Meltdown and Spectre Exposure Analysis : Xen, Linux, Windows

	A	B	C	D	E	F	G	I	J	K	M
1	Values in these Summary Tables are populated from data in the Exposure sheet. Table structure and text is from the Xen FAQ.
2	Xen FAQ:	https://blog.xenproject.org/2018/01/22/xen-project-spectre-meltdown-faq-jan-22-update/									Notes on Exposure sheet data source
3	Mitigations referenced by ID below are documented in the Mitigations sheet
4
5	Variant 3 : Xen exposure
6	Guest Type	Is a user space attack from a guest to Xen possible?		Is a kernel space attack from a guest to Xen possible?				Mitigation for user space attack from a guest to Xen	Mitigation for kernel space attack from guest to Xen
7	32 bit PV	No		No
8	64 bit PV	Yes	[1]	Yes	[1]			VIXEN, COMET, RUDOLPH, XPTI-S1, XPTI-VCPU-STACKS, XPTI	VIXEN, COMET, RUDOLPH, XPTI-S1, XPTI-VCPU-STACKS, XPTI		Using Intel values here, not AMD.
9	HVM	No		No
10	PVH	No		No
11	ARM [1]	No		No							Using ARM64 values.
12
13	[1] Several mitigation options have been developed with different trade-offs. See Question 2.2.
14
15	Variant 3 : Guest exposure
16	Guest Type	Is a user space attack on the guest kernel possible (when running in a Xen VM)?		Is a user space attack on other guests possible (when running in a Xen VM)?		Is a kernel space attack on other guests possible (when running in a Xen VM)?		Mitigation for user space attack on guest kernel	Mitigation for user space attack on other guests	Mitigation for kernel space attack on other guests
17	32 bit PV	Yes	[1]	No		No		KPTI-32
18	64 bit PV	No	[2]	Yes	[3]	Yes	[3]		VIXEN, COMET, RUDOLPH, XPTI-S1, XPTI-VCPU-STACKS, XPTI	VIXEN, COMET, RUDOLPH, XPTI-S1, XPTI-VCPU-STACKS, XPTI	Using Intel values here, not AMD.
19	HVM	Yes	[1]	No		No		KPTI, KPTI-32 KAISER, MS-SPECCTL
20	PVH	Yes	[1]	No		No		KPTI, KAISER
21	ARM	Yes	[1]	No		No		KPTI, KAISER			Using ARM64 values.
22
23	[1] Can be mitigated by the Linux KPTI patch and similar patches for other operating systems
24	[2] Although, a direct user space attack on the kernel is not possible, user space can indirectly be exploited via [3]. When Vixen and Comet are deployed, all guest memory is mapped by the “shim,” which is itself vulnerable to Meltdown. The Xen PTI patches protect both the hypervisor and the guest kernel from attacks from the guest user (without need for additional guest kernel patches). Note that KPTI is automatically disabled when running in 64 bit PV guests: thus running Xen PTI together with KPTI should not have any adverse effects.
25	[3] Mitigated by stage-1 Xen PTI
26
27	Variant 2 : Xen exposure
28	Guest Type	Is a user space attack from a guest to Xen possible?		Is a kernel space attack from a guest to Xen possible?				Mitigation for user space attack from a guest to Xen	Mitigation for kernel space attack from guest to Xen
29	x86	Yes	[1]	Yes	[1]			XEN-IB-CTRL-X86	XEN-IB-CTRL-X86		Using 64-bit PV Intel values
30	ARM 32 [1]	Yes	[2]	Yes	[2]			XEN-BP-HARD-ARM32	XEN-BP-HARD-ARM32
31	ARM 64 [1]	Yes	[2]	Yes	[2]			XEN-BP-HARD-ARM64	XEN-BP-HARD-ARM64
32
33	[1] See Question 3.4.1 : Plans for Intel and AMD CPUs.
34	[2] See Question 3.4.2 : Affected ARM CPUs.
35
36	Variant 2 : Guest exposure
37	Guest Type	Is a user space attack on other user processes or the guest kernel within the same guest possible (when running in a Xen VM)?		Is a user space attack on other guests possible (when running in a Xen VM)?		Is a kernel space attack on other guests possible (when running in a Xen VM)?		Mitigation for user space attack on other user processes or guest kernel within the same guest	Mitigation for user space attack on other guests	Mitigation for kernel space attack on other guests
38	x86	Yes	[2]	Yes	[3]	Yes	[3]	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-IB-CTRL-X86	CPU-PIN, XEN-IB-CTRL-X86	CPU-PIN, XEN-IB-CTRL-X86	Using 64-bit PV Intel values
39	ARM 32 [1]	Yes	[2]	Yes	[4]	Yes	[4]	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-BP-HARD-ARM32	CPU-PIN, XEN-BP-HARD-ARM32	CPU-PIN, XEN-BP-HARD-ARM32
40	ARM 64 [1]	Yes	[2]	Yes	[5]	Yes	[5]	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-BP-HARD-ARM64	CPU-PIN, XEN-BP-HARD-ARM64	CPU-PIN, XEN-BP-HARD-ARM64
41
42	[1] ARM has information on affected models on the following website: https://developer.arm.com/support/security-update. According to Cavium Thunder X1 is not vulnerable to Spectre (both variants).
