[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Xen and the Intel security vulnerability.

To: Jason Long <hack3rcon@xxxxxxxxx>, David Kahurani <k.kahurani@xxxxxxxxx>, Charles Gonçalves <charles.fg@xxxxxxxxx>
From: Pierre-Philipp Braun <pbraun@xxxxxxxxxxxx>
Date: Fri, 28 Aug 2020 18:20:18 +0200
Cc: "gichini.ngaruiya@xxxxxxxxx" <gichini.ngaruiya@xxxxxxxxx>, "admin@xxxxxxxxxxxxxxxx" <admin@xxxxxxxxxxxxxxxx>, Xen-users <xen-users@xxxxxxxxxxxxxxxxxxxx>
Delivery-date: Fri, 28 Aug 2020 16:38:20 +0000
List-id: Xen user discussion <xen-users.lists.xenproject.org>

On 12.08.2020 19:13, Jason Long wrote:
> Yes.

There are many, many advisories that are related to Intel vulns and Ibelieve, including the more recent ones, not only Spectre & Meltdown.I've read a few of the advisories and it seems there's a performanceimpact, as some optimizations are now disabled by default.

In case you have concerns regarding security, just keeping your setupup-to-date should be good enough, be it using some distro's binaries orfrom source.

In case you are rather concerned about performance, that's anotherstory. I suppose one would need to double-check many options to see ifhe's affected by specific optimization he would like to re-enable. I amthinking of e.g. `smt=1 ept=exec-sp` *1. I myself wonder how dangerousthis is (anybody?). Note there are also embedded mitigations in theLinux kernel, which can be disabled by adding `mitigations=off` as aboot argument *2.


*1 http://xenbits.xen.org/docs/unstable/misc/xen-command-line.html
*2 https://make-linux-fast-again.com/

I would be happy to see another thread or some guide tackling the XENperformance tuning vs security topic, and hopefully some gurus wouldenlighten us (in what situation can we disable those mitigations?).That's just my two cents. I would be glad to proceed with somebenchmarks, though, to measure the negative performance impact of thosemitigations.


Best regards,
--
Pierre-Philipp







On Wednesday, August 12, 2020, 01:08:47 PM GMT+4:30, Charles Gonçalves 
<charles.fg@xxxxxxxxx> wrote:





Are you referring to Spectre and meltdown ?

On Wed, Aug 12, 2020, 05:46 David Kahurani <k.kahurani@xxxxxxxxx> wrote:

On Mon, Aug 03, 2020 at 07:24:11AM +0000, Jason Long wrote:

Hello,When the Intel security vulnerability discovered then how long did it 
take to solve?


Hello

You mean CPU specific bugs? Most bugs/vulnerabilities rely on technicalities 
and are therefore easy to fix/solve.

Thanks.

References:
- Xen and the Intel security vulnerability.
  - From: Jason Long
- Re: Xen and the Intel security vulnerability.
  - From: David Kahurani
- Re: Xen and the Intel security vulnerability.
  - From: Charles Gonçalves
- Re: Xen and the Intel security vulnerability.
  - From: Jason Long

Prev by Date: Re: arm (qemu -M virt) 64 bit xen running 32 bit guest problem
Next by Date: Re: Watchdog triggered while trying to access shared page
Previous by thread: Re: Xen and the Intel security vulnerability.
Next by thread: Is LivePatch ready to use?
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.