| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 11 Apr 2024 17:20:30 +0200 From: Paolo Bonzini <pbonzini@...hat.com> To: Alexandre Chartre <alexandre.chartre@...cle.com> Cc: Andrew Cooper <andrew.cooper3@...rix.com>, x86@...nel.org, kvm@...r.kernel.org, linux-kernel@...r.kernel.org, daniel.sneddon@...ux.intel.com, pawan.kumar.gupta@...ux.intel.com, tglx@...utronix.de, konrad.wilk@...cle.com, peterz@...radead.org, gregkh@...uxfoundation.org, seanjc@...gle.com, dave.hansen@...ux.intel.com, nik.borisov@...e.com, kpsingh@...nel.org, longman@...hat.com, bp@...en8.de Subject: Re: [PATCH] KVM: x86: Set BHI_NO in guest when host is not affected by BHI On Thu, Apr 11, 2024 at 5:13 PM Alexandre Chartre <alexandre.chartre@...cle.com> wrote: > I think that Andrew's concern is that if there is no eIBRS on the host then > we do not set X86_BUG_BHI on the host because we know the kernel which is > running and this kernel has some mitigations (other than the explicit BHI > mitigations) and these mitigations are enough to prevent BHI. But still > the cpu is affected by BHI. Hmm, then I'm confused. It's what I wrote before: "The (Linux or otherwise) guest will make its own determinations as to whether BHI mitigations are necessary. If the guest uses eIBRS, it will run with mitigations" but you said machines without eIBRS are fine. If instead they are only fine _with Linux_, then yeah we cannot set BHI_NO in general. What we can do is define a new bit that is in the KVM leaves. The new bit is effectively !eIBRS, except that it is defined in such a way that, in a mixed migration pool, both eIBRS and the new bit will be 0. Paolo
Powered by blists - more mailing lists