
Re: [PATCH] x86/spec-ctrl: Use IST RSB protection for !SVM systems


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Fri, 5 Aug 2022 12:49:40 +0200
  • Cc: Roger Pau Monné <roger.pau@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Fri, 05 Aug 2022 10:49:55 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 05.08.2022 12:38, Andrew Cooper wrote:
> There is a corner case where a VT-x guest which manages to reliably trigger
> non-fatal #MC's could evade the rogue RSB speculation protections that were
> supposed to be in place.
> 
> This is a lack of defence in depth; Xen does not architecturally execute more
> RET than CALL instructions, so an attacker would have to locate a different
> gadget (e.g. SpectreRSB) first to execute a transient path of excess RET
> instructions.
> 
> Signed-off-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>

Reviewed-by: Jan Beulich <jbeulich@xxxxxxxx>




 

