4.9.75-30 works in my dev environment for CentOS 6.

[root@devhost1 ~]# uname -a
Linux devhost1.servers.provps.com 4.9.75-30.el6.x86_64 #1 SMP Fri Jan 5 20:58:49 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

--
Shaun Reitan
NDCHost.com

------ Original Message ------
From: "Johnny Hughes" <johnny at centos.org>
To: centos-virt at centos.org
Sent: 2018-01-06 02:09:12 AM
Subject: Re: [CentOS-virt] CentOS-virt - Kernel Side-Channel Attacks

>On 01/05/2018 06:33 AM, George Dunlap wrote:
>>On Thu, Jan 4, 2018 at 7:12 PM, Sarah Newman <srn at prgmr.com> wrote:
>>>On 01/04/2018 10:49 AM, Akemi Yagi wrote:
>>>>On Thu, Jan 4, 2018 at 9:51 AM, <rikske at deds.nl> wrote:
>>>>
>>>>>Please patch the CentOS-virt Kernel to fix the
>>>>>Kernel Side-Channel Attacks vulnerabilities.
>>>>>
>>>>>The latest CentOS-virt kernel was released in November, as seen
>>>>>below.
>>>>>
>>>>>kernel-4.9.63-29.el7.x86_64.rpm 2017-11-21 13:30
>>>>>
>>>>>https://access.redhat.com/security/vulnerabilities/speculativeexecution
>>>>>http://mirror.centos.org/centos/7/virt/x86_64/xen/
>>>>>
>>>>
>>>>As far as I can see, the patches for KAISER (Kernel Address
>>>>Isolation to have Side-channels Efficiently Removed) will appear in
>>>>kernel 4.9.75. Looks like it will be released soon upstream
>>>>(kernel.org).
>>>>
>>>
>>>To my best knowledge KAISER doesn't matter for Xen Dom0's given they
>>>run in PV mode, and KAISER isn't enabled for PV guests.
>>
>>But it will be important if anyone is running the CentOS kernel in
>>their HVM domUs (as guest kernels can be attacked using SP3 by guest
>>user space without the KPTI patches).
>>
>>I'm sure Johnny will get to it as soon as he has the opportunity.
>
>I have just pushed the 4.9.75-29.el7 and 4.9.75-30.el6 kernels to the
>testing repositories.
>
>https://buildlogs.centos.org/centos/7/virt/x86_64/xen/
>
>and
>
>https://buildlogs.centos.org/centos/6/virt/x86_64/xen/
>
>xen, xen-44, xen-46, xen-48 repos should all get the rpms (not just
>xen) .. el6 has yet to post there, but it is tagged and should show
>up in a couple hours. The kernel is already there in the el7 trees.
>
>We need lots of testing .. the configuration name is now:
>
>CONFIG_PAGE_TABLE_ISOLATION=y
>
>(instead of CONFIG_KAISER)
>
>Please test these kernels so we can release them .. it boots for me as
>a Dom0 kernel and I can start PVHVM and HVM CentOS DomU machines ..
>which is how I test before I move the kernels to the testing repos.