On Wed, 2018-01-10 at 08:19 -0800, Liran Alon wrote: > > (1) On VMEntry, Intel recommends to just restore SPEC_CTRL to guest > value (using WRMSR or MSR save/load list) and that's it. As I > previously said to Jim, I am missing here a mechanism which should be > responsible for hiding host's BHB & RSB from guest. Therefore, guest > still have the possibility to info-leak host's kernel module > addresses (kvm-intel.ko / kvm.ko / vmlinux). How so? The host has the capability to attack the guest... but that's not an interesting observation. I'm not sure why you consider it an information leak to have host addresses in the BTB/RSB when the guest is running; it's not like they can be *read* from there. Perhaps you could mount a really contrived attack where you might attempt to provide your own spec-leak code at various candidate addresses that you think might be host BTB targets, and validate your assumptions... but I suspect basic cache-based observations were easier than that anyway. I don't think this is a consideration.
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
