
Re: Xen 4.4 updates - request for feedback



On Thu, 2018-10-25 at 11:32 +0200, Peter Dreuw wrote:
> Am 25.10.18 um 10:08 schrieb Peter Dreuw:
> > Am 24.10.18 um 20:34 schrieb Antoine Beaupré:
> > > > I am not sure if this can be done with Xen 4.4 - at least not to a level
> > > > of a 100% solution. Looking into the upstream code for e.g. 4.6 there
> > > > are many changes that would need to be considered. I am thinking of
> > > > this, currently, yes. The same goes to
> > > > 
> > > > 
> > > > XSA 263 / CVE-2018-3639
> > > > 
> > > > XSA 267 / CVE-2018-3665
> > > > 
> > > > XSA 273 / CVE-2018-3620,CVE-2018-3646
> > > > 
> > > > The upstream fixes for these XSA rely on the XSA 254 work already done. 
> > > > So getting xsa 263/267/273 fixed would need to adapt much of the work
> > > > done for xsa 254.
> > > Right. It's a huge challenge and sensitive if not confusing code.
> > Yes, it is. I think it will be doable, but I have no real idea how much
> > time this would consume.
> 
> May I make one point clear, though it might be obvious to most of you:
> 
> We can apply fixes to the original Xen 4.4 version and have done
> everything possible - without a fixed kernel, there is no mitigation of
> spectre/meltdown.

By "kernel", do you mean the Xen kernel or the guest kernel?  The Linux
kernel in jessie does have mitigations for Meltdown (amd64 only),
Spectre variants 1 and 2, and several other speculation issues.

The non-free section for jessie also has the new microcode for Intel
processors.

> The same applies to any other virtualization solution.
> So people have to work with a more recent Kernel or live with unfixed
> spectre/meltdown issues. If you are using a backports kernel, you might
> be willing to use a backports Xen package, too.

The backports suites aren't supported during the LTS period.  So if we
provide a newer Xen for jessie it will need to be as an additional
source package, and that must not build any binary packages that are
built from the "xen" source package.  I did this for the Linux kernel
by adding the "linux-4.9" source package.

Ben.

> From my perspective, looking into these fixes for 4.4 is more future
> oriented;) There are already some fixes for more recent XSA like XSA
> 263, 267 and 273, which partly depend on the code introduced with the
> various XSA 254 fixes.

-- 
Ben Hutchings
The obvious mathematical breakthrough [to break modern encryption]
would be development of an easy way to factor large prime numbers.
                                                           - Bill Gates



