[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Qemu-devel] [qemu-web PATCH] improved phrasing regarding Meltdown and l
From: |
Paolo Bonzini |
Subject: |
[Qemu-devel] [qemu-web PATCH] improved phrasing regarding Meltdown and live migration |
Date: |
Fri, 5 Jan 2018 15:08:11 +0100 |
---
_posts/2018-01-04-spectre.md | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/_posts/2018-01-04-spectre.md b/_posts/2018-01-04-spectre.md
index 5bbc7ed..ca11324 100644
--- a/_posts/2018-01-04-spectre.md
+++ b/_posts/2018-01-04-spectre.md
@@ -13,11 +13,13 @@ named _Meltdown_ and _Spectre_, affect in one way or
another almost
all processors that perform out-of-order execution, including x86 (from
Intel and AMD), POWER, s390 and ARM processors.
-No microcode updates are required to block the _Meltdown_ attack; it is
-enough to update the guest operating system to a version that separates
-the user and kernel address spaces (known as _page table isolation_ for
-the Linux kernel). Therefore, this post will focus on _Spectre_, and
-especially on
[CVE-2017-5715](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715).
+No microcode updates are required to block the _Meltdown_ attack. In
+addition, the _Meltdown_ flaw does not allow a malicious guest to read the
+contents of hypervisor memory. Fixing it only requires that the operating
+system separates the user and kernel address spaces (known as _page table
+isolation_ for the Linux kernel), which can be done separately on the host
+and the guests. Therefore, this post will focus on _Spectre_, and especially
+on
[CVE-2017-5715](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715).
Fixing or mitigating _Spectre_ in general, and CVE-2017-5715 in particular,
requires cooperation between the processor and the operating system kernel or
@@ -52,9 +54,10 @@ host from malicious guests__. Nevertheless, updates will be
posted to the
qemu-devel mailing list in the next few days, and a 2.11.1 patch release
will be released with the fix.
-Once updates are provided, __live migration will not be enough to protect
-guest kernel from guest userspace__. Because the virtual CPU has to be
-changed to one with the new CPUID bits, the guest will have to be restarted.
+Once updates are provided, __live migration to an updated version of
+QEMU will not be enough to protect guest kernel from guest userspace__.
+Because the virtual CPU has to be changed to one with the new CPUID bits,
+the guest will have to be restarted.
As of today, the QEMU project is not aware of whether similar changes will
be required for non-x86 processors. If so, they will also posted to the
@@ -67,4 +70,5 @@
Zero](https://googleprojectzero.blogspot.it/2018/01/reading-privileged-memory-wi
posts on the topic, as well as the [Spectre and Meltdown
FAQ](https://meltdownattack.com/#faq).
__5 Jan 2018__: clarified the level of protection provided by the host kernel
-update; added a note on live migration.
+update; added a note on live migration; clarified the impact of Meltdown on
+virtualization hosts
--
2.14.3
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Qemu-devel] [qemu-web PATCH] improved phrasing regarding Meltdown and live migration,
Paolo Bonzini <=