*putting my tinfoil hat on* After thinking a little bit more, the observable behavior is a quite good match for a bios-level hypervisor (hardware trojan in a modern terminology), as it likely is sensitive to timing[1], does not appear more than once per VM during boot cycle and seemingly does not regard a fact if kvm-intel was reloaded once or twice (or more) and not reproducible outside of domain of a single board model. If nobody has a better suggestions to try on, I`ll do a couple of steps in a next days: - extract and compare bios to the vendor`s image with SPI programmer, - extract and compare BMC image with public version (should be easy as well), - try to analyze switch timings by writing sample code for a bare hardware (there can be a hint that the L2 Linux guest can expose larger execution time difference with L1 on host with top-level hypervisor than on supposedly 'non-infected' one), - try to analyze binary BIOS code itself, though it can be VERY problematic, I am even not talking for same possibility for BMC.
Sorry for posting such a naive and stupid stuff in the public ml, but I am really out of clues of what`s happening there and why it is not reproducible anywhere else. 1. https://xakep.ru/2011/12/26/58104/ (russian text, but can be read through g-translate without lack of details) -- To unsubscribe from this list: send the line "unsubscribe kvm" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
