
Re: Xen and the Intel security vulnerability.



On 12.08.2020 19:13, Jason Long wrote:
> Yes.

There are many, many advisories that are related to Intel vulns and I believe, including the more recent ones, not only Spectre & Meltdown. I've read a few of the advisories and it seems there's a performance impact, as some optimizations are now disabled by default.

In case you have concerns regarding security, just keeping your setup up-to-date should be good enough, be it using some distro's binaries or from source.

In case you are rather concerned about performance, that's another story. I suppose one would need to double-check many options to see if he's affected by a specific optimization he would like to re-enable. I am thinking of e.g. `smt=1 ept=exec-sp` *1. I myself wonder how dangerous this is (anybody?). Note there are also embedded mitigations in the Linux kernel, which can be disabled by adding `mitigations=off` as a boot argument *2.

*1 http://xenbits.xen.org/docs/unstable/misc/xen-command-line.html
*2 https://make-linux-fast-again.com/

I would be happy to see another thread or some guide tackling the XEN performance tuning vs security topic, and hopefully some gurus would enlighten us (in what situation can we disable those mitigations?). That's just my two cents. I would be glad to proceed with some benchmarks, though, to measure the negative performance impact of those mitigations.

Best regards,
--
Pierre-Philipp







On Wednesday, August 12, 2020, 01:08:47 PM GMT+4:30, Charles Gonçalves 
<charles.fg@xxxxxxxxx> wrote:





Are you referring to Spectre and Meltdown?

On Wed, Aug 12, 2020, 05:46 David Kahurani <k.kahurani@xxxxxxxxx> wrote:
On Mon, Aug 03, 2020 at 07:24:11AM +0000, Jason Long wrote:
Hello, When the Intel security vulnerability discovered then how long did it 
take to solve?

Hello

You mean CPU specific bugs? Most bugs/vulnerabilities rely on technicalities 
and are therefore easy to fix/solve.


Thanks.
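Added example, not part of the original thread and not Xen Project code: a small audit script that flags the options named in the message above (`smt=1`, `ept=exec-sp`, `mitigations=off`) in a boot command line and lists the CPU issues the running Linux kernel reports as unmitigated. The function names and the sample command lines are constructed for illustration, and the accepted boolean spellings are an assumption about Xen's option parser.

```shell
#!/bin/sh
# Audit boot command lines for the mitigation-relaxing options named in this
# thread, and list CPU issues the running Linux kernel reports as vulnerable.

# Boolean spellings treated as "enabled" (assumption about Xen's parser).
is_true() {
    case "$1" in 1|yes|on|true|enable) return 0 ;; *) return 1 ;; esac
}

# Print one line per relaxing option found in the command line passed as $1.
# The body runs in a subshell so set -f and IFS changes do not leak out.
audit_cmdline() (
    set -f
    for tok in $1; do
        case "$tok" in
            mitigations=off) echo "linux: $tok" ;;
            smt=*) if is_true "${tok#smt=}"; then echo "xen: $tok"; fi ;;
            ept=*)
                # ept= takes a comma-separated list; exec-sp may be bare or
                # exec-sp=<bool>. A no-exec-sp entry is not flagged.
                IFS=,
                for sub in ${tok#ept=}; do
                    case "$sub" in
                        exec-sp) echo "xen: ept=$sub" ;;
                        exec-sp=*)
                            if is_true "${sub#exec-sp=}"; then
                                echo "xen: ept=$sub"
                            fi ;;
                    esac
                done ;;
        esac
    done
)

# Print "<issue>: <status>" for every entry whose status starts "Vulnerable".
# $1 defaults to the kernel's sysfs directory; a test can pass its own.
audit_sysfs() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        status=$(cat "$f")
        case "$status" in Vulnerable*) echo "${f##*/}: $status" ;; esac
    done
}

# Constructed sample lines (not taken from any real host).
SAMPLE_XEN="dom0_mem=4096M smt=1 ept=pml,exec-sp"
SAMPLE_LINUX="root=/dev/sda1 ro mitigations=off"
audit_cmdline "$SAMPLE_XEN $SAMPLE_LINUX"
audit_sysfs
```

On a Xen host, the hypervisor's own line is the `xen_commandline` field of `xl info` and the dom0 kernel's line is `/proc/cmdline`; the sysfs directory only reflects the view of the kernel it is read from.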





 

