: - exploiting L1TF, it may be possible to read the host physical RAM from inside a VM. This means malicious code running inside a VM can read the memory of other applications inside the same VM, of other VMs and also of the hypervisor. It is not entirely trivial, even without mitigations applied, but it's possible, and proofs of contept do exist; - for Xen PV guests, if the guest has "PTE Inversion" and Xen has pv-l1tf enabled, the problem is fully mitigated; - for Xen HVM guests or KVM guests, on system without hyperthreading (or with hyperthreading properly disabled), if L1D flush is supported (by hardware and hypervisor) and enabled, the problem is fully mitigated; - for Xen HVM guests or KVM guests, on system with hypetrheading, the problem can't be fully mitigated.

That's really clear. And the 1st time I've read it all, so succinctly stated, in one place. It would, IMO, be very helpful on a 'Spectre on *Suse' doc/wiki page. atm, on this particular host, my Xen cmd line includes: spec-ctrl=ssbd,l1d-flush=true pv-l1tf=dom0=true,domu=true smt=true which may, or not, be overkill/risky; still need to do some reading up on the relative merits.

For KVM guests and Xen HVM guests, can you paste the full output of the section "CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault'" ?

Don't have a Xen HVM up right at the moment. For KVM guest (@ Linode, fwiw), spectre-meltdown-checker.sh ... CVE-2018-3646 aka 'Foreshadow-NG (VMM), L1 terminal fault' * Information from the /sys interface: * This system is a host running an hypervisor: NO * Mitigation 1 (KVM) * EPT is disabled: N/A (the kvm_intel module is not loaded) * Mitigation 2 * L1D flush is supported by kernel: YES (found flush_l1d in kernel image) * L1D flush enabled: UNKNOWN (unrecognized mode) * Hardware-backed L1D flush supported: NO (flush will be done in software, this is slower) * Hyper-Threading (SMT) is enabled: NO > STATUS: NOT VULNERABLE (this system is not running an hypervisor) > SUMMARY: CVE-2017-5753:OK CVE-2017-5715:OK CVE-2017-5754:OK CVE-2018-3640:OK CVE-2018-3639:OK CVE-2018-3615:OK CVE-2018-3620:OK CVE-2018-3646:OK IIUC from your comments above, the apparently *dis*abled SMT hyperthreading leads, in this case, to the mitigation STATUS ==> NOT VULNERABLE -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org