| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <DS0PR12MB92737A247219B1EC0BCAFA6494232@DS0PR12MB9273.namprd12.prod.outlook.com> Date: Fri, 22 Nov 2024 17:23:39 +0000 From: "Kaplan, David" <David.Kaplan@....com> To: Brendan Jackman <jackmanb@...gle.com>, "Manwaring, Derek" <derekmn@...zon.com> CC: "bp@...en8.de" <bp@...en8.de>, "canellac@...zon.at" <canellac@...zon.at>, "dave.hansen@...ux.intel.com" <dave.hansen@...ux.intel.com>, "hpa@...or.com" <hpa@...or.com>, "jpoimboe@...nel.org" <jpoimboe@...nel.org>, "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>, "mingo@...hat.com" <mingo@...hat.com>, "mlipp@...zon.at" <mlipp@...zon.at>, "pawan.kumar.gupta@...ux.intel.com" <pawan.kumar.gupta@...ux.intel.com>, "peterz@...radead.org" <peterz@...radead.org>, "tglx@...utronix.de" <tglx@...utronix.de>, "x86@...nel.org" <x86@...nel.org> Subject: RE: [PATCH v2 19/35] Documentation/x86: Document the new attack vector controls [AMD Official Use Only - AMD Internal Distribution Only] > -----Original Message----- > From: Brendan Jackman <jackmanb@...gle.com> > Sent: Friday, November 22, 2024 10:37 AM > To: Manwaring, Derek <derekmn@...zon.com> > Cc: Kaplan, David <David.Kaplan@....com>; bp@...en8.de; > canellac@...zon.at; dave.hansen@...ux.intel.com; hpa@...or.com; > jpoimboe@...nel.org; linux-kernel@...r.kernel.org; mingo@...hat.com; > mlipp@...zon.at; pawan.kumar.gupta@...ux.intel.com; > peterz@...radead.org; tglx@...utronix.de; x86@...nel.org > Subject: Re: [PATCH v2 19/35] Documentation/x86: Document the new attack > vector controls > > Caution: This message originated from an External Source. Use proper > caution when opening attachments, clicking links, or responding. > > > On Fri, 22 Nov 2024 at 17:15, Manwaring, Derek <derekmn@...zon.com> > wrote: > > > > On 2024-11-14 at 9:32+0000, Brendan Jackman wrote: > > > On Wed, 13 Nov 2024 at 17:19, Brendan Jackman > <jackmanb@...gle.com> wrote: > > > > A discussion off-list led me to realise that the specifics of this > > > comment are nonsensical, I had L1TF in mind but I don't think you > > > can exploit L1TF in a direct guest->guest attack (I'm probably still > > > missing some nuance there). We wouldn't need to flush L1D there > > > unless there's a new vuln. > > > > With Foreshadow-VMM/CVE-2018-3646 I thought you can do guest- > >guest? > > Since guest completely controls the physical address which ends up > > probing L1D (as if it were a host physical address). > > You are almost certainly right! Agreed, I will update my patches to fix this, so that mitigation is applied if guest->guest protection is requested. Thanks --David Kaplan > > > And agree with the flushes between different restricted address spaces > > (e.g. context switch between guests, right?). > > Yeah basically, although with the RFCv2 I'm gonna be proposing this > "tainting" model where instead of having to flush, in context switch we just > set a flag to say "another MM* might have left data in a sidechannel". Then if > we have that flag set on an asi_enter we flush at that point. > > *We could break that down further too, e.g. whether the thing that left data > behind was a VM guest or a userspace task, if that ever influences what > caches/buffers we wanna burn.
Powered by blists - more mailing lists