On 04/14/2013 04:32 AM, Pandu Poluan wrote: > > On Apr 14, 2013 1:27 PM, "Michael Mol" <mike...@gmail.com > <mailto:mike...@gmail.com>> wrote: >> >> On 04/14/2013 01:55 AM, Pandu Poluan wrote: >> > >> > On Apr 14, 2013 1:42 AM, "Michael Mol" <mike...@gmail.com > <mailto:mike...@gmail.com> >> > <mailto:mike...@gmail.com <mailto:mike...@gmail.com>>> wrote: >> >> >> >> [snip] >> >> > >> > What I meant was: given 4 physical AMD cores (but only 2 FPUs, courtesy >> > of AMD's Bulldozer/Piledriver arch) vs 4 virtual Intel cores (2 cores >> > split into 4 by Hyperthreading), I undoubtedly prefer 4 physical ones. >> > >> > (Of course if the Intel CPU has 4 pphysical cores, it should be compared >> > with an 8-core AMD CPU). >> > >> > I had some lively discussion on AMD vs Intel *for virtualization* in the >> > Gentoo Community on Google+, which referenced a thread on ServerFault. >> > The conclusion was: Intel CPUs (provided they support VT-x) can run >> > baremetal virtualization as well as AMD, in the majority of cases. >> > >> > It's the minority of cases -- edge cases -- that I'm concerned with. >> > And, lacking the money to actually buy 2 complete systems to perform >> > comparison, I'll take the safe route anytime. >> > >> > Yes, Intel's top-of-the-line processors might be faster than AMD's, but >> > the latter is cheaper, and exhibited a much more 'stable' performance >> > (i.e., no edge cases to bite me later down the road). >> > >> > That said, I read somewhere about the 'misimplementation' of some >> > hypercalls in Intel CPUs... in which some hypercall exceptions are >> > mistakenly handled by the Ring 0 hypervisor instead of the Ring 1 guest >> > OS, thus enabling someone to 'break out' of the VM's space. This >> > misimplementation is exploitable on KVM and Xen (the latter, my >> > preferred baremetal virtualization). >> >> That's actually very interesting. I hadn't heard about this. >> > > Here you go: > > http://blog.xen.org/index.php/2012/06/13/the-intel-sysret-privilege-escalation/ > > It's CVE-2012-0217, and the guys from vupen actually has created a > working proof: > > http://www.vupen.com/blog/20120904.Advanced_Exploitation_of_Xen_Sysret_VM_Escape_CVE-2012-0217.php >
Interesting! It also sounds like it's reasonably generally fixed with a patch to the hypervisor. Too bad hypervisors tend to have extremely long uptimes.
signature.asc
Description: OpenPGP digital signature
