Hi,
I am very sorry to do this on short notice, but obviously Meltdown and Spectre are a lot more than anyone was really expecting to come down the pipeline. Xen 4.4 has been EOL upstream for about a year now and I have personally been reviewing and backporting patches based on the 4.5 versions made available upstream.
Given that 4.5 is now also reaching EOL, backporting to 4.4 will become harder and I've already taken steps to vacate 4.4 in my own environment ASAP. Spectre and Meltdown patches most likely will only officially reach 4.6 and are very complicated. Ultimately, I don't think this is a constructive use of my time. Therefore, I will NOT be continuing to provide updated Xen 4.4 builds any longer through CentOS Virt SIG. If someone else would like to take on the job, you're welcome to try. Pop by #centos-virt on Freenode to talk to us there if you're interested.
For short term mitigation of the Meltdown issue on 4.4 with PV domains, your best bet is probably to use the "Vixen" shim solution, which George has put into the xen-44 package repository per his email from two days ago. Vixen allows you to run PV domains inside HVM guest containers. It does not protect the guest from itself, but protects the domains from each other. Long term, your best bet is to try to get up to a new version of Xen that is under upstream security support, probably 4.8.
On 01/18/2018 11:48 AM, Kevin Stange wrote:
[...]
Apparently I failed to do proper due diligence before making this recommendation. The Xen 4.4 repo does not have a Vixen build because of a dependency upon grub2, which isn't available under CentOS 6. Your best bet would be to use Vixen for PV domains, so if you think that's something you want to do, we need some volunteers to help with packaging and testing. Otherwise, use HVM domains or upgrade to a newer version of Xen. Sorry for this error on my part.
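The advice above (move PV guests into HVM or a shim, or upgrade the hypervisor) starts with knowing which guests on a host are still plain PV. The following is an added example, not code from the thread or from the Xen or CentOS projects. It assumes the JSON layout that `xl list -l` emits (a list of objects with `domid` and `config`, where `config["c_info"]["type"]` is `pv` or `hvm`); the sample input is constructed, not captured from a real host, and the `live_inventory` helper is only useful on a machine that actually has `xl`.

```python
"""Inventory Xen guests by virtualization mode from `xl list -l` JSON.

Added example (not from the mailing-list thread). Assumes the `xl list -l`
JSON layout: a list of {"domid": N, "config": {"c_info": {"type": ..., "name": ...}}}.
The SAMPLE_XL_LIST below is constructed for illustration.
"""
import json
import subprocess

# Constructed sample of `xl list -l` output (assumed layout, not a real capture).
SAMPLE_XL_LIST = json.dumps([
    {"domid": 0, "config": {"c_info": {"type": "pv", "name": "Domain-0"}}},
    {"domid": 3, "config": {"c_info": {"type": "pv", "name": "web01"}}},
    {"domid": 5, "config": {"c_info": {"type": "hvm", "name": "win-build"}}},
    {"domid": 7, "config": {"c_info": {"type": "pv", "name": "db01"}}},
    {"domid": 9, "config": {"c_info": {"name": "legacy"}}},   # no "type" field
])


def classify_domains(xl_list_json):
    """Return {"pv": [...], "hvm": [...], "unknown": [...]} of (domid, name) tuples.

    Dom0 is skipped: it is the control domain, not a guest you would convert.
    Entries with a missing or unrecognised type land in "unknown" so they are
    not silently treated as safe.
    """
    buckets = {"pv": [], "hvm": [], "unknown": []}
    for entry in json.loads(xl_list_json):
        domid = entry.get("domid")
        c_info = entry.get("config", {}).get("c_info", {})
        kind = str(c_info.get("type", "")).lower()
        name = c_info.get("name", "?")
        if domid == 0:
            continue
        if kind not in buckets:
            kind = "unknown"
        buckets[kind].append((domid, name))
    return buckets


def exposure_report(buckets):
    """Summarise which guests still need attention on an unpatched 4.4 host.

    64-bit PV guests run with the hypervisor mapped into their address space,
    which is what Meltdown reads across, so PV (and unknown) guests are the
    ones to move to HVM or a shim first.
    """
    return {
        "needs_action": sorted(buckets["pv"] + buckets["unknown"]),
        "pv_count": len(buckets["pv"]),
        "hvm_count": len(buckets["hvm"]),
    }


def live_inventory():
    """Run `xl list -l` on the current host (raises if xl is not installed)."""
    out = subprocess.check_output(["xl", "list", "-l"])
    return exposure_report(classify_domains(out))


if __name__ == "__main__":
    report = exposure_report(classify_domains(SAMPLE_XL_LIST))
    for domid, name in report["needs_action"]:
        print(f"domid {domid} ({name}): PV/unknown -> convert to HVM or shim")
    print(f"{report['pv_count']} PV guest(s), {report['hvm_count']} HVM guest(s)")
```

Run it as-is to see the report for the constructed sample; on a real host call `live_inventory()` instead. Guests whose type cannot be determined are deliberately reported alongside PV guests rather than dropped.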
On 01/18/2018 09:56 AM, Kevin Stange wrote:
[...]
We have a SPEC file available for grub2: https://github.com/prgmrcom/grub2 (you will need EPEL installed).
On 01/18/2018 02:29 PM, Sarah Newman wrote:
[...]
Kevin was nice enough to maintain xen-4.4 for a while after the EOL.
If there is anyone who wants to maintain the xen-4.4 tree then they are welcome to do the work and I would be happy to push the updates.
If someone is interested in maintaining the tree ... you need to read and understand the README here:
https://github.com/hughesjr/xen/tree/xen-44
The Xen patchqueue and stg info is there as well.
Anyone want to maintain the xen-44 tree for c6?
There do seem to be a couple of people maintaining / backporting patches now (openSUSE and Oracle seem to be). If you get onto the Xen security mailing list (if you are not already on it), you can work with those two and maybe others to maintain the xen-44 tree.
If not, we will move the xen-4.4 tree to vault at the next point release time (CentOS 6.10), or maybe sooner.
Thanks, Johnny Hughes
On Thu, Jan 18, 2018 at 11:48:35AM -0600, Kevin Stange wrote:
[...]
The Oracle VM 3.4 product is based on Xen 4.4, and they seem to have backported the fixes already.
It looks like those src.rpms have {CVE-2017-5753} {CVE-2017-5715} {CVE-2017-5754} fixes included.
https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/thread.html https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000816.html https://oss.oracle.com/pipermail/oraclevm-errata/2018-January/000817.html
http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/xen-4.4.4-155.0.12.e... http://oss.oracle.com/oraclevm/server/3.4/SRPMS-updates/xen-4.4.4-105.0.30.e...
-- Pasi
-- Kevin Stange Chief Technology Officer Steadfast | Managed Infrastructure, Datacenter and Cloud Services 800 S Wells, Suite 190 | Chicago, IL 60607 312.602.2689 X203 | Fax: 312.602.2688 kevin@steadfast.net | www.steadfast.net
On 01/19/2018 06:17 AM, Pasi Kärkkäinen wrote:
[...]
That's impressive but dubious as Xen has not released any fixes for CVE-2017-5753 or CVE-2017-5715 even for 4.10 yet.
On 19/01/18 17:58, Kevin Stange wrote:
[...]
It's not that dubious, since it's mainly Konrad Wilk and Boris Ostrovsky that have been doing most of that :)
OracleVM also has a grub2 backport although I haven't really looked at that.
jch
On Fri, Jan 19, 2018 at 12:17 PM, Pasi Kärkkäinen pasik@iki.fi wrote:
[...]
Example patch description:
x86/cpuid: Offer Indirect Branch Controls to guests (Andrew Cooper) [Orabug: 27344753] {CVE-2017-5753} {CVE-2017-5715} {CVE-2017-5754}
That patch, however, only has to do with 5715, not 5753 or 5754. It looks like it's tagged with "Orabug xxx", which covers all three variants, so their system automatically tags it with all three CVEs.
It looks like they've taken an early version of the SP2 mitigation (which has been posted publicly), cleaned it up, and backported it (along with prerequisites). Official patches are still in progress.
-George