oss-sec mailing list archives

Re: Xen Security Advisory 439 v1 (CVE-2023-20588) - x86/AMD: Divide speculative information leak


From: Solar Designer <solar () openwall com>
Date: Tue, 3 Oct 2023 22:12:13 +0200

On Tue, Sep 26, 2023 at 09:59:19PM -0400, Demi Marie Obenour wrote:
> These detailed security advisories are one of the things I love about
> Xen.  It's hard to trust a hypervisor (KVM) that will not issue them,
> for then one has no way to know if a particular problem got fixed.

I concur.  I'd appreciate security advisories from the KVM project.

> I'm CCing KVM here to make sure they have a fix.  From their Git commit
> history, I am almost certain that seL4 does not.  I'm CCing the seL4
> developers to alert them of this and suggest that the x86 port be
> removed or at least have a big warning.

I strongly oppose removal of a port/support for a certain architecture
just because some implementations of it are/were problematic.  Adding a
warning is fine.

Alexander

P.S. Demi Marie, please note that oss-security list content guidelines
explicitly discourage CC'ing other lists(*), and Xen advisories are
already stretching this.  In this reply, I am still CC'ing many of what
you had CC'ed as I am following up on your specific points relevant to
those lists, but in general let's be more careful about this.

(*) Because we may then get off-topic follow-ups from there, especially
if CC'ing project user lists or high-volume lists like LKML.  In this
specific case, we're lucky so far.

