Re: [FYI PATCH 0/7] Mitigation for CVE-2018-12207

From: Paolo Bonzini
Date: Wed Nov 13 2019 - 09:44:13 EST


On 13/11/19 14:00, Jinpu Wang wrote:
> Hi Paolo, hi list,
>
> Thanks for info, do we need qemu patch for full mitigation?
> Debian mentioned:
> https://linuxsecurity.com/advisories/debian/debian-dsa-4566-1-qemu-security-update-17-10-10
> "
> A qemu update adding support for the PSCHANGE_MC_NO feature, which
> allows to disable iTLB Multihit mitigations in nested hypervisors
> will be provided via DSA 4566-1.
>
> "
> But It's not yet available publicly.

I will send it today, but it's not needed for full mitigation. It just
provides a knob to turn it on and off in nested hypervisors.

> About the performance hit, do you know any number? probably the answer
> is workload dependent.

We generally measured 0-4%. There can be latency spikes for RT, which I
will send a patch for soon.

Paolo