Message-ID: <1515602823.22302.210.camel@infradead.org>
Date:   Wed, 10 Jan 2018 16:47:03 +0000
From:   David Woodhouse <dwmw2@...radead.org>
To:     Liran Alon <liran.alon@...cle.com>
Cc:     konrad.wilk@...cle.com, jmattson@...gle.com, x86@...nel.org,
        bp@...en8.de, nadav.amit@...il.com, thomas.lendacky@....com,
        aliguori@...zon.com, arjan@...ux.intel.com, rkrcmar@...hat.com,
        pbonzini@...hat.com, linux-kernel@...r.kernel.org,
        kvm@...r.kernel.org
Subject: Re: [PATCH 3/8] kvm: vmx: pass MSR_IA32_SPEC_CTRL and MSR_IA32_PRED_CMD down to the guest

On Wed, 2018-01-10 at 08:19 -0800, Liran Alon wrote:
> 
> (1) On VMEntry, Intel recommends just restoring SPEC_CTRL to the guest
> value (using WRMSR or the MSR save/load list) and that's it. As I
> previously said to Jim, I am missing here a mechanism which should be
> responsible for hiding the host's BHB & RSB from the guest. Therefore, the
> guest still has the possibility to info-leak host kernel module
> addresses (kvm-intel.ko / kvm.ko / vmlinux).

How so?

The host has the capability to attack the guest... but that's not an
interesting observation.

I'm not sure why you consider it an information leak to have host
addresses in the BTB/RSB when the guest is running; it's not like they
can be *read* from there. Perhaps you could mount a really contrived
attack where you might attempt to provide your own spec-leak code at
various candidate addresses that you think might be host BTB targets,
and validate your assumptions... but I suspect basic cache-based
observations were easier than that anyway.

I don't think this is a consideration.