43	[2] Mitigated by retpoline or firmware based Indirect Branch Control mitigations in guest operating systems
44	[3] Mitigated by “Intel and AMD CPUs” approach as outlined in question 3.4.1
45	[4] Mitigated by “Affected ARM CPUs” (64 bit) approach as outlined in question 3.4.2
46	[5] Mitigated by “Affected ARM CPUs” (32 bit) approach as outlined in question 3.4.2
47
48	Variant 1 : Xen exposure
49	Guest Type	Is a user space attack from a guest to Xen possible?		Is a kernel space attack from a guest to Xen possible?				Mitigation for user space attack from a guest to Xen	Mitigation for a kernel space attack from a guest to Xen
50	x86	Yes	[2]	Yes	[2]
51	ARM [1]	Yes	[2]	Yes	[2]
52
53	[1] ARM has information on affected models on the following website: https://developer.arm.com/support/security-update. According to Cavium Thunder X1 is not vulnerable to Spectre (both variants).
54	[2] See question 4.3 : "Are mitigations for Spectre (Variant 1) possible?"
55
56	Variant 1 : Guest exposure
57	Guest Type	Is a user space attack on other user processes or the guest kernel within the same guest possible (when running in a Xen VM)?		Is a user space attack on other guests possible (when running in a Xen VM)?		Is a kernel space attack on other guests possible (when running in a Xen VM)?		Mitigation for user space attack on other user processes or guest kernel within the same guest	Mitigation for user space attack on other guests	Mitigation for kernel space attack on other guests
58	x86	Yes	[2]	?	[3]	Yes	[3]	KBOUNDS, BPF-BOUNDS	CPU-PIN	CPU-PIN
59	ARM [1]	Yes	[2]	?	[3]	?	[3]	KBOUNDS, BPF-BOUNDS	CPU-PIN	CPU-PIN
60
61	[1] ARM has information on affected models on the following website: https://developer.arm.com/support/security-update. According to Cavium Thunder X1 is not vulnerable to Spectre (both variants).
62	[2] Please refer to guest operating system specific mitigations
63	[3] See question 4.3 : "Are mitigations for Spectre (Variant 1) possible?"

	A	B	C	D	E	F	G	H	I
1		Variant 1: Spectre, Bounds-check bypass [MISPREDICT]		Variant 2: Spectre, Branch Target Injection [BTI]		Variant 3. Meltdown, Rogue Data Load [PRIV-LOAD]		Variant 3a. Meltdown, Rogue Register Read [PRIV-REG]
2	Configuration	Affected?	Mitigation	Affected?	Mitigation	Affected?	Mitigation	Affected?	Mitigation

3	Is a user space attack on processes in the same guest possible?
4	32-bit PV, Intel	Yes	KBOUNDS, BPF-BOUNDS	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-IB-CTRL-X86	Yes	KPTI-32	No
5	64-bit PV, Intel	Yes	KBOUNDS, BPF-BOUNDS	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-IB-CTRL-X86	Yes	KPTI, VIXEN, COMET, RUDOLPH, XPTI-S1, XPTI-VCPU-STACKS, XPTI	No
6	32-bit PV, AMD	Yes	KBOUNDS, BPF-BOUNDS	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-IB-CTRL-X86	No		No
7	64-bit PV, AMD	Yes	KBOUNDS, BPF-BOUNDS	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-IB-CTRL-X86	No		No
8	HVM (32-bit or 64-bit)	Yes	KBOUNDS, BPF-BOUNDS, MS-SPECCTL	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-IB-CTRL-X86	No		No
9	PVHv1 (deprecated)	Yes	KBOUNDS, BPF-BOUNDS	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-IB-CTRL-X86	No		No
10	PVHv2 (modern PVH)	Yes	KBOUNDS, BPF-BOUNDS	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-IB-CTRL-X86	No		No
11	ARM32	Yes	KBOUNDS, BPF-BOUNDS	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-BP-HARD-ARM32	No		No
12	ARM64 (32 & 64-bit VM)	Yes	KBOUNDS, BPF-BOUNDS	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-BP-HARD-ARM64	No		No
