[CentOS-virt] CentOS-virt - Kernel Side-Channel Attacks

Johnny Hughes johnny at centos.org
Sat Jan 6 10:09:12 UTC 2018


On 01/05/2018 06:33 AM, George Dunlap wrote:
> On Thu, Jan 4, 2018 at 7:12 PM, Sarah Newman <srn at prgmr.com> wrote:
>> On 01/04/2018 10:49 AM, Akemi Yagi wrote:
>>> On Thu, Jan 4, 2018 at 9:51 AM, <rikske at deds.nl> wrote:
>>>
>>>> Please patch the CentOS-virt Kernel to fix the
>>>> Kernel Side-Channel Attacks vulnerabilities.
>>>>
>>>> The latest CentOS-virt kernel was released in November, as seen below.
>>>>
>>>> kernel-4.9.63-29.el7.x86_64.rpm 2017-11-21 13:30
>>>>
>>>> https://access.redhat.com/security/vulnerabilities/speculativeexecution
>>>> http://mirror.centos.org/centos/7/virt/x86_64/xen/
>>>>
>>>
>>> As far as I can see, the patches for KAISER (Kernel Address
>>> Isolation to have Side-channels Efficiently Removed) will appear in
>>> kernel 4.9.75. Looks like it will be released soon upstream (kernel.org).
>>>
>>
>> To my best knowledge KAISER doesn't matter for Xen Dom0's given they run in PV mode, and KAISER isn't enabled for PV guests.
> 
> But it will be important if anyone is running the CentOS kernel in
> their HVM domUs (as guest kernels can be attacked using SP3 by guest
> user space without the KPTI patches).
> 
> I'm sure Johnny will get to it as soon as he has the opportunity.

I have just pushed the 4.9.75-29.el7 and 4.9.75-30.el6 kernels to the
testing repositories.


https://buildlogs.centos.org/centos/7/virt/x86_64/xen/

and

https://buildlogs.centos.org/centos/6/virt/x86_64/xen/

xen, xen-44, xen-46, xen-48 repos should all get the rpms (not just xen)
.. el6 has yet to post there, but it is tagged and should show up in a
couple hours.  The kernel is already there in the el7 trees.

We need lots of testing .. the configuration name is now:

CONFIG_PAGE_TABLE_ISOLATION=y

(instead of CONFIG_KAISER)

Please test these kernels so we can release them .. it boots for me as a
Dom0 kernel and I can start PVHVM and HVM CentOS DomU machines .. which
is how I test before I move the kernels to the testing repos.
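
For anyone testing these builds, a shell check of which of the two option names an installed kernel's build config carries. This is an added example, not part of the original message; it assumes the kernel package installs its config as /boot/config-<version>, and the function names are hypothetical.

```shell
#!/bin/sh
# pti_config_state FILE  (hypothetical helper, not from the CentOS packages)
# Print which page-table-isolation option a kernel build config enables:
#   pti     CONFIG_PAGE_TABLE_ISOLATION=y  (the name used by the 4.9.75 builds)
#   kaiser  CONFIG_KAISER=y                (the earlier name)
#   none    neither option is set to y
# Prints "unreadable" and returns 2 if FILE cannot be read.
pti_config_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo unreadable; return 2; }
    # Match the whole line so "# CONFIG_... is not set" never counts as enabled.
    if grep -q '^CONFIG_PAGE_TABLE_ISOLATION=y$' "$cfg"; then
        echo pti
    elif grep -q '^CONFIG_KAISER=y$' "$cfg"; then
        echo kaiser
    else
        echo none
    fi
}

# pti_report [BOOTDIR]
# List every kernel config under BOOTDIR (assumed default: /boot) with its
# state, and mark the kernel that is currently running.
pti_report() {
    bootdir=${1:-/boot}
    running=$(uname -r)
    for cfg in "$bootdir"/config-*; do
        [ -e "$cfg" ] || continue          # glob matched nothing
        ver=${cfg##*/config-}
        state=$(pti_config_state "$cfg") || true
        mark=""
        [ "$ver" = "$running" ] && mark=" (running)"
        echo "$ver: $state$mark"
    done
}

pti_report "$@"
```

This reports what the kernel was built with, not whether isolation is active at runtime; as noted earlier in the thread, it is not enabled for PV guests.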

