Re: CVE-2017-5754 - XEN silent_disable?
On Fri, 12 Jan 2018, Vincent Lefevre wrote:
> But I think I've found the reason:
>
> In arch/x86/mm/kaiser.c:
>
> void __init kaiser_check_boottime_disable(void)
> {
> [...]
> if (boot_cpu_has(X86_FEATURE_XENPV))
> goto silent_disable;
> [...]
> disable:
> pr_info("disabled\n");
>
> silent_disable:
> kaiser_enabled = 0;
> setup_clear_cpu_cap(X86_FEATURE_KAISER);
> }
>
> I must be in the "silent_disable" case (this is a Xen guest).
>
> It's unfortunate that no-one mentions this case!
>
It is an unfortunate situation all around, no doubt! I did a quick
websearch and found contrary opinions about whether Xen paravirtualization
is affected or not, whether a patched server and a patched guest is
necessary, and to what degree patching one or the other protects either,
and from whom.
Very unfortunate.
Reply to: