-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2020-0551 / XSA-315 Load Value Injection (LVI) speculative side channel ISSUE DESCRIPTION ================= This is very closely related to the Microarchitectural Data Sampling vulnerabilities from May 2019. Please see https://xenbits.xen.org/xsa/advisory-297.html for details about MDS. A new way of using the micro-architectural details behind MDS has been identified. Instead of simply trying to sample data from a different privilege context, an attacker can arrange for poisoned data to be consumed (speculatively) in a victim context. This expands the range of tools by which an attacker can manipulate speculation in the victim context to leak data via a side channel. For more details, see: https://software.intel.com/security-software-guidance/insights/deep-dive-load-value-injection IMPACT ====== An attacker, which could include a malicious untrusted user process on a trusted guest, or an untrusted guest, can potentially cause a victim context (process, or guest, or guest kernel, or hypervisor) to leak secrets available to it. VULNERABLE SYSTEMS ================== Systems running all versions of Xen are affected. Only x86 processors are vulnerable. ARM processors are not believed to be vulnerable. Only Intel based processors are potentially affected. Processors from other manufacturers (e.g. AMD) are not believed to be vulnerable. Please consult the Intel Security Advisory for details on the affected processors. MITIGATION ========== Xen does not support the use of SGX (Software Guard Extensions). Outside of the SGX enclave case, the attacker has a limited ability to control the paging behaviour in the victim context. Therefore, it is not believed that there is a practical way to attack a victim context which is not an SGX enclave. Furthermore, preexisting work (including fixes for MDS, SMAP hardening for user pointers) and in-progress work (core scheduling for SMT systems) all raise the bar further for an attacker. There are no known LVI gadgets within Xen. As a result, we have decided not to make any changes to default configurations of Xen. Systems with untrusted PV guests, and whose host administrators are worried about potential LVI gadgets, might wish to consider changing the VM to be HVM instead, or make use of PV-Shim, to limit the scope of a potential attack. NOTE REGARDING PAGE MODIFICATION LOGGING ======================================== Included for completeness, rather than due to being a realistic concern: On Intel Broadwell and later systems, Xen uses Page Modification Logging to accelerate logdirty tracking on migration. The use of this does put the guest kernel at a higher risk of being attacked, due to the use of EPT Access/Dirty bits used behind the scenes. Userspace shouldn't be able to influence when a migration occurs, but booting Xen with `ept=no-ad` will mitigate this concern by causing Xen to fall back to software logdirty tracking. RESOLUTION ========== There is no complete resolution available. In general, administrators of Xen systems are recommended to take no action in response to this vulnerability. If potential LVI gadgets are discovered in Xen, they will be addressed on a case by case basis, in the same way as Spectre v1 hardening. NOTE REGARDING LACK OF EMBARGO ============================== Despite an attempt to organise predisclosure, the discoverers ultimately did not authorise a predisclosure. -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAl5nyAsMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZposH/0ZH/AXAFND2aBRdxKoWZtWyAaxrI0NPRz/H+AEZ CKtoV7E0HmwCSucxJOCe95yv/shKYSqoG4mMkxT+6v1gH7Hv/2dbl12G0Nlo5lyq LSkbvyLwCa1ceL6xa5qanx0GkJL+tiOP3EPDBKpO5Lqok5WS/uXQRwIequArPLNi S4xmE0oKv/yOXRRe2BhnAp6+lY/U6kuMxVNEXF5/6p3/31tnZhabkLJp5N2yl5Ts OEVjwnzEYRgi5npes1TW6PkPA5p0L4rq/oiVPvTqJsNWRkCmHvR2uRXDc1cI/9gs wnam4wTVF2tOXZ8/+n+XvUVUPeLAqzncv2D8+RWkX8pKu18= =DFQP -----END PGP SIGNATURE-----