[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Qemu-devel] [qemu-web PATCH] Add a blog post documenting Spectre/Me
|
From: |
Michael Roth |
|
Subject: |
Re: [Qemu-devel] [qemu-web PATCH] Add a blog post documenting Spectre/Meltdown options for QEMU 2.11.1 |
|
Date: |
Wed, 14 Feb 2018 08:56:37 -0600 |
|
User-agent: |
alot/0.6 |
Quoting Paolo Bonzini (2018-02-14 04:33:29)
> On 14/02/2018 09:51, Daniel P. Berrangé wrote:
> >> +Please note that, as mentioned in the previous blog post, QEMU/KVM
> >> generally
> >> +has the same requirements as other unpriviledged processes running on the
> >> +host WRT Spectre/Meltdown mitigation.
> >
> > Is this actually still considered accurate wrt the host QEMU ? I was under
> > the believe that life is more complicated for QEMU/KVM wrt Spectre and that
> > it will require more protection than other unpriv processes on the host in
> > some cases.
>
> The plan is for KVM to ensure that QEMU can be treated as yet another
> unprivileged process. Anything else would require applying the same
> care to all of QEMU's dependencies.
Would the following re-wording be reasonable? The main goal of the
statement is to stress that additional patches pertaining to general
host-side security are still needed to secure a QEMU/KVM host, not
so much to suggest that there isn't anything needed beyond that.
-Please note that, as mentioned in the previous blog post, QEMU/KVM generally
-has the same requirements as other unpriviledged processes running on the
-host WRT Spectre/Meltdown mitigation. What is being addressed here is
-enabling a guest operating system to enable the same (or similar) mitigations
-to protect itself from unpriviledged guest processes. Thus, the
-patches/requirements listed here are specific to that goal and should not be
-regarded as the full set of requirements to enable mitigations on the host
-side (though in some cases there is some overlap between the two WRT required
-patches/etc).
+Please note that QEMU/KVM has at least the same requirements as other
+unpriviledged processes running on the host WRT Spectre/Meltdown
+mitigation. What is being addressed here is enabling a guest operating system
+to enable the same (or similar) mitigations to protect itself from
+unpriviledged guest processes. Thus, the patches/requirements listed here are
+specific to that goal and should not be regarded as the full set of
+requirements to enable mitigations on the host side (though in some cases
+there is some overlap between the two WRT required patches/etc).
>
> Paolo
>
- [Qemu-devel] [qemu-web PATCH] Add a blog post documenting Spectre/Meltdown options for QEMU 2.11.1, Michael Roth, 2018/02/13
- Re: [Qemu-devel] [qemu-web PATCH] Add a blog post documenting Spectre/Meltdown options for QEMU 2.11.1, Bruce Rogers, 2018/02/13
- Re: [Qemu-devel] [qemu-web PATCH] Add a blog post documenting Spectre/Meltdown options for QEMU 2.11.1, Daniel P . Berrangé, 2018/02/14
- Re: [Qemu-devel] [qemu-web PATCH] Add a blog post documenting Spectre/Meltdown options for QEMU 2.11.1, Thomas Huth, 2018/02/14
- Re: [Qemu-devel] [qemu-web PATCH] Add a blog post documenting Spectre/Meltdown options for QEMU 2.11.1, Cornelia Huck, 2018/02/14
- Re: [Qemu-devel] [qemu-web PATCH] Add a blog post documenting Spectre/Meltdown options for QEMU 2.11.1, Dr. David Alan Gilbert, 2018/02/14