13
14	Is a user space attack on the guest kernel possible?
15	32-bit PV, Intel	Yes	KBOUNDS, BPF-BOUNDS	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-IB-CTRL-X86	Yes	KPTI-32	No
16	64-bit PV, Intel	Yes	KBOUNDS, BPF-BOUNDS	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-IB-CTRL-X86	No		No
17	32-bit PV, AMD	Yes	KBOUNDS, BPF-BOUNDS	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-IB-CTRL-X86	No		No
18	64-bit PV, AMD	Yes	KBOUNDS, BPF-BOUNDS	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-IB-CTRL-X86	No		No
19	HVM (32-bit or 64-bit)	Yes	KBOUNDS, BPF-BOUNDS, MS-SPECCTL	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-IB-CTRL-X86	Yes	KPTI, KPTI-32 KAISER, MS-SPECCTL	No
20	PVHv1 (deprecated)	Yes	KBOUNDS, BPF-BOUNDS	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-IB-CTRL-X86	?	KPTI, KAISER	No
21	PVHv2 (modern PVH)	Yes	KBOUNDS, BPF-BOUNDS	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-IB-CTRL-X86	Yes	KPTI, KAISER	No
22	ARM32	Yes	KBOUNDS, BPF-BOUNDS	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-BP-HARD-ARM32	Yes	KPTI-32	No
23	ARM64 (32 & 64-bit VM)	Yes	KBOUNDS, BPF-BOUNDS	Yes	KRETPOLINE, FTRACE-KRETPOLINE, VM-IBRS, KIBRS, XEN-BP-HARD-ARM64	Yes	KPTI, KAISER	No
