Subject: [MODERATED] Re: LVI
From: Paolo Bonzini
To: speck@linutronix.de
Date: Tue, 26 Nov 2019 11:55:21 +0100
In-Reply-To: <20191126005417.GG84886@tassilo.jf.intel.com>
References: <20191119174008.7dbymix2eo4mrv57@treble> <20191126005417.GG84886@tassilo.jf.intel.com>

On 26/11/19 01:54, speck for Andi Kleen wrote:
>
> Hi Folks,
>
> We (well Tony, but he's currently on vacation) did a lot of analysis on LVI and we
> concluded the kernel does not need any new changes. That's why you didn't see any
> patches from Intel on this.
>
> Longer story:
>
> Assists are somewhat messy and can happen in many circumstances. However most
> are rare and hard to trigger, so if you get them they're typically not usable
> for a high loop count practical side channel. The main exception is the page A/D
> assist which can be triggered in the kernel by *_user()
>
> *_user is protected by STAC/CLAC already and those have strong enough semantics
> to stop an LVI attack outside the uaccess region. But of course there are CPUs
> (pre BDW) which don't have STAC/CLAC.
>
> But to do anything with LVI you need a Spectre v1 style read gadget. Without
> a gadget the attack is not feasible. And those gadgets are usually Spectre v1
> problems, so they would need to be fixed anyways.

Don't you need only half of a Spectre v1 gadget (see the Xen advisory at
https://xenbits.xen.org/xsa/advisory-289.html and the KVM patch at
https://marc.info/?l=kvm&m=157444806904659&w=2)? Also I assume you
didn't take into account using vmexits as an assist.

Paolo