
Bug#930797: unblock: xen/4.11.1+92-g6c33308a8d-1



Control: tags -1 - moreinfo

Hi Paul,

On 6/21/19 10:02 PM, Paul Gevers wrote:
> Control: tags -1 moreinfo
> 
> Hi Hans,
> 
> On 20-06-2019 21:14, Hans van Kranenburg wrote:
>>   * Note that the fixes for XSA-297 will only have effect when also loading
>>     updated cpu microcode with MD_CLEAR functionality. When using the
>>     intel-microcode package to include microcode in the dom0 initrd, it has to
>>     be loaded by Xen. Please refer to the hypervisor command line
>>     documentation about the 'ucode=scan' option.
> 
> I asked this question recently for another unblock report (not by you)
> as well, but don't you think this is worth mentioning in NEWS? So that
> people that use apt-listchanges are warned about this?

Yes, it surely is. I realized the same thing, but only after the upload
was done.

What do you think about the following (also added as attachment):

https://salsa.debian.org/xen-team/debian-xen/commit/ce3646253ebb7d4834a83a8ee813d7bef9b7ffe2

I'm building it now to see if everything ends up in the right place in
the resulting packages.

Thanks,
Hans
commit ce3646253ebb7d4834a83a8ee813d7bef9b7ffe2 (HEAD -> knorrie/4.11, origin/knorrie/4.11)
Author: Hans van Kranenburg <hans.van.kranenburg@mendix.com>
Date:   Sat Jun 22 11:45:34 2019 +0200

    Update to 4.11.1+92-g6c33308a8d-2 with MDS documentation
    
    Following up feedback from the release team, add a NEWS file mentioning
    the MDS mitigations with some instructions, so that it will be more
    visible to people using apt-listchanges.
    
    Mention the ucode option in our default documented set of "usually used
    options", so that users doing a new install will get a hint about the
    existence of this option, and what it does.

diff --git a/debian/NEWS b/debian/NEWS
new file mode 100644
index 0000000000..e32955a161
--- /dev/null
+++ b/debian/NEWS
@@ -0,0 +1,20 @@
+xen (4.11.1+92-g6c33308a8d-1) unstable; urgency=high
+
+    This update contains the mitigations for the Microarchitectural Data
+    Sampling speculative side channel attacks. Only Intel based processors are
+    affected.
+
+    Note that these fixes will only have effect when also loading updated cpu
+    microcode with MD_CLEAR functionality. When using the intel-microcode
+    package to include microcode in the dom0 initrd, it has to be loaded by
+    Xen. Please refer to the hypervisor command line documentation about the
+    'ucode=scan' option.
+
+    For the fixes to be fully effective, it is currently also needed to disable
+    hyper-threading, which can be done in BIOS settings, or by using smt=no on
+    the hypervisor command line.
+
+    Additional information is available in the upstream Xen security advisory:
+    https://xenbits.xen.org/xsa/advisory-297.html
+
+ -- Hans van Kranenburg <hans@knorrie.org>  Tue, 18 Jun 2019 09:50:19 +0200
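Review bot: the new NEWS entry is versioned 4.11.1+92-g6c33308a8d-1, but it is shipped by the -2 upload; apt-listchanges only displays NEWS entries newer than the installed version, so anyone who already has -1 installed will upgrade to -2 without ever seeing this notice, which is the exact audience the commit message says it is for. Consider versioning and dating the entry for -2 (the upload that actually carries it). Minor wording in the second paragraph: "will only have effect" reads better as "will only take effect", and "cpu" should be "CPU".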
diff --git a/debian/changelog b/debian/changelog
index 9c64ee1326..4d2fc62b5b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+xen (4.11.1+92-g6c33308a8d-2) unstable; urgency=high
+
+  * Mention MDS and the need for updated microcode and disabling
+    hyper-threading in NEWS.
+  * Mention the ucode=scan option in the grub.d/xen documentation.
+
+ -- Hans van Kranenburg <hans@knorrie.org>  Sat, 22 Jun 2019 11:15:08 +0200
+
 xen (4.11.1+92-g6c33308a8d-1) unstable; urgency=high
 
   * Update to new upstream version 4.11.1+92-g6c33308a8d, which also
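Review bot: the second bullet refers to "the grub.d/xen documentation", but the file changed is /etc/default/grub.d/xen.cfg; naming the full path makes the change easier to locate from the changelog. The first bullet could also name smt=no next to "disabling hyper-threading", since that is the concrete hypervisor option the NEWS entry tells administrators to set.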
diff --git a/debian/tree/xen-hypervisor-common/etc/default/grub.d/xen.cfg b/debian/tree/xen-hypervisor-common/etc/default/grub.d/xen.cfg
index e3853c33ca..900c12df5d 100644
--- a/debian/tree/xen-hypervisor-common/etc/default/grub.d/xen.cfg
+++ b/debian/tree/xen-hypervisor-common/etc/default/grub.d/xen.cfg
@@ -44,6 +44,11 @@ echo "Including Xen overrides from /etc/default/grub.d/xen.cfg"
 #   Do not automatically reboot after an error. This is useful for catching
 #   debug output.
 #
+# ucode=scan (only for x86)
+#   Scan the multiboot images mentioned in grub configuration for an cpio image
+#   that contains cpu microcode. This enables loading microcode that is stored
+#   in the dom0 initrd.img.
+#
 # Please also refer to the "Xen Hypervisor Command Line Options"
 # documentation for the version of Xen you have installed. This
 # documentation can be found at https://xenbits.xen.org/
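Review bot: typo in the new comment block, "for an cpio image" should be "for a cpio image", and "cpu microcode" is usually written "CPU microcode". The comment only describes what the scan does; since the reason for documenting it is the MDS mitigation, one sentence noting that the dom0 initrd must actually contain the microcode (for example via the intel-microcode package, as the NEWS entry says) and that otherwise the MD_CLEAR based fixes have no effect would make the hint self-contained for someone reading only this file.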
