Mailinglist Archive: opensuse-security (6 mails)

< Previous Next >
[opensuse-security] Re: [opensuse-virtual] How to correctly configure mitigation of CVE-2018-3646 'Foreshadow-NG (VMM)' on Xen Dom0 host?
On 4/15/19 10:49 AM, Dario Faggioli wrote:
On Mon, 2019-04-15 at 09:59 -0700, PGNet Dev wrote:
It's pretty much what we do by default, which might be seen as a good
sign, I guess.

*Suse also enables "IBPB" by default. is that (still) correct?

Which I'd like to NOT take the purported ~20% performance hit for, and believe I've correctly (?) DISabled with adding:

spectre_v2=retpoline,generic

to my grub config's kernel command line

Well, not quite. :-/

In fact, this is from inside a guest. In order for things to be 100%
safe, hyperthreading should be disabled at the _host_ level, which is
something that the guest can't know.

Actually, the guest can't know for sure whether or not the underlying
host it is running on has L1D flush supported and enabled either.

So, I think it is calling it "NOT VULNERABLE" on the ground, e.g., that
, as it says, "this system is not running an hypervisor". But that is
going to be true for any VM, unless one is using nested virtualization.

If that's the case, the whole 'Foreshadow-NG (VMM)' block appears to be
rather bogous... but I really want to speak only after having checked
the code. :-)

Understood.

Also, I *did* see a KVM host-side change (namely, an upgrade to a fully patched Host) that switched the reporting of Variant 3a & 4 vulnerabilities from VULNERABLE ==> NOT VULNERABLE, in the guest.

Which I believe is expected.


--
To unsubscribe, e-mail: opensuse-security+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-security+owner@xxxxxxxxxxxx

< Previous Next >
List Navigation
This Thread