[CentOS-virt] Xen 4.4 Immediate EOL

Fri Jan 19 18:39:54 UTC 2018
George Dunlap <dunlapg at umich.edu>

On Fri, Jan 19, 2018 at 12:17 PM, Pasi Kärkkäinen <pasik at iki.fi> wrote:
> On Thu, Jan 18, 2018 at 11:48:35AM -0600, Kevin Stange wrote:
>> Hi,
>>
>
> Hi,
>
>> I am very sorry to do this on short notice, but obviously Meltdown and
>> Spectre are a lot more than anyone was really expecting to come down the
>> pipeline.  Xen 4.4 has been EOL upstream for about a year now and I have
>> personally been reviewing and backporting patches based on the 4.5
>> versions made available upstream.
>>
>> Given that 4.5 is now also reaching EOL, backporting to 4.4 will become
>> harder and I've already taken steps to vacate 4.4 in my own environment
>> ASAP.  Spectre and Meltdown patches most likely will only officially
>> reach 4.6 and are very complicated.  Ultimately, I don't think this is a
>> constructive use of my time.  Therefore, I will NOT be continuing to
>> provide updated Xen 4.4 builds any longer through CentOS Virt SIG.  If
>> someone else would like to take on the job, you're welcome to try.  Pop
>> by #centos-virt on Freenode to talk to us there if you're interested.
>>
>> For short term mitigation of the Meltdown issue on 4.4 with PV domains,
>> your best bet is probably to use the "Vixen" shim solution, which George
>> has put into the xen-44 package repository per his email from two days
>> ago. Vixen allows you to run PV domains inside HVM guest containers.  It
>> does not protect the guest from itself, but protects the domains from
>> each other.  Long term, your best bet is to try to get up to a new
>> version of Xen that is under upstream security support, probably 4.8.
>>
>
> The Oracle VM 3.4 product is based on Xen 4.4, and they seem to have backported the fixes already.
>
> It looks like those src.rpms have {CVE-2017-5753} {CVE-2017-5715} {CVE-2017-5754} fixes included.

Example patch description:

x86/cpuid: Offer Indirect Branch Controls to guests (Andrew Cooper)
[Orabug: 27344753]  {CVE-2017-5753} {CVE-2017-5715} {CVE-2017-5754}

That patch, however, only has to do with 5715, not 5753 or 5754.  It
looks like it's tagged with "Orabug xxx", which covers all three
variants, so their system automatically tags it with all three CVEs.

It looks like they've taken an early version of the SP2 mitigation
(which has been posted publicly), cleaned it up, and backported it
(along with prerequisites).  Official patches are still in progress.

 -George