lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 9 Dec 2017 07:33:37 +0000
From:   "Sironi, Filippo" <sironi@...zon.de>
To:     Paolo Bonzini <pbonzini@...hat.com>
CC:     Radim Krcmar <rkrcmar@...hat.com>,
        "kvm@...r.kernel.org" <kvm@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 2/2] KVM: x86: Allow userspace to define what's the
 microcode version


> On 27. Nov 2017, at 02:40, Paolo Bonzini <pbonzini@...hat.com> wrote:
> 
> On 26/11/2017 17:41, Filippo Sironi wrote:
>> ... that the guest should see.
>> Guest operating systems may check the microcode version to decide whether
>> to disable certain features that are known to be buggy up to certain
>> microcode versions.  Address the issue by making the microcode version
>> that the guest should see settable.
> 
> What's the advantage of specifying the microcode version, rather than
> relying on userspace to drop the CPUID bit for the buggy feature?
> 
>                           old guest(*)         new guest
> 
>   hide in CPUID              good                 good
> 
>   use ucode rev              BAD                  good
> 
> 
> (*) old guest = doesn't know that the feature is buggy until a given
> ucode revision
> 
> Thanks,
> 
> Paolo

On C5 and M5 instances, we're basically exposing the host CPUID with few
exceptions.  Linux (among the others) has checks to make sure that certain
features aren't enabled on a certain family/model/stepping if the microcode
version isn't greater than or equal to a known good version.
apic_check_deadline_errata() in arch/x86/kernel/apic/apic.c is the most
recent example in Linux that I know of (by now you've updated it ;) but
when we got the original bug report that triggered this patch, this wasn't
the case).

By exposing the real microcode version, we're preventing buggy guests that
don't check that they are running virtualized (i.e., they should trust the
hypervisor) from disabling features that are effectively not buggy.

Filippo

>> The rationale for having userspace specifying the microcode version, rather
>> than having the kernel picking it, is to ensure consistency for live-migrated
>> instances; we don't want them to see a microcode version increase without a
>> reset.

Amazon Development Center Germany GmbH
Berlin - Dresden - Aachen
main office: Krausenstr. 38, 10117 Berlin
Geschaeftsfuehrer: Dr. Ralf Herbrich, Christian Schlaeger
Ust-ID: DE289237879
Eingetragen am Amtsgericht Charlottenburg HRB 149173 B

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