Re: [PATCH] x86/pti: don't report XenPV as vulnerable

From: Juergen Gross
Date: Fri Jun 15 2018 - 03:00:36 EST


On 15/06/18 08:39, Jiri Kosina wrote:
> On Fri, 15 Jun 2018, Juergen Gross wrote:
>
>> Why? PTI has to be disabled in PV guests as it can't work there due to
>> missing paravirtualization of the PTI feature (mov to/from %cr3).
>>
>> The Xen meltdown mitigation ("XPTI") for 64-bit pv guests is primarily
>> securing the hypervisor against meltdown attacks of the guest. The guest
>> itself can't do anything in this regard in 64-bit mode, as user and
>> kernel code are already using different %cr3 values even without PTI.
>
> That I know. Then I am probably dense today, but could you please again
> explain what you meant by this in your first reply:
>
> "This is wrong for [ ... ] for 64-bit, too, in case the mitigation is
> disabled at hypervisor level."
>

Just as it is possible to switch off PTI in the kernel, it is possible to do
the same with XPTI in the hypervisor (it is even possible to disable
XPTI for dom0 only).

In case XPTI is disabled for the currently running system, it is possible
to make use of Meltdown in user programs to read arbitrary physical host
memory (i.e. attacking the hypervisor), and this includes the own system's
kernel memory.

So telling a user the system isn't vulnerable regarding Meltdown when
running as a 64-bit pv-guest might not be the truth.


Juergen
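A guest-side check in the spirit of this reply, added here as an example and not code from the thread or from the kernel patch: it treats the sysfs Meltdown status as non-authoritative on a Xen PV guest, because the guest cannot observe whether XPTI is enabled in the hypervisor. It assumes the sysfs files /sys/hypervisor/type and /sys/hypervisor/guest_type as exposed by the xen sysfs driver.

```shell
# Classify the Meltdown status a guest kernel reports, with the PV caveat.
# $1: contents of /sys/devices/system/cpu/vulnerabilities/meltdown
# $2: contents of /sys/hypervisor/type ("xen", or empty on bare metal)
# $3: contents of /sys/hypervisor/guest_type (PV, HVM, PVH, or empty)
meltdown_status() {
  sysfs_status="$1"; hv_type="$2"; guest_type="$3"
  if [ "$hv_type" = "xen" ] && [ "$guest_type" = "PV" ]; then
    # A PV guest cannot use PTI and cannot see whether the hypervisor's
    # XPTI is enabled (it may be off entirely, or off for dom0 only), so
    # the guest-side status is not authoritative: ask the Xen host.
    echo "undetermined-from-guest (verify XPTI on the Xen host)"
    return 2
  fi
  case "$sysfs_status" in
    "Not affected") echo "not-affected"; return 0 ;;
    Mitigation:*)   echo "mitigated: $sysfs_status"; return 0 ;;
    Vulnerable*)    echo "vulnerable"; return 1 ;;
    *)              echo "unknown: $sysfs_status"; return 3 ;;
  esac
}

# Read a sysfs file, or yield an empty string when it is absent
# (bare metal, HVM without the xen driver, or an older kernel).
read_or_empty() { if [ -r "$1" ]; then cat "$1"; else echo ""; fi; }

# Evaluate the live system.
check_live() {
  meltdown_status \
    "$(read_or_empty /sys/devices/system/cpu/vulnerabilities/meltdown)" \
    "$(read_or_empty /sys/hypervisor/type)" \
    "$(read_or_empty /sys/hypervisor/guest_type)"
}
```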