24
25	Is a user space attack on a different guest possible?
26	32-bit PV, Intel	?	CPU-PIN	Yes	CPU-PIN, XEN-IB-CTRL-X86	No		No
27	64-bit PV, Intel	?	CPU-PIN	Yes	CPU-PIN, XEN-IB-CTRL-X86	Yes	VIXEN, COMET, RUDOLPH, XPTI-S1, XPTI-VCPU-STACKS, XPTI	No
28	32-bit PV, AMD	?	CPU-PIN	Yes	CPU-PIN, XEN-IB-CTRL-X86	No		No
29	64-bit PV, AMD	?	CPU-PIN	Yes	CPU-PIN, XEN-IB-CTRL-X86	No		No
30	HVM (32-bit or 64-bit)	?	CPU-PIN	Yes	CPU-PIN, XEN-IB-CTRL-X86	No		No
31	PVHv1 (deprecated)	?	CPU-PIN	Yes	CPU-PIN, XEN-IB-CTRL-X86	?		No
32	PVHv2 (modern PVH)	?	CPU-PIN	Yes	CPU-PIN, XEN-IB-CTRL-X86	No		No
33	ARM32	?	CPU-PIN	Yes	CPU-PIN, XEN-BP-HARD-ARM32	No		No
34	ARM64 (32 & 64-bit VM)	?	CPU-PIN	Yes	CPU-PIN, XEN-BP-HARD-ARM64	No		No
35
36	Is a user space attack on Xen possible?
37	32-bit PV, Intel	Yes		Yes	XEN-IB-CTRL-X86	No		No
38	64-bit PV, Intel	Yes		Yes	XEN-IB-CTRL-X86	Yes	VIXEN, COMET, RUDOLPH, XPTI-S1, XPTI-VCPU-STACKS, XPTI	No
39	32-bit PV, AMD	Yes		Yes	XEN-IB-CTRL-X86	No		No
40	64-bit PV, AMD	Yes		Yes	XEN-IB-CTRL-X86	No		No
41	HVM (32-bit or 64-bit)	Yes		Yes	XEN-IB-CTRL-X86	No		No
42	PVHv1 (deprecated)	Yes		Yes	XEN-IB-CTRL-X86	?		No
43	PVHv2 (modern PVH)	Yes		Yes	XEN-IB-CTRL-X86	No		No
44	ARM32	Yes		Yes	XEN-BP-HARD-ARM32	No		No
45	ARM64 (32 & 64-bit VM)	Yes		Yes	XEN-BP-HARD-ARM64	No		No
46
47	Is a kernel space attack on a different guest possible?
48	32-bit PV, Intel	?	CPU-PIN	Yes	CPU-PIN, XEN-IB-CTRL-X86	No		No
49	64-bit PV, Intel	Yes	CPU-PIN	Yes	CPU-PIN, XEN-IB-CTRL-X86	Yes	VIXEN, COMET, RUDOLPH, XPTI-S1, XPTI-VCPU-STACKS, XPTI	No
50	32-bit PV, AMD	?	CPU-PIN	Yes	CPU-PIN, XEN-IB-CTRL-X86	No		No
51	64-bit PV, AMD	Yes	CPU-PIN	Yes	CPU-PIN, XEN-IB-CTRL-X86	No		No
52	HVM (32-bit or 64-bit)	?	CPU-PIN	Yes	CPU-PIN, XEN-IB-CTRL-X86	No		No
53	PVHv1 (deprecated)	?	CPU-PIN	Yes	CPU-PIN, XEN-IB-CTRL-X86	?		No
54	PVHv2 (modern PVH)	?	CPU-PIN	Yes	CPU-PIN, XEN-IB-CTRL-X86	No		No
55	ARM32	?	CPU-PIN	Yes	CPU-PIN, XEN-BP-HARD-ARM32	No		No
56	ARM64 (32 & 64-bit VM)	?	CPU-PIN	Yes	CPU-PIN, XEN-BP-HARD-ARM64	No		No
57
58	Is a kernel space attack on Xen possible?
59	32-bit PV, Intel	?		Yes	XEN-IB-CTRL-X86	No		No
60	64-bit PV, Intel	Yes		Yes	XEN-IB-CTRL-X86	Yes	VIXEN, COMET, RUDOLPH, XPTI-S1, XPTI-VCPU-STACKS, XPTI	No
61	32-bit PV, AMD	?		Yes	XEN-IB-CTRL-X86	No		No
62	64-bit PV, AMD	Yes		Yes	XEN-IB-CTRL-X86	No		No
63	HVM (32-bit or 64-bit)	Yes		Yes	XEN-IB-CTRL-X86	No		No
64	PVHv1 (deprecated)	?		?	XEN-IB-CTRL-X86	?		No
65	PVHv2 (modern PVH)	Yes		Yes	XEN-IB-CTRL-X86	No		No
66	ARM32	Yes		Yes	XEN-BP-HARD-ARM32	No		No
67	ARM64 (32 & 64-bit VM)	Yes		Yes	XEN-BP-HARD-ARM64	No		No
68
69	Document data
70	Authors:	Christopher Clark (BAE Systems, OpenXT), Doug Goldstein (Rackspace), Rich Persaud (BAE Systems, OpenXT)
71	Revision:	2018-01-25
72	License:	CC-BY-4.0		https://creativecommons.org/licenses/by/4.0/
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981

	A	B	C	D	E	F	G	H	I	J	K	L	M	N	O	P
1	Mitigations and relevant technology
2	Name	Aka	Reference ID	Defects addressed			Component	Versions available to	Availability	EOL comment	Dependencies and related technology	Known issues	Comments	Reference date	Reference link
3	Name	Aka	Reference ID	SP1	SP2	SP3	Component	Versions available to	Availability	EOL comment	Dependencies and related technology	Known issues	Comments	Reference date	Reference link

4	XPTI stage 1	"Meltdown bandaid", XPTI-lite	XPTI-S1			3	Xen		Jan 2018			Reduces but does not eliminate exposed state.	Original patch series	12-Jan-18	https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg01039.html
5															https://xenbits.xen.org/xsa/xsa254/README.pti
6													Patch iteration: incorporate feedback	16-Jan-18	https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg01373.html
7													Patch addition: performance improvement	18-Jan-18	https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg01609.html
8													Patch addition: 25% increase in performance	23-Jan-18	https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg01998.html
9													Patch addition: performance improvement	26-Jan-18	https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg02458.html
10	XPTI : per-vcpu stacks	"xen/x86: use per-vcpu stacks for 64 bit pv domains"	XPTI-VCPU-STACKS			3	Xen		Jan 2018			Reduces but does not eliminate exposed state.	Proposed as replacement for first XPTI RFC patch series: "x86: Prerequisite work for a Xen KAISER solution"	22-Jan-18	https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg01871.html
