On 01/05/2018 04:27 AM, Dr. David Alan Gilbert wrote: >>> Patches for 1-3 are out there and 4 is pretty straightforward. Doing a >>> arch_prctl() is still straightforward, but will be a much more niche >>> thing than any of the other choices. Plus, with a user interface, we >>> have to argue over the ABI for at least a month or two. ;) > I was chatting to Andrea about this, and we came to the conclusion one > use might be for qemu; I was worried about (theoretically) whether > userspace in a guest could read privileged data from the guest kernel by > attacking the qemu process rather than by attacking the kernels.
Theoretically, I believe it's possible. The SMEP-based mitigations are effective when crossing rings, but do not help with guest-ring0->host-ring0 or presumably guest-ring3->host-ring3. For the same-ring things, we have the indirect branch predictor flush operation MSR (IBPB). Expect those to be posted once we have the IBRS and retpoline approaches settled.
