Announcement

Collapse
No announcement yet.

Linux 4.4.215 / 4.9.215 / 4.14.172 / 5.5.7 Kernels Bringing Intel KVM Security Fix

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Linux 4.4.215 / 4.9.215 / 4.14.172 / 5.5.7 Kernels Bringing Intel KVM Security Fix

    Phoronix: Linux 4.4.215 / 4.9.215 / 4.14.172 / 5.5.7 Kernels Bringing Intel KVM Security Fix

    A few days back we reported on a security vulnerability within Intel's KVM virtualization code for the Linux kernel. That vulnerability stems from unfinished kernel code and was fixed for Linux 5.6 Git and is now being back-ported to the 4.4 / 4.9 / 4.14 / 5.5 supported kernels...

    http://www.phoronix.com/scan.php?pag...E2020-Backport

  • #2
    I believe that 5.4.x is a lts kernel,
    I don't get the idea of 5.5.7( since its not a lts kernel.. ).

    Could it be a typo?

    Comment


    • #3
      I hope Ubuntu ports this to their 4.15 kernel that is used in Ubuntu 16.04.

      Comment


      • #4
        Originally posted by tuxd3v View Post
        I believe that 5.4.x is a lts kernel,
        I don't get the idea of 5.5.7( since its not a lts kernel.. ).

        Could it be a typo?
        5.5.x is the current stable kernel, so security bug are fixed. What is that surprise you?

        Comment


        • #5
          These security fixes also queued for 4.19 and 5.4 lts branches.

          Comment


          • #6
            Originally posted by cynic View Post
            5.5.x is the current stable kernel, so security bug are fixed. What is that surprise you?
            Its not a surprise..
            The surprise is, why it was not for 5.4.x which is a stable kernel( LTS )..

            Comment


            • #7
              Originally posted by puleglot View Post
              These security fixes also queued for 4.19 and 5.4 lts branches.
              Thanks!

              Comment


              • #8
                Do I understand correctly, that this is only affecting machines with nested virtualization, while the guest (L2) in the guest (L1) can only access data from the guest (L1). So this security flaw does not enable any guest to access data from the host?
                Last edited by CTTY; 02-27-2020, 09:10 PM. Reason: typo

                Comment


                • #9
                  Originally posted by CTTY View Post
                  Do I understand correctly, that this is only affecting machines with nested virtualization, while the guest (L2) in the guest (L1) can only access data from the guest (L1). So this security flaw does not enable any guest to access data from the host?
                  Not quite what I was reading. A guest CAN access data from its host (if it's an L2 guest). The L1 host typically is the "real" host, hosting multiple L2 instances.

                  How many of the various cloud instances are running as L2 guests I don't have the slightest clue. Given that there's quite extensive backporting going on, I'd guess more than a few.

                  Comment


                  • #10
                    Originally posted by fkoehler View Post
                    The L1 host typically is the "real" host, hosting multiple L2 instances.
                    In the article is the following mentioned:
                    Originally posted by article
                    the L2 guest could trick the L0 hypervisor into accessing sensitive bits of the L1 hypervisor

                    So I think the L0 is the real host.


                    Originally posted by article
                    n the way KVM hypervisor handled instruction emulation for the L2 guest when nested(=1) virtualization is enabled

                    But this still only applies when `
                    nested=1` is set for `kvm_intel`.

                    Comment

                    Working...
                    X