Hello all, I know this is a bit of an old thread, so apologies for being late to the party. :-) I would have a question about this: > > > On 7/12/19 2:36 PM, Peter Zijlstra wrote: > > > > On Fri, Jul 12, 2019 at 02:17:20PM +0200, Alexandre Chartre > > > > wrote: > > > > > On 7/12/19 1:44 PM, Peter Zijlstra wrote: > > > > > > AFAIK3 this wants/needs to be combined with core-scheduling > > > > > > to be > > > > > > useful, but not a single mention of that is anywhere. > > > > > > > > > > No. This is actually an alternative to core-scheduling. > > > > > Eventually, ASI > > > > > will kick all sibling hyperthreads when exiting isolation and > > > > > it needs to > > > > > run with the full kernel page-table (note that's currently > > > > > not in these > > > > > patches). > I.e., about the fact that ASI is presented as an alternative to core-scheduling or, at least, as it will only need integrate a small subset of the logic (and of the code) from core-scheduling, as said here: > I haven't looked at details about what has been done so far. > Hopefully, we > can do something not too complex, or reuse a (small) part of co- > scheduling. > Now, sticking to virtualization examples, if you don't have core- scheduling, it means that you can have two vcpus, one from VM A and the other from VM B, running on the same core, one on thread 0 and the other one on thread 1, at the same time. And if VM A's vcpu, running on thread 0, exits, then VM B's vcpu running in guest more on thread 1 can read host memory, as it is speculatively accessed (either "normally" or because of cache load gadgets) and brought in L1D cache by thread 0. And Indeed I do see how ASI protects us from this attack scenario. However, when the two VMs' vcpus are both running in guest mode, each one on a thread of the same core, VM B's vcpu running on thread 1 can exploit L1TF to peek at and steal secrets that VM A's vcpu, running on thread 0, is accessing, as they're brought into L1D cache... can't it? How can, ASI *without* core-scheduling, prevent this other attack scenario? Because I may very well be missing something, but it looks to me that it can't. In which case, I'm not sure we can call it "alternative" to core-scheduling.... Or is the second attack scenario that I tried to describe above, not considered interesting? Thanks and Regards -- Dario Faggioli, Ph.D http://about.me/dario.faggioli Virtualization Software Engineer SUSE Labs, SUSE https://www.suse.com/ ------------------------------------------------------------------- <<This happens because _I_ choose it to happen!>> (Raistlin Majere)
Attachment:
signature.asc
Description: This is a digitally signed message part