Re: [PATCH 3/8] kvm: vmx: pass MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD down to the guest

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2018-01-10 at 08:51 -0800, Liran Alon wrote:
> 
> Hmm... This is exactly how Google Project-Zero PoC leaks kvm-
> intel.ko, kvm.ko & vmlinux...
> See section "Locating the host kernel" here:
> https://googleprojectzero.blogspot.co.il/2018/01/reading-privileged-m
> emory-with-side.html
> 
> This was an important primitive in order for them to actually launch
> the attack of reading host's memory pages. As they needed the
> hypervisor addresses such that they will be able to later poison the
> BTB/BHB to gadgets residing in known host addresses.

Ah, joy. I'm not sure that leak is being plugged. Even setting IBRS=1
when entering the guest isn't guaranteed to plug it, as it's only
defined to prevent predictions from affecting a *more* privileged
prediction mode than they were 'learned' in.

Maybe IBPB would suffice? I'm not sure.

Attachment: smime.p7s
Description: S/MIME cryptographic signature


[Index of Archives]     [KVM ARM]     [KVM ia64]     [KVM ppc]     [Virtualization Tools]     [Spice Development]     [Libvirt]     [Libvirt Users]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite Questions]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux