On Friday, March 16, 2018 at 3:34:05 PM UTC+1, Lorenzo Lamas wrote:
> After updating to Xen 4.6.6-37, with updated BIOS/microcode, I executed
> Spectre & Meltdown Checker
> (https://github.com/speed47/spectre-meltdown-checker) in a PV Fedora 26
> AppVM (Kernel 4.14.18-1).
> 
> Hardware support is now supported:
> * Hardware support (CPU microcode) for mitigation techniques
>   * Indirect Branch Restricted Speculation (IBRS)
>     * SPEC_CTRL MSR is available:  YES 
>     * CPU indicates IBRS capability:  YES  (SPEC_CTRL feature bit)
>   * Indirect Branch Prediction Barrier (IBPB)
>     * PRED_CMD MSR is available:  YES 
>     * CPU indicates IBPB capability:  YES  (IBPB_SUPPORT feature bit)
>   * Single Thread Indirect Branch Predictors (STIBP)
>     * SPEC_CTRL MSR is available:  YES 
>     * CPU indicates STIBP capability:  YES 
> 
> However, the VM kernel does not seem to support the mitigations:
> 
> CVE-2017-5715 [branch target injection] aka 'Spectre Variant 2'
> * Mitigated according to the /sys interface:  NO  (kernel confirms your 
> system is vulnerable)
> * Mitigation 1
>   * Kernel is compiled with IBRS/IBPB support:  NO 
>   * Currently enabled features
>     * IBRS enabled for Kernel space:  NO 
>     * IBRS enabled for User space:  NO 
>     * IBPB enabled:  NO 
> * Mitigation 2
>   * Kernel compiled with retpoline option:  YES 
>   * Kernel compiled with a retpoline-aware compiler:  NO  (kernel reports 
> minimal retpoline compilation)
> > STATUS:  VULNERABLE  (Vulnerable: Minimal generic ASM retpoline, IBPB)
> 
> 
> Does this mean the kernel compiled by Qubes does not support the mitigations
> yet, or that this test cannot get proper info from the kernel, since the
> kernel is provided by Dom0 instead of the VM? Or are both true?

Important typo, I forgot to add 'in the future'.

"I believe, while not knowing, that the Qubes team might focus more on securing 
the VM's dirt (in above's analogy), but right now, it's all on the fence and 
cemented ground inside it." 

should be:

"I believe, while not knowing, that the Qubes team might in the future focus 
more on securing the VM's dirt (in above's analogy), but right now, it's all on 
the fence and cemented ground inside it."
