On Wednesday, January 17, 2018 at 10:29:18 PM UTC+1, Ilpo Järvinen wrote: > On Wed, 17 Jan 2018, Lorenzo Lamas wrote: > > > On Thursday, January 11, 2018 at 3:57:50 PM UTC+1, Andrew David Wong wrote: > > > ## Qubes 3.2 > > > > > > For Qubes 3.2, we plan to release an update that will make almost all > > > VMs run in a fully-virtualized mode. Specifically, we plan to backport > > > PVH support from Qubes 4.0 and enable it for all VMs without PCI > > > devices. After this update, all VMs that previously ran in PV mode (and > > > that do not have PCI devices) will subsequently run in PVH mode, with > > > the exception of stub domains. Any HVMs will continue to run in HVM > > > mode. > > > > Is this the shim-based approach from XSA-254? > > No, it won't be a shim-based approach (see also the Marek's mail in this > thread). > > > Then it should be made clear that the VM's will be more vulnerable to > > Meltdown: > > Even if shims would be used, that "more" claim is false as Meltdown > against the host hypervisor from PVs that are currently used in R3.2 > expose both host and also the guest through the host hypervisor (its > memory). With shims only the guest is still vulnerable, this time through > the intermediate xen instance running in the HVM/PVH encapsulating the PV > guest. Clearly it's "less" vulnerable rather than "more". > > Qubes has been trying to migrate away from PVs altogether (rather than > e.g., placing PVs into those shims) due to PV vulnerabilities in general. > In fact, even before these HW vulnerabilities were discovered, the process > towards PVH was ongoing which is why R4.0 rcs as is are much better > protected already. These vulnerabilities only accelerated this process. > There will be, unfortunately, be one limitation to this migration still > due to PCI passthrough: VMs with PCI devices need to remain PV (or their > stubdoms in R4.0). > > > "Note this shim-based approach prevents attacks on the host, but leaves > > the guest vulnerable to Meltdown attacks by its own unprivileged > > processes; this is true even if the guest OS has KPTI or similar > > Meltdown mitigation." > > https://xenbits.xen.org/xsa/xsa254/README.which-shim > > Also, note that one of the fundamental assumption with Qubes security > model is that the VMs _will get compromised_ (regardless of HW exploits). > What Qubes aims to protect against is escalation from a compromised VM > to host or to another VM. > > > -- > i.
Thank you for clarifying this. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f08a8a34-859b-4cbe-b8aa-aa9f54e15f5e%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.