11															https://github.com/jgross1/xen/tree/xpti
12														9-Feb-18	https://lists.xenproject.org/archives/html/xen-devel/2018-02/msg00761.html
13	XPTI stage N, final		XPTI			3	Xen		multiple months			Extensive patch series, currently incomplete		4-Jan-18	https://lists.xen.org/archives/html/xen-devel/2018-01/msg00274.html
14	Vixen	Amazon Meltdown mitigation	VIXEN			3	Xen	3.4 - 4.10	Jan 2018		VT-x	No migrate, no save / restore. 64 VCPU limit.		6-Jan-18	https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg00436.html
15	Comet	Citrix PV-shim Meltdown mitigation	COMET			3	Xen	4.8, 4.9, 4.10	4.10 now, 4.8 and 4.9 within days		VT-x	No support for PCI passthrough. 64 VCPU limit.		4-Jan-18	https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg00188.html
16	Comet	Citrix PV-shim Meltdown mitigation	COMET			3	Xen	4.8, 4.9, 4.10	4.10 now, 4.8 and 4.9 within days		VT-x	No support for PCI passthrough. 64 VCPU limit.		12-Jan-18	https://lists.xen.org/archives/html/xen-devel/2018-01/msg01057.html
17	Rudolph	Merge of Vixen and Comet	RUDOLPH			3	Xen	4.11+	weeks from now		VT-x	64 VCPU limit.		12-Jan-18	https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg01123.html
18	Rudolph	Merge of Vixen and Comet	RUDOLPH			3	Xen	4.11+	weeks from now		VT-x	64 VCPU limit.			http://xenbits.xen.org/xsa/xsa254/README.which-shim
19	Virtualized Indirect Branch Controls	Make Indirect Branch Controls available to guests to allow OS level protection	VM-IBRS		2		Xen		Jan 2018		SMEP, SMEP-XEN		Present IBRS support to guest VMs		https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg01621.html
20	x86 Xen SP2 Mitigation patches: Branch Target Injection controls	Xen indirect thunk support: retpoline, jmp, lfence	XEN-IB-CTRL-X86		2		Xen	4.10, 4.11	Jan 2018		INDIRECT-FLAG-GCC, INTEL-UCODE, SMEP-XEN, SMEP, IBRS, IBPB, STIBP, VM-IBRS		Retpoline preferred on Intel (although note that Skylake+ adds complexity). lfence preferred on AMD. See also RSB/RAS poisoning on entry to Xen to contain speculation.	12-Jan-18	https://lists.xen.org/archives/html/xen-devel/2018-01/msg01156.html
21	ARM64 Xen SP2 Mitigation patches	Branch predictor hardening	XEN-BP-HARD-ARM64		2		Xen	4.8 - 4.10, 4.7 backport soon	Jan 2018		ARM-FWARE			16-Jan-18	https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg01365.html
22	ARM64 Xen SP2 Mitigation patches	Branch predictor hardening	XEN-BP-HARD-ARM64		2		Xen	4.8 - 4.10, 4.7 backport soon	Jan 2018		ARM-FWARE				https://xenbits.xen.org/gitweb/?p=xen.git;a=commit;h=e730f8e41e8537f1db9770b9464f9523c28857b9
23	ARM32 Xen SP2 Mitigation patches	Branch predictor hardening	XEN-BP-HARD-ARM32		2		Xen		soon, patched posted		ARM-FWARE ?			19-Jan-18	https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg01798.html
24	ARM64 Xen SP1 Mitigation patches		XEN-SP1-ARM64	1			Xen				ARM-SP1-COMP
25	ARM32 Xen SP1 Mitigation patches		XEN-SP1-ARM32	1			Xen				ARM-SP1-COMP
26	SMEP-enabled Xen		SMEP-XEN		2		Xen	4.1 onwards			SMEP
27	Panopticon Xen			1	2		Xen	None currently			XPTI	A large volume of work to undertake	Architectural restructuring within Xen to potentially mitigate all information leaks	22-Jan-18	https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg01914.html
28
29	KPTI for 64-bit Linux	most recent patch series	KPTI			3	Linux kernel	4.14+	Jan 2018		PCID improves perf				https://lkml.org/lkml/2017/12/4/709
30	KPTI for 32-bit Linux	SuSE 32-bit patch series	KPTI-32			3	Linux kernel	??	soon, patches posted		KPTI, x86-only				http://lkml.iu.edu/hypermail/linux/kernel/1801.2/00657.html
31	KPTI for 32-bit Linux	SuSE 32-bit patch series	KPTI-32			3	Linux kernel	??	soon, patches posted		KPTI, x86-only				https://lkml.org/lkml/2018/1/16/1080
32	KPTI control	Policy control for per-process KPTI enable/disable	KPTI-CONTROL				Linux kernel				KPTI				https://lkml.org/lkml/2018/1/10/902
33	KAISER	earlier patch series	KAISER			3	Linux kernel	4.9 and 4.11	Jan 2018		PCID improves perf	Potentially incomplete protection			https://news.ycombinator.com/item?id=16087736
34	KAISER	earlier patch series	KAISER			3	Linux kernel	4.9 and 4.11	Jan 2018		PCID improves perf	Potentially incomplete protection			https://lkml.org/lkml/2017/11/27/284
