A whole bunch of CPU vulnerabilities were revealed in the past few years: Meltdown and Spectre, SSB, L1TF and MDS -- and there's little hope that we've seen them all. Every time a new vulnerability is disclosed, the big cloud providers claim on day one that their hosts have been updated and that their users are secure. Is this so, or do we also need to do something inside our Linux guests to mitigate these vulnerabilities? And do we have the required tools to actually apply the mitigations? Are all of them enabled by default or not? And if not, why? In the talk I'll try to answer these questions.
The talk will cover recently discovered CPU vulnerabilities, starting with Meltdown and Spectre. I will go through them and try to highlight 'public cloud specifics': what has to be done (or can be done) in the infrastructure of the cloud, and what has to be done (or can be done) inside Linux guests, depending on the desired level of security and usage patterns.
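The first thing to check inside a guest is what the kernel itself reports for each of the vulnerabilities the talk names. Linux exposes this under /sys/devices/system/cpu/vulnerabilities/, one file per issue (meltdown, spectre_v1, spectre_v2, spec_store_bypass, l1tf, mds, and newer ones), each containing "Not affected", "Vulnerable..." or "Mitigation: ...". The script below is an added example, not material from the talk or its speaker: it reads that directory, classifies every entry, and counts what is still reported as vulnerable, which is the number a practitioner would want to be zero after the host and guest have both been updated. The sysfs path and the three status prefixes are the real kernel interface; the sample directory contents are constructed and only illustrative of what a guest might show.

```shell
#!/bin/sh
# Added example: summarize the guest kernel's own view of CPU vulnerability
# mitigations from /sys/devices/system/cpu/vulnerabilities/.
# The directory and status prefixes are the real kernel interface; the sample
# directory built by make_sample_dir is constructed for demonstration only.

SYSFS_VULN_DIR="${SYSFS_VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Classify one status string the way the kernel formats it:
#   "Not affected"  -> not_affected
#   "Vulnerable..." -> vulnerable   (includes "Vulnerable: ... no microcode" style reports)
#   "Mitigation: ..."-> mitigated
#   anything else   -> unknown      (future kernels may add new wording)
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        Vulnerable*)     echo vulnerable ;;
        Mitigation:*)    echo mitigated ;;
        *)               echo unknown ;;
    esac
}

# Print one tab-separated line per entry: <name> <class> <raw kernel status>.
report_mitigations() {
    dir="$1"
    [ -d "$dir" ] || { echo "no vulnerabilities directory at $dir" >&2; return 1; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # empty directory leaves the literal glob
        name=$(basename "$f")
        raw=$(cat "$f")
        printf '%s\t%s\t%s\n' "$name" "$(classify_status "$raw")" "$raw"
    done
}

# Number of entries still reported as Vulnerable; suitable as a boot-time or CI check.
count_vulnerable() {
    report_mitigations "$1" | awk -F'\t' '$2 == "vulnerable" { n++ } END { print n+0 }'
}

# Constructed sample (illustrative values, not captured from a real machine):
# five entries mitigated or not affected, one still reported vulnerable.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: usercopy/swapgs barriers and __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling\n' > "$d/spectre_v2"
    printf 'Mitigation: Speculative Store Bypass disabled via prctl and seccomp\n' > "$d/spec_store_bypass"
    printf 'Not affected\n' > "$d/l1tf"
    printf 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable\n' > "$d/mds"
    echo "$d"
}

# Stand-alone run: report the live guest when sysfs is present, otherwise use the sample.
if [ -d "$SYSFS_VULN_DIR" ]; then
    report_mitigations "$SYSFS_VULN_DIR"
else
    sample=$(make_sample_dir)
    report_mitigations "$sample"
    rm -rf "$sample"
fi
```

Run it as-is inside a guest to see the kernel's report, or `SYSFS_VULN_DIR=/some/dir sh check.sh` against a copied directory. A status that starts with "Vulnerable" even though the cloud provider says its hosts are patched is exactly the situation the talk is about: the guest kernel, its boot parameters, or the CPU features the hypervisor exposes to the VM still decide whether a given mitigation is actually active inside the guest.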
Speakers: Vitaly Kuznetsov