
Re: [Xen-devel] Xen Project Spectre/Meltdown FAQ



On 12/01/18 17:17, Nathan March wrote:
>>> In the matrix I see "Is a user space attack on the guest kernel possible
>>> (when running in a Xen VM)?" For PVH (and HVM) = Yes[1] where [1]
>>> Impacts Intel CPUs only.
>>>
>>> Is there any mitigation for this?  i.e. How to protect a guest VM from
>>> its own userspace processes.
>> That part is handled by the kernel inside the guest. Xen doesn't see
>> that happening.
>>
>> It's for example the KPTI/KAISER patches that got into the linux kernels
>> now.
> The most recent update to XSA-254 seems to clearly state that the kernel KPTI 
> patches will not protect the guest from itself with the shim installed:
>
>> PV-in-PVH/HVM shim approach leaves *guest* vulnerable to Meltdown
>> attacks from its unprivileged users, even if the guest has KPTI
>> patches.  That is, guest userspace can use Meltdown to read all memory
>> in the same guest.
> So the questions remains, how do you protect a guest from a malicious user 
> inside of it?

Switch it to being an HVM/PVH guest, and use Linux's KPTI, or wait to
see if we can sensibly implement XPTI.

A PV guest executes just like a userspace process under native Linux.  The
architecture means that Xen owns the pagetables, but that the guest
kernel controls the content (albeit audited) of the pagetables.

A full and proper fix for SP3/Meltdown for PV guests can only come from
a change in Xen.  Otherwise, it is like expecting that a change in
systemd would be able to make your native system secure to SP3/Meltdown.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
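The practical question in the thread is "is my guest one of the cases where in-guest KPTI actually helps?". The following is an added example, not code from the mail or from the Xen project, that encodes Andrew's reasoning as a check a guest administrator can run: PV guests are not protected by their own KPTI (the fix must come from Xen, or from moving to HVM/PVH), HVM/PVH guests are protected when the guest kernel runs PTI, and the user-to-kernel variant is Intel-only per the FAQ matrix. The sysfs/procfs paths (`/sys/hypervisor/guest_type`, `/sys/devices/system/cpu/vulnerabilities/meltdown`, `/proc/cpuinfo`) and the exact strings matched (`Mitigation: PTI`, the `pti` CPU flag, `PV`/`HVM` guest types) are assumptions about recent Linux kernels, not something the thread states; the sample inputs are constructed.

```python
"""Classify a Linux guest's exposure to Meltdown (SP3) from its own userspace,
following the reasoning in the reply above: in-guest KPTI only helps for
HVM/PVH guests; a PV guest needs a fix in Xen itself (XPTI) or a switch
of guest type.

Added example, not part of the original mail. The sysfs/procfs paths and
the exact strings matched are assumptions about recent Linux kernels.
"""
from pathlib import Path

# Assumed sources of truth on a Linux guest (assumption, not from the thread).
GUEST_TYPE_PATH = Path("/sys/hypervisor/guest_type")   # "PV" / "HVM" on Xen guests
MELTDOWN_PATH = Path("/sys/devices/system/cpu/vulnerabilities/meltdown")
CPUINFO_PATH = Path("/proc/cpuinfo")


def parse_cpuinfo(text):
    """Return (vendor_id, set of flags) from the first processor entry of /proc/cpuinfo."""
    vendor = ""
    flags = set()
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "vendor_id" and not vendor:
            vendor = value
        elif key == "flags" and not flags:
            flags = set(value.split())
    return vendor, flags


def kpti_active(meltdown_text, flags):
    """KPTI is on if the kernel reports PTI as its mitigation or exports the 'pti' flag
    (assumed strings for Linux 4.15+)."""
    return "Mitigation: PTI" in meltdown_text or "pti" in flags


def classify(guest_type, meltdown_text, cpuinfo_text):
    """Answer: can this guest's userspace read the guest kernel's memory via Meltdown?

    Returns (protected, reason). The decision follows the mail:
      * non-Intel CPU: the user-to-guest-kernel variant is Intel-only per the FAQ matrix
      * HVM/PVH: the guest kernel's own KPTI is what protects it
      * PV: Xen owns the pagetables, so KPTI inside the guest cannot help; the fix
        has to come from Xen (XPTI) or from moving the guest to HVM/PVH
    """
    vendor, flags = parse_cpuinfo(cpuinfo_text)
    gtype = guest_type.strip().upper()
    if vendor != "GenuineIntel":
        return True, "not Intel: this Meltdown variant is Intel-only"
    if gtype == "PV":
        return False, "PV guest: in-guest KPTI cannot protect it; needs XPTI in Xen or a switch to HVM/PVH"
    if gtype in ("HVM", "PVH"):
        if kpti_active(meltdown_text, flags):
            return True, "%s guest with KPTI active" % gtype
        return False, "%s guest without KPTI: enable PTI in the guest kernel" % gtype
    return False, "unknown guest type %r: treat as unprotected" % guest_type


def classify_live():
    """Read the real files on this machine; only meaningful on a Xen guest."""
    return classify(GUEST_TYPE_PATH.read_text(),
                    MELTDOWN_PATH.read_text(),
                    CPUINFO_PATH.read_text())


# Constructed sample inputs (not captured from a real host).
SAMPLE_CPUINFO_INTEL_PTI = "processor\t: 0\nvendor_id\t: GenuineIntel\nflags\t\t: fpu sse2 hypervisor pti\n"
SAMPLE_CPUINFO_INTEL_NOPTI = "processor\t: 0\nvendor_id\t: GenuineIntel\nflags\t\t: fpu sse2 hypervisor\n"
SAMPLE_CPUINFO_AMD = "processor\t: 0\nvendor_id\t: AuthenticAMD\nflags\t\t: fpu sse2 hypervisor\n"

if __name__ == "__main__":
    for gtype, meltdown, cpuinfo in [
        ("PV", "Mitigation: PTI\n", SAMPLE_CPUINFO_INTEL_PTI),   # KPTI on, still unprotected
        ("HVM", "Mitigation: PTI\n", SAMPLE_CPUINFO_INTEL_PTI),  # protected
        ("HVM", "Vulnerable\n", SAMPLE_CPUINFO_INTEL_NOPTI),     # enable PTI in the guest
        ("PV", "Vulnerable\n", SAMPLE_CPUINFO_AMD),              # not Intel
    ]:
        print(gtype, classify(gtype, meltdown, cpuinfo))
```

The PV case is deliberately independent of what the guest kernel reports: a PV guest that shows `Mitigation: PTI` is still classified as unprotected, which is exactly the point of the XSA-254 note quoted in the thread.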