Hi Vitaly,

I just watched your FOSDEM talk on CPU vulnerabilities in public clouds: https://mirror.cyberbits.eu/fosdem/2020/H.1309/vai_pubic_clouds_and_vulnerable_cpus.webm

If I understand correctly the situation for cloud users is:

1. The cloud provider takes care of hypervisor and CPU microcode fixes, but the instance may still be vulnerable to inter-process or guest kernel attacks.

2. /sys/devices/system/cpu/vulnerabilities lists vulnerabilities that the guest kernel knows about. This might be outdated if new vulnerabilities have been discovered since the kernel was installed. False negatives are possible, where your slides show the guest kernel thinks there is no mitigation but you suspect the cloud provider has a fix in place.

3. Cloud users still need to learn about every vulnerability to understand whether inter-process or guest kernel attacks are possible.

Overall this seems to leave cloud users in a bad situation. They still need to become experts in each vulnerability and don't have reliable information on their protection status. Users with deep pockets will pay someone to do the work for them. For many users the answer will probably be to apply guest OS updates and hope for the best? :(

It would be nice if /sys/devices/system/cpu/vulnerabilities was at least accurate...

Do you have any thoughts on improving the situation for users?

Stefan
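A small checker for the sysfs directory discussed in point 2, added here as an example (it is not from the original message or the talk): it classifies each entry the guest kernel reports and also lists the entry names the kernel does not report at all, which is the "outdated list" case. The EXPECTED_ENTRIES reference list and the SAMPLE file contents are assumptions constructed for illustration.

```python
from pathlib import Path

# Assumed reference list of sysfs entry names (extend as upstream adds more);
# a guest kernel that predates an entry has no file for it.
EXPECTED_ENTRIES = (
    "meltdown", "spectre_v1", "spectre_v2", "spec_store_bypass",
    "l1tf", "mds", "tsx_async_abort", "itlb_multihit", "srbds",
)

def classify(text):
    """Map one sysfs value ("Not affected", "Vulnerable[: detail]",
    "Mitigation: detail") to a status keyword."""
    value = text.strip()
    if value == "Not affected":
        return "not_affected"
    if value.startswith("Mitigation:"):
        return "mitigated"
    if value.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"

def summarise(entries):
    """entries: entry name -> file content as read from sysfs.
    Returns each entry's status plus expected names the kernel does not report."""
    status = {name: classify(text) for name, text in entries.items()}
    missing = sorted(n for n in EXPECTED_ENTRIES if n not in entries)
    return {"status": status, "missing": missing}

def read_sysfs(root="/sys/devices/system/cpu/vulnerabilities"):
    """Read every file under the sysfs directory into a name -> content dict."""
    base = Path(root)
    if not base.is_dir():
        return {}
    return {p.name: p.read_text() for p in base.iterdir() if p.is_file()}

# Constructed sample: an older guest kernel that knows nothing about mds
# or the entries added after it.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: usercopy/swapgs barriers\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
    "spec_store_bypass": "Vulnerable\n",
    "l1tf": "Not affected\n",
}

if __name__ == "__main__":
    report = summarise(read_sysfs() or SAMPLE)
    for name, state in sorted(report["status"].items()):
        print(f"{name:20} {state}")
    print("not reported by this kernel:", ", ".join(report["missing"]) or "none")
```

A name in the "not reported" list means the running kernel cannot tell you anything about that issue, so the absence of a "Vulnerable" line is not evidence of protection.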