On 10/8/24 07:50, Anders Andersson wrote:
> While reading the release notes for 7.6, the first change is "Implemented Spectre-V4
> mitigations for arm64". There's now a number of Spectre-type flaws and mitigations,
> and I realize I don't know enough about them.
>
> An idle question that popped into my mind was: Does this mitigation protect
> vmm/vmd guests? If so/if not, does this generalize software mitigations for all
> Spectre exploits?
>
> I'm primarily interested in a situation where I run an up-to-date OpenBSD with
> this mitigation on bare metal, and then run an older OpenBSD or a linux variant
> in a VM.

well, I'm not at all an authority on arm64, vmm or Spectre exploits,
but the basic premise of your query causes me to twitch: the idea
that adding a virtualization layer might be a net improvement in
security.  That seems mighty unlikely.  Even IF a particular flaw
could be mitigated by a hypervisor, it's probably far more likely to
add new ones by stacking layers of OSs.

As an excuse to "run an older" anything, no, that's just a bad idea.
REALLY bad.

Also remember: most security compromises are done through bad
administration and buggy applications.  REAL LIFE data loss or
system compromise from these processor flaws is fairly rare (has
it ever even happened?).  It is something that should be fixed,
but ... it isn't the low-hanging fruit for most systems.
Unfortunately.

Nick.

