On 01/18/2018 11:48 AM, Kevin Stange wrote:
> Hi,
> I am very sorry to do this on short notice, but obviously Meltdown and Spectre are a lot more than anyone was really expecting to come down the pipeline. Xen 4.4 has been EOL upstream for about a year now and I have personally been reviewing and backporting patches based on the 4.5 versions made available upstream.
> Given that 4.5 is now also reaching EOL, backporting to 4.4 will become harder and I've already taken steps to vacate 4.4 in my own environment ASAP. Spectre and Meltdown patches most likely will only officially reach 4.6 and are very complicated. Ultimately, I don't think this is a constructive use of my time. Therefore, I will NOT be continuing to provide updated Xen 4.4 builds any longer through CentOS Virt SIG. If someone else would like to take on the job, you're welcome to try. Pop by #centos-virt on Freenode to talk to us there if you're interested.
> For short term mitigation of the Meltdown issue on 4.4 with PV domains, your best bet is probably to use the "Vixen" shim solution, which George has put into the xen-44 package repository per his email from two days ago. Vixen allows you to run PV domains inside HVM guest containers. It does not protect the guest from itself, but protects the domains from each other. Long term, your best bet is to try to get up to a new version of Xen that is under upstream security support, probably 4.8.
Apparently I failed to do proper due diligence before making this recommendation. The Xen 4.4 repo does not have a Vixen build because of a dependency upon grub2, which isn't available under CentOS 6. Your best bet would be to use Vixen for PV domains, so if you think that's something you want to do, we need some volunteers to help with packaging and testing. Otherwise, use HVM domains or upgrade to a newer version of Xen. Sorry for this error on my part.