buffer-overwriting-mitigation.dita@ 105145

Last change on this file since 105145 was 105134, checked in by vboxsync, 7 months ago

Docs: bugref:10705. This is a merge commit to introduce doc team's changes in the user manual dita files. The following files
are excluded from this process:

Files whose names satrt with "viso", "vboxmanage", "man_", "vboximg", "vboxheadless", or "user_isomakercmd-man".

And general notes about this merge are as follows:

For now I leave glossentry-*dita file as they are since we use different enclosing dita elements
in hdimagewrites.dita we have <note type="attention"> while doc team's copy has <note type="caution">. Not sure if this is significant.

For now I copy doc team's version over.

I have not modified our UserManual.ditamap file. This will be done in a follow up commit.

The list of commits we have merged are as follows:

r3392: 7.1 new features; add comments to some DITA topics
r3730: VBP-283: Update supported platforms; 7.0 and 7.1
r3980: 7.1: reset menu option; add note
r3992: ARM hosts; add draft topic on limitations; add container topic for ARM-based subtopics
r3993: ARM create new VM wizard: add some dummy topics
r4014: ER 34784410 DOCUMENT THE VIRTUAL MACHINE TASKBAR ICONS: port topic and icon graphics from 7.0 tree
r4026: VBP-378: status bar icons; remove any mention of task bar; ported from 7.0
r4034: Cloning a cloud VM; add draft topic
r4035: Cloning a cloud VM;typo
r4036: Cloning a cloud VM;add xref from intro topic
r4050: Reset operation; add instructions
r4051: Amend comment
r4052: Ditaval markup for images
r4056: Add ditaval markup for images
r4057: Add ditaval markup for images
r4058: Add ditaval markup for images
r4073: UI experience level: add dummy topic
r4075: Subtype: option for VM settings General tab and Create VM wizard
r4094: Cloud VM reset; add to relnotes
r4095: Reset VM; use main Machine menu, rather than right-click menu
r4099: ARM hosts; draft revisions to cover different wizard screens
r4134: Cloud VMs: file manager menu option; add comment
r4214: Settings page, Motherboard tab: Chipset option for Arm VMs; add note
r4306: Terminology checker: clear up Errors; Installation chapter
r4307: Terminology checker: clear up Errors; Config settings/GA chapters
r4308: Terminology checker: clear up Errors; Storage, networking, remote VM chapters
r4311: Terminology checker: clear up Errors: various
r4324: Prefences and settings; potential areas for change in 7.1
r4356: r160214: Monitoring cloud VM performance; add new topic
r4358: r160214: Monitoring cloud VM performance; add new topic
r4364: r160214: Monitoring cloud VM performance; redraft topic
r4374: Experience levels; update user manual topic
r4377: Experience levels; Preferences window: add note re. availability of all possible settings
r4378: Experience levels; Preferences window: add note re. availability of all possible settingsLp
r4379: Typos and add remark re. Global menu changes
r4387: Preferences, Display: some settings introduced post-7.0: font scaling and extended features
r4388: Performance monitoring: add cloud VM instances to intro para
r4389: Experience levels: selecting a level, add graphic of icon
r4391: Resource monitoring; add CLI example to show CPU usage for a cloud instance
r4395: Experience levels; apply to menu items only
r4398: Experience levels; add notes
r4401: Experience levels; remove pics of global tools menu/machine tools menu; number of menu items can vary
r4402: Experience levels; remove image files for global tools menu/machine tools menu
r4525: Experience levels: minor redraft
r4528: Typo
r4538: Experience levels: selected level applies throughout VirtualBox Manager GUI
r4543: GUI topics; add notes for required changes
r4544: VISO Creator changes
r4563: r160714: unattended guest install example; now has user-password option
r4569: Terminology: front end, not front-end
r4570: Arm wizard screens; remove, as Create VM Wizard will be very similar regardless of architecture
r4571: Arm wizard screens; remove, as Create VM Wizard will be very similar regardless of architecture
r4623: Cloud VM monitoring: Compute Instance Monitoring plugin must be enabled; add note
r4625: CPU activity icon; update, now has solid bar
r4626: GUI changes; various, from Serkan; includes new pic for soft keyboard
r4629: separate mode: add some draft topics, will need to get technical review at a later stage
r4634: GUI; various notes and updates
r4655: Typo
r4703: Arm host platform limitations; redraft and add topic to host OS section
r4724: VISO creator; add notes re. ISO import
r4725: Separate mode: edits
r4863: r161176; Python 2.x no longer supported for API
r4899: Arm host support: limitations
r4910: Create VM wizard: settings may vary x86 vs. Arm hosts
r4911: Guest OS support; add note re. supported aarch64 OSes
r4973: r161445: Remove mention of parallel port support
r5004: Cloud VM monitoring: detailed data graphs and Activity Overview
r5038: Cloud VM monitoring: export to file
r5214: r161947: Solaris non-Global zone configuration
r5215: r161947: Solaris non-Global zone configuration; typo
r5230: Glossary: fix title for I/O APIC topic
r5341: Experience levels; can be selected from welcome screen in VirtualBox Manager; need replacement pic
r5345: Experience levels; add note on Welcome screen option
r5346: Arm host limitations; unavailable System settings
r5434: r162377: shared folders; symlinks behaviour
r5565: Cloud VM list in VirtualBox Manager; show mixed VM types; screenshot from Klaus
r5627: Obfuscate UUID data in screen shot
r5628: Delete legacy cloudvm pic; use mixed VMs example
r5654: Clean up comments in source files; redraft VM activity section
r5672: 7.1 changes; add comments
r5683: 7.1 changes; add comments for Arm topics
r5687: 7.1 changes; GUI; add comments
r5703: Oracle notices; include up to date versions in preface-* topics for User Guide
r5707: r162904: Windows install directory requirements; redraft
r5781: updated GNU version from 2 to 3 as per r163272
r5812: started removal of screenshots and updating tasks VBP-807
r5818: Further updates to creating a VM VBP-807
r5822: Restructured topics and made task based VBP-807
r5824: Removed files during restructure VBP-807
r5834: Fixed formatting of note and caution VBP-807
r5836: Updated supported host OS list VBP-825
r5837: updated USB topics for VBP-823
r5842: changes as per legal request re supported guests VBP-843
r5853: Updated versions following review. VBP-825

