RE: [PATCH 06/18] x86, barrier: stop speculation for failed access_ok

From: David Laight
Date: Mon Jan 08 2018 - 07:32:45 EST

Next message: Michal Simek: "Re: [PATCH] soc: xilinx: Create folder structure for soc specific drivers"
Previous message: Michal Simek: "Re: [PATCH] media: v4l: xilinx: Use SPDX-License-Identifier"
In reply to: Alan Cox: "Re: [PATCH 06/18] x86, barrier: stop speculation for failed access_ok"
Next in thread: Dan Williams: "Re: [PATCH 06/18] x86, barrier: stop speculation for failed access_ok"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Alan Cox
> Sent: 08 January 2018 12:13
...
> > Try over 35% slowdown....
> > Given that AWS instance runs known code (user and kernel) why do we
> > need to worry about any of these sideband attacks?
>
> You may not need to. Amazon themselves obviously need to worry that no
> other VM steals your data (or vice versa) but above that (and with raw
> hardware appliances) if you control all the code you run then the nopti
> and other disables may be useful (At the end of the day as with anything
> else you do your own risk assessment).

I believe AWS allows VM kernels to load user-written device drivers
so the security of other VMs cannot rely on whether a VM is booted
with PTI=yes or PTI=no.

David

Next message: Michal Simek: "Re: [PATCH] soc: xilinx: Create folder structure for soc specific drivers"
Previous message: Michal Simek: "Re: [PATCH] media: v4l: xilinx: Use SPDX-License-Identifier"
In reply to: Alan Cox: "Re: [PATCH 06/18] x86, barrier: stop speculation for failed access_ok"
Next in thread: Dan Williams: "Re: [PATCH 06/18] x86, barrier: stop speculation for failed access_ok"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]