[CentOS-virt] CentOS-virt - Kernel Side-Channel Attacks

Mon Jan 8 19:37:37 UTC 2018
Shaun Reitan <shaun.reitan at ndchost.com>

4.9.75-30 works in my dev environment for CentOS 6.

[root at devhost1 ~]# uname -a
Linux devhost1.servers.provps.com 4.9.75-30.el6.x86_64 #1 SMP Fri Jan 5 
20:58:49 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux


--
Shaun Reitan
NDCHost.com

------ Original Message ------
From: "Johnny Hughes" <johnny at centos.org>
To: centos-virt at centos.org
Sent: 2018-01-06 02:09:12 AM
Subject: Re: [CentOS-virt] CentOS-virt - Kernel Side-Channel Attacks

>On 01/05/2018 06:33 AM, George Dunlap wrote:
>>On Thu, Jan 4, 2018 at 7:12 PM, Sarah Newman <srn at prgmr.com> wrote:
>>>On 01/04/2018 10:49 AM, Akemi Yagi wrote:
>>>>On Thu, Jan 4, 2018 at 9:51 AM, <rikske at deds.nl> wrote:
>>>>
>>>>>Please patch the CentOS-virt Kernel to fix the
>>>>>Kernel Side-Channel Attacks vulnerabilities.
>>>>>
>>>>>The latest CentOS-virt kernel was released in November, as seen 
>>>>>below.
>>>>>
>>>>>kernel-4.9.63-29.el7.x86_64.rpm 2017-11-21 13:30
>>>>>
>>>>>https://access.redhat.com/security/vulnerabilities/speculativeexecution
>>>>>http://mirror.centos.org/centos/7/virt/x86_64/xen/
>>>>>
>>>>
>>>>As far as I can see, the patches for
>>>>KAISER (Kernel Address
>>>>Isolation to have Side-channels Efficiently Removed) will appear in
>>>>kernel 4.9.75. Looks like it will be released soon upstream 
>>>>(kernel.org).
>>>>
>>>
>>>To my best knowledge KAISER doesn't matter for Xen Dom0's given they 
>>>run in PV mode, and KAISER isn't enabled for PV guests.
>>
>>But it will be important if anyone is running the CentOS kernel in
>>their HVM domUs (as guest kernels can be attacked using SP3 by guest
>>user space without the KPTI patches).
>>
>>I'm sure Johnny will get to it as soon as he has the opportunity.
>
>I have just pushed the 4.9.75-29.el7 and 4.9.75-30.el6 kernels to the
>testing repositories.
>
>
>https://buildlogs.centos.org/centos/7/virt/x86_64/xen/
>
>and
>
>https://buildlogs.centos.org/centos/6/virt/x86_64/xen/
>
>xen, xen-44, xen-46, xen-48 repos should all get the rpms (not just 
>xen)
>.. el6 has yet to post there, but it is tagged and should show up in a
>couple hours. The kernel is already there in the el7 trees.
>
>We need lots of testing .. the configuration name is now:
>
>CONFIG_PAGE_TABLE_ISOLATION=y
>
>(instead of CONFIG_KAISER)
>
>Please test these kernels so we can release them .. it boots for me as 
>a
>Dom0 kernel and I can start PVHVM and HVM CentOS DomU machines .. which
>is how I test before I move the kernels to the testing repos.
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/centos-virt/attachments/20180108/a230d404/attachment-0006.html>