David Gibson <da...@gibson.dropbear.id.au> writes:
> On Tue, Mar 12, 2019 at 10:01:45AM +0000, Peter Maydell wrote:
>> On Tue, 12 Mar 2019 at 03:34, David Gibson <da...@gibson.dropbear.id.au>
>> wrote:
>> > Ok, done. As a rule these warnings are there intentionally for TCG -
>> > we want to enable Spectre/Meltdown mitigations by default, but no-one
>> > really knows if and how to implement them for TCG.
>>
>> For the Arm "block speculation" type instructions what we did was
>> say "TCG's execution doesn't speculate in a relevant way, and
>> we treat the TCG backends as not a security boundary anyway,
>> so we'll end the TB and put in a memory barrier and call that
>> sufficient". That is, they're provided for the benefit of
>> emulating guest OSes that use them, rather than because they
>> make a difference from a security perspective.
>>
>> I don't know exactly what the semantics of the PPC mitigations
>> are, but we should probably think about and document a coherent
>> position on this for TCG.
>
> Yes, but this requires input from someone who understands both Spectre
> and TCG well enough, which I am not.

Someone applying for one of the outreach projects mentioned another
attack vector "side-channel leakages in qemu translation from ARM to
x86" to which I replied the same "not a security boundary" response. But
I guess there are some papers being written around this subject.

--
Alex Bennée