From: Michael Roth <mdroth@linux.vnet.ibm.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>
Cc: Peter Maydell <peter.maydell@linaro.org>,
Thomas Huth <thuth@redhat.com>,
Eduardo Habkost <ehabkost@redhat.com>,
Cornelia Huck <cohuck@redhat.com>,
qemu-devel@nongnu.org,
Christian Borntraeger <borntraeger@de.ibm.com>,
Suraj Jitindar Singh <sjitindarsingh@gmail.com>,
David Gibson <david@gibson.dropbear.id.au>
Subject: Re: [Qemu-devel] [qemu-web PATCH] Add a blog post documenting Spectre/Meltdown options for QEMU 2.11.1
Date: Wed, 14 Feb 2018 08:56:37 -0600 [thread overview]
Message-ID: <151862019703.31987.7264096901853091526@sif> (raw)
In-Reply-To: <a2c5404e-7f1e-09c8-329f-1abb585070df@redhat.com>
Quoting Paolo Bonzini (2018-02-14 04:33:29)
> On 14/02/2018 09:51, Daniel P. Berrangé wrote:
> >> +Please note that, as mentioned in the previous blog post, QEMU/KVM generally
> >> +has the same requirements as other unpriviledged processes running on the
> >> +host WRT Spectre/Meltdown mitigation.
> >
> > Is this actually still considered accurate wrt the host QEMU ? I was under
> > the believe that life is more complicated for QEMU/KVM wrt Spectre and that
> > it will require more protection than other unpriv processes on the host in
> > some cases.
>
> The plan is for KVM to ensure that QEMU can be treated as yet another
> unprivileged process. Anything else would require applying the same
> care to all of QEMU's dependencies.
Would the following re-wording be reasonable? The main goal of the
statement is to stress that additional patches pertaining to general
host-side security are still needed to secure a QEMU/KVM host, not
so much to suggest that there isn't anything needed beyond that.
-Please note that, as mentioned in the previous blog post, QEMU/KVM generally
-has the same requirements as other unpriviledged processes running on the
-host WRT Spectre/Meltdown mitigation. What is being addressed here is
-enabling a guest operating system to enable the same (or similar) mitigations
-to protect itself from unpriviledged guest processes. Thus, the
-patches/requirements listed here are specific to that goal and should not be
-regarded as the full set of requirements to enable mitigations on the host
-side (though in some cases there is some overlap between the two WRT required
-patches/etc).
+Please note that QEMU/KVM has at least the same requirements as other
+unpriviledged processes running on the host WRT Spectre/Meltdown
+mitigation. What is being addressed here is enabling a guest operating system
+to enable the same (or similar) mitigations to protect itself from
+unpriviledged guest processes. Thus, the patches/requirements listed here are
+specific to that goal and should not be regarded as the full set of
+requirements to enable mitigations on the host side (though in some cases
+there is some overlap between the two WRT required patches/etc).
>
> Paolo
>
next prev parent reply other threads:[~2018-02-14 14:56 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-14 0:11 [Qemu-devel] [qemu-web PATCH] Add a blog post documenting Spectre/Meltdown options for QEMU 2.11.1 Michael Roth
2018-02-14 4:39 ` Bruce Rogers
2018-02-14 8:51 ` Daniel P. Berrangé
2018-02-14 10:33 ` Paolo Bonzini
2018-02-14 14:56 ` Michael Roth [this message]
2018-02-14 9:05 ` Thomas Huth
2018-02-14 9:18 ` Cornelia Huck
2018-02-14 9:11 ` Cornelia Huck
2018-02-14 9:18 ` Christian Borntraeger
2018-02-14 9:48 ` David Hildenbrand
2018-02-14 16:50 ` Dr. David Alan Gilbert
2018-02-14 18:18 ` Michael Roth
2018-02-16 11:57 ` Dr. David Alan Gilbert
2018-02-21 10:09 ` Paolo Bonzini
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=151862019703.31987.7264096901853091526@sif \
--to=mdroth@linux.vnet.ibm.com \
--cc=berrange@redhat.com \
--cc=borntraeger@de.ibm.com \
--cc=cohuck@redhat.com \
--cc=david@gibson.dropbear.id.au \
--cc=ehabkost@redhat.com \
--cc=pbonzini@redhat.com \
--cc=peter.maydell@linaro.org \
--cc=qemu-devel@nongnu.org \
--cc=sjitindarsingh@gmail.com \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).