
Russell

On Wed, Jan 3, 2018 at 11:59 PM Russell Reiter <rreiter91@gmail.com> wrote:
On January 3, 2018 10:56:30 PM EST, Dhaval Giani <dhaval.giani@gmail.com> wrote:
https://googleprojectzero.blogspot.ca/2018/01/reading-privileged-memory-with...
gives the gory details
At this point, I cannot stress enough how important it is to update your systems as soon as your distribution ships them. I am hoping this remains a once-in-a-lifetime event.
I admire your optimism. To me it looks like this is a kind of example of feeping creaturism in hypervisors; not necessarily an easy patch.
I am unsure what you are implying. This is a hardware issue which has been fixed in software. There are already exploits out that I am seeing are able to run through your web browser. This is serious stuff. I am also unsure what this has to do with hypervisors, apart from them also needing to mitigate this exploit.
The idea of the necessity of some sort of kernel isolation has been around for quite a while, in part as a response to the ease with which userland interpreters can pollute kernel space.
https://lwn.net/Articles/39283/
I've read that some of the proposed solutions could add as much as a 30% operational overhead. Not much of an issue for average home users, but for enterprise this could be a real game changer.
The 30% overhead is for a pathological case. A 5-10% overhead is more likely. And do you honestly think that upstream is not going to work on getting that overhead down?

Dhaval
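The overhead the thread argues about comes from kernel page-table isolation making every user/kernel transition more expensive, so the "pathological case" is a workload that does little but cross that boundary. The program below is an added example, written for this page and not code from either participant, the Project Zero post or the LWN article. It times the cheapest possible kernel round-trip (getppid(), which libc never caches) to show how much a bare syscall costs on the machine it runs on, and reads the kernel's own self-report for the Meltdown and Spectre entries under /sys/devices/system/cpu/vulnerabilities/ (present on Linux 4.15 and later, and on distribution kernels that backported the fixes; the status strings "Not affected", "Mitigation: ..." and "Vulnerable" are the kernel's documented formats). The sysfs directory is a function parameter so the reader can point it elsewhere; the iteration count and the one-line classification are assumptions of this example. Run it once on a patched kernel and once with pti=off on the command line to see the per-syscall delta the thread is discussing.

```c
/* Added example: report KPTI/Spectre mitigation status from sysfs and
 * measure the per-syscall cost that kernel/user isolation makes larger.
 * Linux-specific; builds with any C compiler: cc -O2 kpti_cost.c */
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

enum mitigation { MIT_UNKNOWN, MIT_NOT_AFFECTED, MIT_MITIGATED, MIT_VULNERABLE };

/* Classify one status line as written by the kernel to
 * /sys/devices/system/cpu/vulnerabilities/<name> (kernel 4.15+). */
enum mitigation classify(const char *line)
{
    if (strncmp(line, "Not affected", 12) == 0) return MIT_NOT_AFFECTED;
    if (strncmp(line, "Mitigation:", 11) == 0)  return MIT_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)   return MIT_VULNERABLE;
    return MIT_UNKNOWN;   /* empty, unreadable, or a format we do not know */
}

const char *mitigation_name(enum mitigation m)
{
    switch (m) {
    case MIT_NOT_AFFECTED: return "not affected";
    case MIT_MITIGATED:    return "mitigated";
    case MIT_VULNERABLE:   return "VULNERABLE";
    default:               return "unknown";
    }
}

/* Read <dir>/<name>, copy the raw text into out (NUL-terminated, newline
 * stripped) and return its classification. A missing file means the kernel
 * predates the sysfs interface (or this is not Linux), which is itself a
 * signal: a kernel that old has no Meltdown mitigation at all. */
enum mitigation read_vuln_status(const char *dir, const char *name,
                                 char *out, size_t n)
{
    char path[256];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "r");
    if (!f) {
        snprintf(out, n, "(no %s entry: kernel too old or not Linux)", name);
        return MIT_UNKNOWN;
    }
    if (!fgets(out, (int)n, f))
        out[0] = '\0';
    fclose(f);
    out[strcspn(out, "\n")] = '\0';
    return classify(out);
}

/* Average cost in nanoseconds of one user->kernel->user round-trip.
 * getppid() is used because glibc never caches it, so each call really
 * enters the kernel; clock() counts both user and system CPU time, which
 * is what we want since the transition cost shows up as system time. */
double syscall_cost_ns(long iterations)
{
    clock_t t0 = clock();
    for (long i = 0; i < iterations; i++)
        (void)getppid();
    clock_t t1 = clock();
    return (double)(t1 - t0) * 1e9 / CLOCKS_PER_SEC / (double)iterations;
}

int main(void)
{
    const char *dir = "/sys/devices/system/cpu/vulnerabilities";
    const char *names[] = { "meltdown", "spectre_v1", "spectre_v2" };
    char text[256];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        enum mitigation m = read_vuln_status(dir, names[i], text, sizeof text);
        printf("%-11s %-12s %s\n", names[i], mitigation_name(m), text);
    }

    /* 2,000,000 iterations is an assumed count: long enough for clock()'s
     * microsecond resolution to be irrelevant, short enough to finish in
     * well under a second on anything current. */
    double ns = syscall_cost_ns(2000000L);
    printf("\ngetppid() round-trip: %.1f ns per call\n", ns);
    printf("Compare with the same kernel booted with pti=off to see the "
           "isolation cost on a syscall-bound workload.\n");
    return 0;
}
```

The per-call figure is only meaningful as a delta between two boots of the same kernel on the same hardware; absolute numbers vary with the CPU, whether PCID is available (which shrinks the KPTI cost considerably), and whether the syscall path has other mitigations enabled. A real workload's overhead is that delta multiplied by its syscall rate, which is why a database or network-heavy server sits closer to the pathological end and a desktop closer to the 0-5% end.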