top | item 46445471

(no title)

boulos | 2 months ago

Disclosure: I used to work on GCE.

Nice write up and very clever work. I'm surprised by the AWS response that you linked to though (https://aws.amazon.com/blogs/security/ec2-defenses-against-l...).

While I was sure they'd note that Nitro doesn't have this vulnerability due to its design, it seems weird not to talk about Firecracker and Lambda and so on. Maybe those are always on Cascadelake+ hardware? (I also haven't followed this space for 5 years, so maybe I'm asking the wrong question)

discuss

thijsr|2 months ago

We've only verified EC2 during our research, but you do make a good point here. Nitro wasn't vulnerable. Firecracker might have been, considering that it is also built on top of KVM. Firecracker was not specifically designed to also defend against hardware vulnerabilities [1], so I don't see an immediate reason why it wouldn't have worked.

We had to limit the scope of the project somewhere unfortunately, but it would have been nice to check Firecracker and Lambda as well.

[1] https://github.com/firecracker-microvm/firecracker/blob/main...