Hypervisor machines with Intel CPUs will have further reduced performance with the mitigation of a new bug
See https://comsec.ethz.ch/research/microarch/vmscape-exposing-and-exploiting-incomplete-branch-predictor-isolation-in-cloud-environments/
or
https://www.intel.com/content/www/us/en/developer/articles/news/more-information-vmscape.html
The previous mitigations seem to only protect guest memory, while this new bug allows a malicious guest to access secrets inside its hypervisor's memory.
It's reported from some sources that while it affects both Intel and AMD, the performance loss on Intel could be from 10% to 51% (I/O heavy).
Poll: Do you enable CPU bug mitigations on Linux? (13 votes)
- I do not care and just leave it as is. [default ON, depending on kernel config]: 38.46%
- Security is first for me. [ON]: 38.46%
- I choose the mitigations I want. [Partial]: 7.69%
- Nope. Performance is always the first. [OFF]: 15.38%
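For anyone answering the poll who wants to know what their own box is actually doing: the kernel exposes per-bug mitigation status under /sys/devices/system/cpu/vulnerabilities and the global `mitigations=` switch on the kernel command line. The script below is an added example (not from the thread or from any of the linked papers); the directory and cmdline paths are parameters so it can be run against constructed input, and the status strings in the comments are illustrative, not a claim about what your kernel prints for any particular bug.

```shell
#!/bin/sh
# Summarise Linux CPU bug mitigation status.
# Both functions take optional paths so they can be exercised against
# constructed sysfs/cmdline copies; defaults point at the live system.

# Print one "<bug>: <status>" line per entry in the vulnerabilities directory.
# Real statuses look like "Not affected", "Mitigation: ..." or "Vulnerable...".
report_mitigations() {
    vuln_dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$vuln_dir"/*; do
        [ -r "$f" ] || continue           # unmatched glob or unreadable entry
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Count entries the kernel reports as "Vulnerable" (no mitigation active).
# grep -c exits 1 on a zero count, so append "|| true" to keep set -e happy.
count_unmitigated() {
    report_mitigations "$1" | grep -c ': Vulnerable' || true
}

# Report the global mitigations= boot parameter: "off", "auto", "auto,nosmt",
# or "default" when the parameter is absent (kernel config decides).
# The last occurrence wins, matching how the kernel parses repeated params.
mitigations_mode() {
    cmdline_file="${1:-/proc/cmdline}"
    mode=$(tr ' ' '\n' < "$cmdline_file" | sed -n 's/^mitigations=//p' | tail -n 1)
    printf '%s\n' "${mode:-default}"
}

# Usage on a live host:
#   report_mitigations; echo "unmitigated: $(count_unmitigated)"
#   echo "mitigations= mode: $(mitigations_mode)"
```

A hypervisor host that shows `mitigations=off` or any `Vulnerable` entry is running with the guest-to-host isolation the thread is worried about switched off, regardless of what the vendor guidance says.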


Comments
According to the research paper: https://comsec-files.ethz.ch/papers/vmscape_sp26.pdf:
Bad news: all recent AMD CPUs (Zen1-5) are affected as well.
Worse news: SEV-SNP isolation broken as well for Zen1-4.
Good news: software mitigations available for Guest kernel and Hypervisor.
Better news: SEV-SNP on Zen5 still good against Host to Guest exploitations.
Getting tired of this shit.
Security is the only way. I don't care if it gets to the stone-age performance era, but just fucking make secure hardware and software.