On Mon, 2019-04-15 at 07:17 -0700, PGNet Dev wrote: > On 4/15/19 3:08 AM, Dario Faggioli wrote: > > > > > > What's missing in my config to mitigate/remove the CVE-2018-3646 > > > vulnerability? > > > > > There's nothing you're missing, as far as I can tell. What the > > problem > > seems to be, is that spectre-and-meltdown-checker.sh does not treat > > the > > case of this check being made within a Xen (PV) guest properly. > > > > I'll check whether this is actually the case, and I'll to see about > > fixing that, as soon as I find a minute. > > Thanks. > So, I finally gave a look at the spectre-meltdown-checker.sh source.
IMO, figuring out whether or not we're running on a system which we can call "an hypervisor", is kind of broken, for both Xen and KVM. This affects the meaningfulness of what the tool reports about L1TF quite a bit. I had a go at fixing a few things, mostly for KVM, though. I have a branch here: https://github.com/dfaggioli/spectre-meltdown-checker/tree/l1tf-host (and I did send the pull request... let's see if the author likes my changes). I started to look at the Xen side of things, but then found this: https://github.com/h0nIg/spectre-meltdown-checker/tree/xen I still haven't tried, nor checked the patches thoroughly, but I'll give it a look and see if we they're fine (and, probably, base any future work on at least some of them). But that won't happen before the end of next week. Regards -- Dario Faggioli, Ph.D http://about.me/dario.faggioli Virtualization Software Engineer SUSE Labs, SUSE https://www.suse.com/ ------------------------------------------------------------------- <<This happens because _I_ choose it to happen!>> (Raistlin Majere)
signature.asc
Description: This is a digitally signed message part
