[CentOS-virt] Xen 4.4 Immediate EOL

Thu Jan 18 17:48:35 UTC 2018
Kevin Stange <kevin at steadfast.net>

Hi,

I am very sorry to do this on short notice, but obviously Meltdown and
Spectre are a lot more than anyone was really expecting to come down the
pipeline.  Xen 4.4 has been EOL upstream for about a year now and I have
personally been reviewing and backporting patches based on the 4.5
versions made available upstream.

Given that 4.5 is now also reaching EOL, backporting to 4.4 will become
harder and I've already taken steps to vacate 4.4 in my own environment
ASAP.  Spectre and Meltdown patches most likely will only officially
reach 4.6 and are very complicated.  Ultimately, I don't think this is a
constructive use of my time.  Therefore, I will NOT be continuing to
provide updated Xen 4.4 builds any longer through CentOS Virt SIG.  If
someone else would like to take on the job, you're welcome to try.  Pop
by #centos-virt on Freenode to talk to us there if you're interested.

For short term mitigation of the Meltdown issue on 4.4 with PV domains,
your best bet is probably to use the "Vixen" shim solution, which George
has put into the xen-44 package repository per his email from two days
ago. Vixen allows you to run PV domains inside HVM guest containers.  It
does not protect the guest from itself, but protects the domains from
each other.  Long term, your best bet is to try to get up to a new
version of Xen that is under upstream security support, probably 4.8.

-- 
Kevin Stange
Chief Technology Officer
Steadfast | Managed Infrastructure, Datacenter and Cloud Services
800 S Wells, Suite 190 | Chicago, IL 60607
312.602.2689 X203 | Fax: 312.602.2688
kevin at steadfast.net | www.steadfast.net