Kvm Disabled for Security

     Tekexplore has published an exploit that uses a hardware fault in Intel processors in combination with kvm, a daemon that finds memory pages with the same content on multiple virtual machines and merges them into one to save memory on the host machine marking that page copy on write so that in theory when it is written a copy is made and the original left alone so it doesn’t affect other virtual machines sharing that page.

     Apparently it is possible to alter a single bit in a page and not trip the copy on write and by altering just a single bit in ssh keys, it is possible to weaken ssh considerably allowing it to be compromised.

     I have turned off kvm on our machines.  It is of limited use in our environment because our servers are not overcommitted and thus the only thing freed up shared pages does is provide more memory for disk caching.  I monitored the logs for some time and found that this was infrequent and so we were getting little performance benefit.