On Thu, 2018-10-25 at 11:32 +0200, Peter Dreuw wrote:
> On 25.10.18 at 10:08, Peter Dreuw wrote:
> > On 24.10.18 at 20:34, Antoine Beaupré wrote:
> > > > I am not sure if this can be done with Xen 4.4 - at least not to a level
> > > > of a 100% solution. Looking into the upstream code for e.g. 4.6 there
> > > > are many changes that would need to be considered. I am thinking of
> > > > this, currently, yes. The same goes for
> > > >
> > > > XSA 263 / CVE-2018-3639
> > > > XSA 267 / CVE-2018-3665
> > > > XSA 273 / CVE-2018-3620, CVE-2018-3646
> > > >
> > > > The upstream fixes for these XSAs rely on the XSA 254 work already done.
> > > > So getting XSA 263/267/273 fixed would need to adapt much of the work
> > > > done for XSA 254.
> > >
> > > Right. It's a huge challenge and sensitive if not confusing code.
> >
> > Yes, it is. I think it will be doable but I have no real idea how much
> > time this would consume.
>
> Maybe one point to make it clear, though it might be obvious to most of you:
>
> We can apply fixes to the original Xen 4.4 version and have done
> everything possible - without a fixed kernel, there is no mitigation of
> Spectre/Meltdown.

By "kernel", do you mean the Xen kernel or the guest kernel?

The Linux kernel in jessie does have mitigations for Meltdown (amd64
only), Spectre variants 1 and 2, and several other speculation issues.
The non-free section for jessie also has the new microcode for Intel
processors.

> The same applies to any other virtualization solution.
> So people have to work with a more recent kernel or live with unfixed
> Spectre/Meltdown issues. If you are using a backports kernel, you might
> be willing to use a backports Xen package, too.

The backports suites aren't supported during the LTS period. So if we
provide a newer Xen for jessie it will need to be as an additional
source package, and that must not build any binary packages that are
built from the "xen" source package.

I did this for the Linux kernel by adding the "linux-4.9" source package.

Ben.

> From my perspective, looking into these fixes for 4.4 is more future
> oriented ;) There are already some fixes for more recent XSAs like XSA
> 263, 267 and 273, which partly depend on the code introduced with the
> various XSA 254 fixes.

-- 
Ben Hutchings
The obvious mathematical breakthrough [to break modern encryption] would be
development of an easy way to factor large prime numbers. - Bill Gates
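The point in dispute above is whether the guest kernel, rather than the Xen hypervisor, carries the Spectre/Meltdown mitigations. The following script is an added example, not part of the thread and not Debian or Xen code: it reads the per-vulnerability status files that Linux exposes under /sys/devices/system/cpu/vulnerabilities/ (assumed to be present on the guest kernel; kernels without that interface simply lack the directory, which the script reports rather than treating as "mitigated") and classifies each entry. The sample directory it builds with constructed values stands in for a real guest so the script runs offline; point it at the real sysfs path on a jessie guest to see what that kernel actually reports.

```shell
#!/bin/sh
# Added example: summarise the speculation-mitigation state a guest kernel
# reports through sysfs. Assumption: the kernel exposes
# /sys/devices/system/cpu/vulnerabilities/<name> files whose first word is
# "Mitigation:", "Vulnerable" or "Not affected" (the upstream format).

# spec_status DIR
#   Prints NAME<TAB>STATE for every file in DIR, where STATE is one of
#   mitigated, vulnerable, not-affected, unknown. Returns 2 when DIR is
#   missing, i.e. the running kernel predates the interface.
spec_status() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "no vulnerability sysfs interface under $dir (kernel too old?)" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        value=$(cat "$f")
        case $value in
            "Not affected")  state=not-affected ;;
            Mitigation:*)    state=mitigated ;;
            Vulnerable*)     state=vulnerable ;;
            *)               state=unknown ;;
        esac
        printf '%s\t%s\n' "$name" "$state"
    done
}

# count_vulnerable DIR
#   Number of entries the kernel still reports as Vulnerable.
count_vulnerable() {
    spec_status "$1" | awk -F'\t' '$2 == "vulnerable" { n++ } END { print n + 0 }'
}

# make_sample_dir
#   Builds a constructed stand-in for the sysfs directory so the script can
#   be exercised offline. The values are made up for this example; a real
#   guest may report different strings. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n'                              > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n'      > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline, IBPB\n'     > "$d/spectre_v2"
    printf 'Vulnerable\n'                                   > "$d/spec_store_bypass"
    printf 'Mitigation: PTE Inversion\n'                    > "$d/l1tf"
    echo "$d"
}

# main [DIR]
#   With no argument, runs against the constructed sample; otherwise
#   against DIR, e.g. /sys/devices/system/cpu/vulnerabilities on a guest.
main() {
    dir=${1:-$(make_sample_dir)}
    spec_status "$dir" || return $?
    echo "entries still vulnerable: $(count_vulnerable "$dir")"
}

main "$@"
```

On a real guest run it as `sh spec_status.sh /sys/devices/system/cpu/vulnerabilities`; an exit status of 2 means the guest kernel does not expose the interface at all, which is a different finding from a kernel that reports every entry as mitigated. Whether the Intel microcode Ben mentions is installed is a separate check on the dom0 or host (`dpkg -s intel-microcode`), since the guest cannot load microcode itself.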