Rich Freeman on 4 Jan 2018 10:27:25 -0800



Re: [PLUG] The mysterious case of the Linux Page Table Isolation patches


On Thu, Jan 4, 2018 at 1:12 PM, Steve Litt <slitt@troubleshooters.com> wrote:
> On Tue, 2 Jan 2018 15:31:50 -0500
> Rich Freeman <r-plug@thefreemanclan.net> wrote:
>
>> On Tue, Jan 2, 2018 at 1:02 PM, K.S. Bhaskar <bhaskar@bhaskars.com>
>> wrote:
>> > If the speculation at
>> > http://pythonsweetness.tumblr.com/post/169166980422/the-mysterious-case-of-the-linux-page-table
>> > is correct, the details should be very interesting, and may have
>> > interesting consequences.
>> >
>>
>> Looks like the rumors might be pushing up the embargo, unless it was
>> due anyway.  The fixes were just released in a couple of stable
>> kernels a few minutes ago.  I noticed that at least the 4.14 fix
>> doesn't include the AMD patch that disables the setting on AMD CPUs.
>
> By "disables the setting on AMD CPUs", do you mean disables KVM type
> hardware assisted Virtual Machines, or do you mean it disables
> something else?

The issue has nothing to do with virtual machines specifically.  It is
a virtual memory vulnerability, which affects everything (that makes
me wonder if it affects real mode - it might, not that anything still
uses it).  VMs are just a worst-case because you could be running
untrusted code in them and this can be used to defeat the hypervisor.

The AMD patch disables PTI on AMD processors.  PTI is the mitigation
against Meltdown, but not Spectre (though I suspect it might help with
variant 2 of Spectre).  AMD CPUs are not vulnerable to Meltdown.  If
PTI isn't disabled it causes a significant performance penalty, so
disabling it on AMD is obviously desirable.

AMD seems to think Spectre can be fixed in software patches that won't
impact performance, but those patches do not fully exist.  Intel did
post one set of variant 2 patches on lkml, but they're still being
reviewed/etc.  Authoritative details are pretty sparse on this stuff.

>
> I can withstand a 30% performance hit, but I really need my Virtual
> Machines.
>

If you're running Intel then you'll want PTI on in general, and that
will cause the performance hit.  It won't hurt virtualization at all
other than the general hit.  Note, the penalty might be worse on VMs
since both the hypervisor and guest kernel are likely to implement
PTI, which means two layers of performance hit on any system call that
ends up going out to the hypervisor.  Nothing being proposed will
prevent virtualization from working.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
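
A way to check the state the message above describes (PTI active on Intel, not needed on AMD), added here as an example and not part of the original message. It assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities/meltdown` and the `pti` / `cpu_meltdown` entries in `/proc/cpuinfo`, which arrived in kernels after the stable releases discussed in the thread; the function names and sample inputs are constructed for illustration.

```shell
# pti_state SYSFS_TEXT CPUINFO_TEXT CMDLINE   (hypothetical helper)
# Prints: not-affected | pti-on | vulnerable | vulnerable-by-cmdline | unknown
pti_state() {
    sysfs=$1; cpuinfo=$2; cmdline=$3

    # Was PTI switched off on the boot command line?
    off=no
    for arg in $cmdline; do
        case $arg in
            nopti|pti=off|mitigations=off) off=yes ;;
        esac
    done
    if [ "$off" = yes ]; then vuln=vulnerable-by-cmdline; else vuln=vulnerable; fi

    # Prefer the kernel's own verdict when the sysfs file is present.
    case $sysfs in
        "Not affected"*)    echo not-affected; return ;;
        "Mitigation: PTI"*) echo pti-on; return ;;
        "Vulnerable"*)      echo "$vuln"; return ;;
    esac

    # Fallback: the flags/bugs lines of /proc/cpuinfo (first CPU only).
    flags=$(printf '%s\n' "$cpuinfo" | sed -n '/^flags/{p;q;}')
    bugs=$(printf '%s\n' "$cpuinfo" | sed -n '/^bugs/{p;q;}')
    case " ${flags#*:} " in *" pti "*) echo pti-on; return ;; esac
    case " ${bugs#*:} " in *" cpu_meltdown "*) echo "$vuln"; return ;; esac
    echo unknown
}

# Live check on the current host; a missing file just yields empty input.
pti_state_live() {
    pti_state "$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null)" \
              "$(cat /proc/cpuinfo 2>/dev/null)" \
              "$(cat /proc/cmdline 2>/dev/null)"
}

# Constructed sample inputs (not captured from real machines).
SAMPLE_PTI_ON='flags : fpu vme de pse tsc pti
bugs : cpu_meltdown spectre_v1 spectre_v2'
SAMPLE_PTI_OFF='flags : fpu vme de pse tsc
bugs : cpu_meltdown spectre_v1 spectre_v2'
```

Run `pti_state_live` on the hypervisor and inside each guest separately, since each kernel decides on PTI for itself.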