On 01/05/2018 06:33 AM, George Dunlap wrote:
> On Thu, Jan 4, 2018 at 7:12 PM, Sarah Newman <srn@xxxxxxxxx> wrote:
>> On 01/04/2018 10:49 AM, Akemi Yagi wrote:
>>> On Thu, Jan 4, 2018 at 9:51 AM, <rikske@xxxxxxx> wrote:
>>>
>>>> Please patch the CentOS-virt Kernel to fix the
>>>> Kernel Side-Channel Attacks vulnerabilities.
>>>>
>>>> The latest CentOS-virt kernel was released in November, as seen below.
>>>>
>>>> kernel-4.9.63-29.el7.x86_64.rpm 2017-11-21 13:30
>>>>
>>>> https://access.redhat.com/security/vulnerabilities/speculativeexecution
>>>> http://mirror.centos.org/centos/7/virt/x86_64/xen/
>>>>
>>>
>>> As far as I can see, the patches for
>>> KAISER (Kernel Address
>>> Isolation to have Side-channels Efficiently Removed) will appear in
>>> kernel 4.9.75. Looks like it will be released soon upstream (kernel.org).
>>>
>>
>> To my best knowledge KAISER doesn't matter for Xen Dom0's given they run in PV mode, and KAISER isn't enabled for PV guests.
>
> But it will be important if anyone is running the CentOS kernel in
> their HVM domUs (as guest kernels can be attacked using SP3 by guest
> user space without the KPTI patches).
>
> I'm sure Johnny will get to it as soon as he has the opportunity.

I have just pushed the 4.9.75-29.el7 and 4.9.75-30.el6 kernels to the testing repositories.

https://buildlogs.centos.org/centos/7/virt/x86_64/xen/

and

https://buildlogs.centos.org/centos/6/virt/x86_64/xen/

xen, xen-44, xen-46, xen-48 repos should all get the rpms (not just xen) .. el6 has yet to post there, but it is tagged and should show up in a couple hours. The kernel is already there in the el7 trees.

We need lots of testing .. the configuration name is now:

CONFIG_PAGE_TABLE_ISOLATION=y (instead of CONFIG_KAISER)

Please test these kernels so we can release them .. it boots for me as a Dom0 kernel and I can start PVHVM and HVM CentOS DomU machines .. which is how I test before I move the kernels to the testing repos.
_______________________________________________
CentOS-virt mailing list
CentOS-virt@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos-virt
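
For anyone testing the kernels announced above, a check added here as an example (not part of the original message or of any CentOS tooling): it reports whether page-table isolation is compiled in under either option name from the thread, and separately whether the running kernel reports it as active, since a PV Dom0 can have the option built in without using it. The function names are hypothetical, and the matched log text is the boot message printed by kernels carrying the KPTI patches.

```shell
#!/bin/sh
# Added example: build-time vs. runtime state of kernel page-table isolation.
# Typical use on a test machine:
#   pti_config_state "/boot/config-$(uname -r)"
#   dmesg > /tmp/kernel.log && pti_runtime_state /tmp/kernel.log

# pti_config_state FILE
# FILE is a kernel build config. Prints "built-in (<option>)", "not-built"
# or "unreadable"; the exit status is 0 only when the option is built in.
pti_config_state() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    # The thread gives CONFIG_PAGE_TABLE_ISOLATION as the current name and
    # CONFIG_KAISER as the name it replaced, so accept either.
    for opt in CONFIG_PAGE_TABLE_ISOLATION CONFIG_KAISER; do
        if grep -q "^${opt}=y\$" "$1"; then
            echo "built-in ($opt)"
            return 0
        fi
    done
    # "# CONFIG_... is not set" and no mention at all both mean not compiled in.
    echo "not-built"
    return 1
}

# pti_runtime_state FILE
# FILE holds kernel log text, e.g. saved dmesg output. Prints "enabled" when
# the kernel logged that isolation is active, otherwise "not-reported"
# (which is the expected result when the log has rotated or on a PV domain).
pti_runtime_state() {
    [ -r "$1" ] || { echo "unreadable"; return 2; }
    if grep -q 'Kernel/User page tables isolation: enabled' "$1"; then
        echo "enabled"
        return 0
    fi
    echo "not-reported"
    return 1
}
```

A "built-in" result together with "not-reported" is worth recording in a test report along with the domain type (Dom0 PV, PVHVM or HVM DomU).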