Quoting Paolo Bonzini (2018-02-14 04:33:29)
> On 14/02/2018 09:51, Daniel P. Berrangé wrote:
> >> +Please note that, as mentioned in the previous blog post, QEMU/KVM
> >> generally
> >> +has the same requirements as other unpriviledged processes running on the
> >> +host WRT Spectre/Meltdown mitigation.
> >
> > Is this actually still considered accurate wrt the host QEMU ? I was under
> > the belief that life is more complicated for QEMU/KVM wrt Spectre and that
> > it will require more protection than other unpriv processes on the host in
> > some cases.
>
> The plan is for KVM to ensure that QEMU can be treated as yet another
> unprivileged process. Anything else would require applying the same
> care to all of QEMU's dependencies.

Would the following re-wording be reasonable? The main goal of the statement is to stress that additional patches pertaining to general host-side security are still needed to secure a QEMU/KVM host, not so much to suggest that there isn't anything needed beyond that. -Please note that, as mentioned in the previous blog post, QEMU/KVM generally -has the same requirements as other unpriviledged processes running on the -host WRT Spectre/Meltdown mitigation. What is being addressed here is -enabling a guest operating system to enable the same (or similar) mitigations -to protect itself from unpriviledged guest processes. Thus, the -patches/requirements listed here are specific to that goal and should not be -regarded as the full set of requirements to enable mitigations on the host -side (though in some cases there is some overlap between the two WRT required -patches/etc). +Please note that QEMU/KVM has at least the same requirements as other +unpriviledged processes running on the host WRT Spectre/Meltdown +mitigation. What is being addressed here is enabling a guest operating system +to enable the same (or similar) mitigations to protect itself from +unpriviledged guest processes. Thus, the patches/requirements listed here are +specific to that goal and should not be regarded as the full set of +requirements to enable mitigations on the host side (though in some cases +there is some overlap between the two WRT required patches/etc). > > Paolo >
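Review bot: the first added sentence ("QEMU/KVM has at least the same requirements as other unpriviledged processes") now implies that host-side needs may go beyond those of an ordinary unprivileged process, but nothing in the paragraph says what the additional requirements are or where a reader should look for them. The removed text pointed to "the previous blog post"; consider keeping that pointer, or adding an equivalent one, so that the closing caveat about the list not being "the full set of requirements to enable mitigations on the host side" leads somewhere concrete. Separately, "unpriviledged" is misspelled in three of the added lines and should read "unprivileged".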