Property svn:eol-style set to native
Property svn:keywords set to Author Date Id Revision

File size: 2.6 KB

Line
1	<?xml version='1.0' encoding='UTF-8'?>
2	<!DOCTYPE topic PUBLIC "-//OASIS//DTD DITA Topic//EN" "topic.dtd">
3	<topic xml:lang="en-us" id="buffer-overwriting-mitigation">
4	<title>Buffer Overwriting and Disabling Hyper-Threading</title>
5
6	<body>
7	<p> First, up-to-date CPU microcode is a prerequisite for the buffer overwriting (clearing)
8	mitigations. Some host OSes may install these automatically, though it has traditionally been
9	a task best performed by the system firmware. Please check with your system or mainboard
10	manufacturer for the latest firmware update. </p>
11	<p>
12	This mitigation aims at removing potentially sensitive data
13	from the affected buffers before running guest code. Since
14	this means additional work each time the guest is scheduled,
15	there might be some performance side effects.
16	</p>
17	<p>
18	We recommend disabling hyper-threading (HT) on hosts affected
19	by CVE-2018-12126 and CVE-2018-12127, because the affected
20	sets of buffers are normally shared between thread pairs and
21	therefore cause leaks between the threads. This is
22	traditionally done from the firmware setup, but some OSes also
23	offers ways disable HT. In some cases it may be disabled by
24	default, but please verify as the effectiveness of the
25	mitigation depends on it.
26	</p>
27	<p>
28	The default action taken by <ph conkeyref="vbox-conkeyref-phrases/product-name"/> is to clear the
29	affected buffers when a thread is scheduled to execute guest
30	code, rather than on each VM entry. This reduces the
31	performance impact, while making the assumption that the host
32	OS will not handle security sensitive data from interrupt
33	handlers and similar without taking precautions.
34	</p>
35	<p>
36	The <userinput>VBoxManage modifyvm</userinput> command provides a
37	more aggressive flushing option is provided by means of the
38	<codeph>--mds-clear-on-vm-entry</codeph> option. When enabled
39	the affected buffers will be cleared on every VM entry. The
40	performance impact is greater than with the default option,
41	though this of course depends on the workload. Workloads
42	producing a lot of VM exits (like networking, VGA access, and
43	similiar) will probably be most impacted.
44	</p>
45	<p>
46	For users not concerned by this security issue, the default
47	mitigation can be disabled using the <userinput>VBoxManage
48	modifyvm name --mds-clear-on-sched off</userinput> command.
49	</p>
50	</body>
51
52	</topic>

Note: See TracBrowser for help on using the repository browser.

Download in other formats:

Original Format