[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] x86/pv: Enable pv-l1tf mitigations for dom0 by default

>>> On 31.01.19 at 14:59, <andrew.cooper3@xxxxxxxxxx> wrote:
> At the time XSA-273 was published, shadowing dom0 had proved to be unstable,
> which is why dom0 was unprotected by default.  The instability was identified
> to be problems with shadowing PV superpages, and fixed.
> In hindsight, this patch should have been posted at the same time.
> There is now no legitimate reason to handle dom0 differently to domu when it
> comes to pv-l1tf protections.

I'm not entirely convinced by this statement: Crashing Dom0
(and hence the entire host) because of a failure to enable
shadow mode on it is not a good thing imo. What's wrong
with sticking to the current default, just for reasons other
than the original one? Anything malicious running in Dom0
has easier (or at least different) ways of getting at the same


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.