From: Wei Liu <wei.liu2@citrix.com>
To: Andy Smith <andy@strugglers.net>
Cc: xen-devel <xen-devel@lists.xenproject.org>,
	Wei Liu <wei.liu2@citrix.com>, Jan Beulich <JBeulich@suse.com>
Subject: Re: [PATCH v3 1/2] x86: Meltdown band-aid against malicious 64-bit PV guests
Date: Tue, 16 Jan 2018 19:02:51 +0000
Message-ID: <20180116190251.m3n2z77y4jgdmle6@citrix.com>
In-Reply-To: <20180116172840.GF29360@bitfolk.com>

On Tue, Jan 16, 2018 at 05:28:40PM +0000, Andy Smith wrote:
> Hi Jan,
> 
> On Tue, Jan 16, 2018 at 08:21:52AM -0700, Jan Beulich wrote:
> > This is a very simplistic change limiting the amount of memory a running
> > 64-bit PV guest has mapped (and hence available for attacking): Only the
> > mappings of stack, IDT, and TSS are being cloned from the direct map
> > into per-CPU page tables.
> 
> Can this be used with Comet/Vixen to further protect PV guests? i.e.
> if the shim hypervisor has these changes then will it also limit
> what a process in the PV guest can see in that shim hypervisor,
> which therefore protects its own guest kernel a bit too?
> 

Yes, but please be warned that the guest is very very slow. I don't
think XPTI + shim is very usable at this stage.

If you're interested in trying that out, check out staging branch and
build a shim from there.

Wei.

