On Wed, 2018-01-10 at 08:51 -0800, Liran Alon wrote: > > Hmm... This is exactly how Google Project-Zero PoC leaks kvm- > intel.ko, kvm.ko & vmlinux... > See section "Locating the host kernel" here: > https://googleprojectzero.blogspot.co.il/2018/01/reading-privileged-m > emory-with-side.html > > This was an important primitive in order for them to actually launch > the attack of reading host's memory pages. As they needed the > hypervisor addresses such that they will be able to later poison the > BTB/BHB to gadgets residing in known host addresses. Ah, joy. I'm not sure that leak is being plugged. Even setting IBRS=1 when entering the guest isn't guaranteed to plug it, as it's only defined to prevent predictions from affecting a *more* privileged prediction mode than they were 'learned' in. Maybe IBPB would suffice? I'm not sure.
Attachment:
smime.p7s
Description: S/MIME cryptographic signature