Re: [RFC PATCH v4 00/19] Core scheduling v4

From: Tim Chen
Date: Tue Mar 17 2020 - 17:58:32 EST

On 3/17/20 2:17 PM, Thomas Gleixner wrote:

>> The interrupt handler will be run with PTE inverted. So I don't think
>> there's a leak via L1TF in this scenario.
>
> How so?
>
> Host memory is attackable, when one of the sibling SMT threads runs in
> host OS (hypervisor) context and the other in guest context.
>
> HT1 is in guest mode and attacking (has control over PTEs). HT2 is
> running in host mode and executes an interrupt handler. The host PTE
> inversion does not matter in this scenario at all.
>
> So HT1 can very well see data which is brought into the shared L1 by
> HT2.
>
> The only way to mitigate that aside from disabling HT is disabling EPT.
>

I had a brain lapse. Yes, PTE inversion is for mitigating against malicious
user space code, not for malicious guest.

Thanks for the correction.

Tim