35	Linux Kernel support for Indirect Branch Controls (IBRS etc)		KIBRS		2	3 ?	Linux kernel		Jan 2018		IBRS, STIBP, IBPB, INTEL-UCODE				https://lkml.org/lkml/2018/1/22/598
36	Dynamic IBRS kernel support		K-IBRS-OPT		2	3 ?	Linux kernel		Jan 2018		IBRS, STIBP, IBPB, INTEL-UCODE	Significant performance impact			http://lkml.iu.edu/hypermail/linux/kernel/1801.2/05282.html
37	Always-on IBRS kernel support		K-IBRS-ON		2	3 ?	Linux kernel				Skylake or later Intel processor, IBRS. INTEL-UCODE	Significant performance impact			http://lkml.iu.edu/hypermail/linux/kernel/1801.2/05282.html
38	Bounds check kernel support	"prevent bounds-check bypass via speculative execution"	KBOUNDS	1			Linux kernel	4.15	Jan 2018		NOSPEC				https://lkml.org/lkml/2018/1/18/858
39	BPF anti-speculation changes	"bpf: prevent out-of-bounds speculation"	BPF-BOUNDS	1			Linux kernel								https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b2157399cc9898260d6031c5bfe45fe137c1fbe7
40	Retpoline kernel support	"Avoid speculative indirect calls in kernel"	KRETPOLINE		2		Linux kernel	4.9.77, 4.14.14, 4.15	Jan 2018		INDIRECT-FLAG-GCC, Processor-pre-Skylake	Concern that Skylake+ fall back to insecure behaviour https://lkml.org/lkml/2018/1/4/724	Includes Intel and AMD support. Poisons RSB on kernel entry.		https://support.google.com/faqs/answer/7625886	https://lkml.org/lkml/2018/1/11/804
41	Repurpose function tracer to inject retpoline to avoid IBRS	Function tracer retpoline insertion	FTRACE-KRETPOLINE		2		Linux kernel				KRETPOLINE	Requires CONFIG_FUNCTION_TRACER=y on x86 kernels	Proposed by Ingo Molnar as performance improvement to avoid expensive KIBRS		https://lkml.org/lkml/2018/1/23/25
42	PCID kernel context switch optimization		KPCID			3	Linux kernel		Jan 2018		PCID, INVPCID, KPTI	Only available for 64-bit kernels	Performance accelerator for context switches		https://lkml.org/lkml/2016/1/8/914
43
44	Microsoft Windows speculation controls		MS-SPECCTL	1	2	3	Windows OS	Windows 10, Windows 8.1, Windows Server 2012 R2, Windows Server 2016, Windows 7 SP1, Windows Server 2008 R2 SP1	Jan 2018		PCID, INVPCID, INTEL-UCODE, IBPB, STIBP, IBRS				https://support.microsoft.com/en-ca/help/4072698/windows-server-guidance-to-protect-against-the-speculative-execution
45															https://support.microsoft.com/en-us/help/4073707/windows-operating-system-security-update-for-amd-based-devices
46															https://twitter.com/aionescu/status/948818841747955713
47
48	CPU pinning	Separate distrusting VMs onto different physical CPUs	CPU-PIN	1	2		VM configuration	All	always				Separate VMs onto distinct physical CPUs		https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg00403.html
49
50	Disable hyperthreads		NO-HT	1	2		BIOS configuration	All	always				Reduces multiplexing of CPU resources between different execution contexts
51	Enable SMEP in BIOS		SMEP-BIOS				BIOS configuration
52
53	Microcode feature: IBPB	Indirect Branch Prediction Barrier	IBPB		2		Microcode, Processor		Jan 2018		INTEL-UCODE	Expensive instruction to execute			https://lkml.org/lkml/2018/1/22/598
54															https://lwn.net/Articles/743293/
55															https://software.intel.com/sites/default/files/managed/c5/63/336996-Speculative-Execution-Side-Channel-Mitigations.pdf
56	Microcode feature: STIBP	Single Thread Indirect Branch Predictor	STIBP		2		Microcode, Processor		Jan 2018		INTEL-UCODE		Assists isolation of hyperthreads		https://lkml.org/lkml/2018/1/22/599
57															https://lwn.net/Articles/743293/
58															https://software.intel.com/sites/default/files/managed/c5/63/336996-Speculative-Execution-Side-Channel-Mitigations.pdf
59	Microcode feature: IBRS	Indirect Branch Restricted Speculation	IBRS		2		Microcode, Processor		Jan 2018		INTEL-UCODE	Invasive to kernel and hypervisor code. Expensive instruction to execute, especially on pre-Skylake CPUs.	More important on Skylake+ processors due to ret instruction using branch predictor.		https://lkml.org/lkml/2018/1/22/600
60															https://lwn.net/Articles/743293/
61															https://software.intel.com/sites/default/files/managed/c5/63/336996-Speculative-Execution-Side-Channel-Mitigations.pdf
62	CPU instruction: LFENCE		LFENCE	1	2		Processor		Jan 2018				Intel and AMD recommended speculation barrier instruction
