On Wed, 26 Jun 2019, Paolo Bonzini wrote: > On 26/06/19 14:41, Thomas Gleixner wrote: > >> I think it's better to leave the guest in control of SSBD even if it's > >> globally disabled. The harm cannot escape the guest and in particular > >> it cannot escape to the sibling hyperthread. > > > > SSB allows guest to guest attacks IIRC > > SSB requires something like > > p = &foo; > ... > p = &bar; > q = *p; > > where "p = &foo;" is executed from one privilege domain and the others > are executed by another process or privilege domain. Unless two guests > share memory, it is not possible to use it for guest-to-guest attacks. Fair enough. It's way too hot to think clearly about these kind of problems and there are simply way too many of them... Thanks, tglx
