Re: [PATCH] x86/pti: don't report XenPV as vulnerable

From: Jiri Kosina
Date: Fri Jun 15 2018 - 02:39:10 EST


On Fri, 15 Jun 2018, Juergen Gross wrote:

> Why? PTI has to be disabled in PV guests as it can't work there due to
> missing paravirtualization of the PTI feature (mov to/from %cr3).
>
> The Xen meltdown mitigation ("XPTI") for 64-bit pv guests is primarily
> securing the hypervisor against meltdown attacks of the guest. The guest
> itself can't do anything in this regard in 64-bit mode, as user and
> kernel code are already using different %cr3 values even without PTI.

That I know. Then I am probably dense today, but could you please again
explain what you meant by this in your first reply:

"This is wrong for [ ... ] for 64-bit, too, in case the mitigation is
disabled at hypervisor level."

--
Jiri Kosina
SUSE Labs