63	Processor feature: IBRS_ATT	"IBRS All The Time": IBRS_ATT, IBRS_ALL	IBRS_ATT				Processor				NEW-INTEL-PROC
64	Intel CPU microcode		INTEL-UCODE		2		Processor Firmware	5 years prior +	Jan 2018			Instability reports	Provides new MSRs for use on kernel entry and exit	16-Jan-18	https://software.intel.com/sites/default/files/managed/c5/63/336996-Speculative-Execution-Side-Channel-Mitigations.pdf
65															https://newsroom.intel.com/news/firmware-updates-and-initial-performance-data-for-data-center-systems/
66															https://newsroom.intel.com/news/root-cause-of-reboot-issue-identified-updated-guidance-for-customers-and-partners/
67	AMD CPU microcode		AMD-UCODE				Processor Firmware						Provides new MSRs for use on kernel entry and exit		https://www.amd.com/en/corporate/speculative-execution
68	ARM CPU CSDB instruction	Conditional Select Data Barrier	ARM-CSDB	1			Processor		Jan 2018		ARM-FWARE		Available for both ARM32 and ARM64
69	ARM CPU firmware		ARM-FWARE		2		Processor Firmware		not yet						https://lists.xenproject.org/archives/html/xen-devel/2018-01/msg01365.html
70	SMEP processor feature		SMEP		2		Processor				SMEP-BIOS
71	PCID processor feature	Process Context Identifier	PCID			3	Processor		Westmere onwards			Windows depends on INVPCID, on Haswell and later; Linux does not require it			https://gist.github.com/woachk/2f86755260f2fee1baf71c90cd6533e9
72	INVPCID processor feature		INVPCID			3	Processor				PCID
73	New immune Intel processors		NEW-INTEL-PROC	1	2	3	Processor	None	2018 ?						https://wccftech.com/intel-hardware-changes-new-cpus-fix-meltdown-spectre-2018/
74	New immune AMD processors		NEW-AMD-PROC	1	2		Processor	None	2018 ?
75	New immune ARM processors		NEW-ARM-PROC	1	2	3	Processor	None	2018 ?
76
77	ARM SP1 mitigation compiler support		ARM-SP1-COMP	1			Compiler				ARM-CSDB				https://developer.arm.com/support/security-update/compiler-support-for-mitigations
78	GCC __builtin_load_no_speculate	limit speculation by a CPU after a bounds-checked memory access	NOSPEC-GCC	1			Compiler		Jan 2018						https://gcc.gnu.org/ml/gcc-patches/2018-01/msg00205.html
79	LLVM __builtin_load_no_speculate	limit speculation by a CPU after a bounds-checked memory access	NOSPEC-LLVM	1			Compiler		Jan 2018						https://reviews.llvm.org/D41760
80	ARM __builtin_load_no_speculate migration wrapper	ARM speculation barrier header	NOSPEC-ARM.H	1			Source code		Jan 2018				Enables use of speculation barrier prior to upgrading compiler		https://github.com/ARM-software/speculation-barrier
81	Retpoline software construct		RETPOLINE		2		Source code		Jan 2018				Anti branch target injection instruction sequence		https://support.google.com/faqs/answer/7625886
82	GCC Retpoline compiler support	-mindirect-branch, -mindirect-return, -mindirect-branch-register	INDIRECT-FLAG-GCC		2		Compiler	7.3 and 8.1	Jan 2018		RETPOLINE				http://git.infradead.org/users/dwmw2/gcc-retpoline.git/shortlog/refs/heads/gcc-7_2_0-retpoline-20171219
83	GCC Retpoline compiler support		INDIRECT-FLAG-GCC		2		Compiler	7.3 and 8.1	Jan 2018		RETPOLINE				https://github.com/hjl-tools/gcc/commits/hjl/indirect/gcc-7-branch/master
84	LLVM Retpoline compiler support		INDIRECT-FLAG-LLVM		2		Compiler	to be backported to 5.0 and 6.0	in progress		RETPOLINE				https://reviews.llvm.org/D41723
85	MSVC speculation mitigation compiler support		MSVC-SPECCTL	1	2		Compiler	15.5.3, 15.6 Preview 4	Jan 2018		LFENCE, RETPOLINE	Spectre mitigations are only applied to code generated when Optimization is enabled.	See /Qspectre switch		https://blogs.msdn.microsoft.com/vcblog/2018/01/15/spectre-mitigations-in-msvc/	https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/
86
87
88	Document data
89	Authors:	Christopher Clark (BAE Systems, OpenXT), Rich Persaud (BAE Systems, OpenXT)
90	Revision:	2018-01-29
91	License:	CC-BY-4.0	https://creativecommons.org/licenses/by/4.0/

	A	B	C	D	E	F	G	H	I	J
1	Meltdown mitigations for 64-bit PV guest VMs
2
3		XPTI-S1	XPTI-vCPU-Stacks	XPTI	Switch to PVH	Switch to HVM	Vixen	Comet	Rudolph	Source Reference
4		"band-aid"	"per-vcpu stacks"
5	Configuration
6	Running Guest Type	PV	PV	PV	PVH	HVM	HVM	PVH	PVH
7	Current earliest Xen version	4.6	4.10	Not available	4.10	All	3.4	4.10	Not available	http://xenbits.xen.org/xsa/advisory-254.html
