[Qemu-devel] [qemu-web PATCH] improved phrasing regarding Meltdown and live migration

[Paolo Bonzini]

---
 _posts/2018-01-04-spectre.md | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/_posts/2018-01-04-spectre.md b/_posts/2018-01-04-spectre.md
index 5bbc7ed..ca11324 100644
--- a/_posts/2018-01-04-spectre.md
+++ b/_posts/2018-01-04-spectre.md
@@ -13,11 +13,13 @@ named _Meltdown_ and _Spectre_, affect in one way or 
another almost
 all processors that perform out-of-order execution, including x86 (from
 Intel and AMD), POWER, s390 and ARM processors.
 
-No microcode updates are required to block the _Meltdown_ attack; it is
-enough to update the guest operating system to a version that separates
-the user and kernel address spaces (known as _page table isolation_ for
-the Linux kernel).  Therefore, this post will focus on _Spectre_, and
-especially on 
[CVE-2017-5715](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715).
+No microcode updates are required to block the _Meltdown_ attack.  In
+addition, the _Meltdown_ flaw does not allow a malicious guest to read the
+contents of hypervisor memory.  Fixing it only requires that the operating
+system separates the user and kernel address spaces (known as _page table
+isolation_ for the Linux kernel), which can be done separately on the host
+and the guests.  Therefore, this post will focus on _Spectre_, and especially
+on 
[CVE-2017-5715](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715).
 
 Fixing or mitigating _Spectre_ in general, and CVE-2017-5715 in particular,
 requires cooperation between the processor and the operating system kernel or
@@ -52,9 +54,10 @@ host from malicious guests__.  Nevertheless, updates will be 
posted to the
 qemu-devel mailing list in the next few days, and a 2.11.1 patch release
 will be released with the fix.
 
-Once updates are provided, __live migration will not be enough to protect
-guest kernel from guest userspace__.  Because the virtual CPU has to be
-changed to one with the new CPUID bits, the guest will have to be restarted.
+Once updates are provided, __live migration to an updated version of
+QEMU will not be enough to protect guest kernel from guest userspace__.
+Because the virtual CPU has to be changed to one with the new CPUID bits,
+the guest will have to be restarted.
 
 As of today, the QEMU project is not aware of whether similar changes will
 be required for non-x86 processors.  If so, they will also posted to the
@@ -67,4 +70,5 @@ 
Zero](https://googleprojectzero.blogspot.it/2018/01/reading-privileged-memory-wi
 posts on the topic, as well as the [Spectre and Meltdown 
FAQ](https://meltdownattack.com/#faq).
 
 __5 Jan 2018__: clarified the level of protection provided by the host kernel
-update; added a note on live migration.
+update; added a note on live migration; clarified the impact of Meltdown on
+virtualization hosts
-- 
2.14.3