On 2015-11-11 08:07, Paolo Bonzini wrote:
I already knew this, I just hadn't remembered that I hadn't updated Xen since before the XSA and patch for this had been posted (and it took me a while to remember this when I accidentally panicked Xen :))On 11/11/2015 13:47, Austin S Hemmelgarn wrote:I just finished running a couple of tests in a KVM instance running nested on a Xen HVM instance, and found no issues, so for the set as a whole: Tested-by: Austin S. Hemmelgarn <ahferro...@gmail.com> Now to hope the equivalent fix for Xen gets into the Gentoo repositories soon, as the issue propagates down through nested virtualization and ties up the CPU regardless (and in turn triggers the watchdog).Note that nested guests should _not_ lock up the outer (L0) hypervisor if the outer hypervisor has the fix. At least this is the case for KVM: a fixed outer KVM can protect any vulnerable nested (L1) hypervisor from malicious nested guests. A vulnerable outer KVM is also protected if the nested hypervisor has the workaround.
smime.p7s
Description: S/MIME Cryptographic Signature