8	Future earliest Xen version	4.6	?	4.12 ?	4.10	All	3.4	4.8	4.12 ?
9	Guest OS compatibility	All	All	All	Linux 4.11+ unikernels	Most	All	All	All	http://xenbits.xen.org/xsa/advisory-254.html
10
11	Coverage of Mitigation
12	Protection of Xen	Substantial	Substantial	Protected	Protected	Protected	Protected	Protected	Protected	http://xenbits.xen.org/xsa/advisory-254.html
13	Protection within guest	Protected	Protected	Protected	Guest patches	Guest patches	Vulnerable	Vulnerable	?	http://xenbits.xen.org/xsa/advisory-254.html
14	Protection from dom0 user space	Protected	Protected	Protected	Not available	Not available	Not available	Not available	Not available	http://xenbits.xen.org/xsa/advisory-254.html
15	Testing status	Limited	Limited	Not available	Good	Excellent	Very good	Moderate	Not available	http://xenbits.xen.org/xsa/advisory-254.html
16
17	Xen Feature Compatibility
18	PCI passthrough	Yes	Yes	Yes	No	Yes	No	No	No
19	No requirement for VT-x	Yes	Yes	Yes	No	No	No	No	No
20	No requirement for Qemu	Yes	Yes	Yes	Yes	No	No	Yes	Yes	http://xenbits.xen.org/xsa/xsa254/README.which-shim
21	Memory ballooning	Yes	Yes	Yes	Yes	Yes	No	Yes	Yes	http://xenbits.xen.org/xsa/xsa254/README.which-shim
22	VM migration	Yes	Yes	Yes	Yes	Most	No	Yes	Yes	http://xenbits.xen.org/xsa/xsa254/README.which-shim
23	VCPU hotplug	Yes	Yes	Yes	Yes	Yes	No	Yes	Yes	http://xenbits.xen.org/xsa/xsa254/README.which-shim
24	Max number of VCPUs per VM				64	64	64	64	64
25	Bidirectional VM console	Yes	Yes	Yes	Yes	Yes	No	Yes	Yes	http://xenbits.xen.org/xsa/xsa254/README.which-shim
26	Pygrub	Yes	Yes	Yes	Yes	Unnecessary	No	Yes	Yes	http://xenbits.xen.org/xsa/xsa254/README.which-shim
27
28	Cost of Mitigation
29	Memory consumed by Qemu	No	No	No	No	Yes	Yes	No	No	http://xenbits.xen.org/xsa/advisory-254.html
30	Memory consumed by a shim	No	No	No	No	No	Yes	Yes	Yes	http://xenbits.xen.org/xsa/advisory-254.html
31	Performance	Fair	Better	?	Excellent	Variable	Fair	Fair	?	http://xenbits.xen.org/xsa/advisory-254.html

	A	B	C	D	E	F	G	H	I	J	K	L	M	N	O	P	Q	R	S	T	U
1	Note: Partially-complete data so far. Additions / revisions welcome.
2							SMAP			SMEP			PCID			INVPCID			fTPM, ME CPU	ME CPU execution	ME CPU branch prediction
3	Availability Year	Gen	Microarchitecture	eg. Desktop CPU	eg. Laptop CPU	eg. Server CPU	D	L	S	D	L	S	D	L	S	D	L	S
4	2012	2	Sandy Bridge	Core i5-2500			No	No	No	No	No	No	Yes	Yes	Yes	No	No	No	ARCompact
5	2013	3	Ivy Bridge	Core i5-3570			No	No	No	No	No	No	Yes	Yes	Yes	No	No	No	ARCompact
6	2014	4	Haswell	Core i5-4690			No	No	Yes	Yes		Yes	Yes	Yes	Yes	Yes	Yes	Yes	ARCompact
7	2015	5	Broadwell	Core i5-5675C			Yes			Yes			Yes	Yes	Yes	Yes	Yes	Yes	ARCompact
8	2016	6	Skylake	Core i5-6600K						Yes			Yes	Yes	Yes	Yes	Yes	Yes	x86 Quark	Single-issue, in-order	Static
9	2017	7	Kaby Lake	Core i5-7600K						Yes			Yes	Yes	Yes	Yes	Yes	Yes	x86 Quark	Single-issue, in-order	Static
10	2017	8	Kaby Lake Refresh		Core-i5-8250U														x86 Quark	Single-issue, in-order	Static
11	2018	8	Coffee Lake	Core i5-8600K						Yes			Yes	Yes	Yes	Yes	Yes	Yes	x86 Quark	Single-issue, in-order	Static