Re: CentOS-virt - Kernel Side-Channel Attacks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 01/05/2018 06:33 AM, George Dunlap wrote:
> On Thu, Jan 4, 2018 at 7:12 PM, Sarah Newman <srn@xxxxxxxxx> wrote:
>> On 01/04/2018 10:49 AM, Akemi Yagi wrote:
>>> On Thu, Jan 4, 2018 at 9:51 AM, <rikske@xxxxxxx> wrote:
>>>
>>>> Please patch the CentOS-virt Kernel to fix the
>>>> Kernel Side-Channel Attacks vulnerabilities.
>>>>
>>>> The latest CentOS-virt kernel was released in November, as seen below.
>>>>
>>>> kernel-4.9.63-29.el7.x86_64.rpm 2017-11-21 13:30
>>>>
>>>> https://access.redhat.com/security/vulnerabilities/speculativeexecution
>>>> http://mirror.centos.org/centos/7/virt/x86_64/xen/
>>>>
>>>
>>> As far as I can see, the patches for
>>> KAISER (Kernel Address
>>> Isolation to have Side-channels Efficiently Removed) will appear in
>>> kernel 4.9.75. Looks like it will be released soon upstream (kernel.org).
>>>
>>
>> To my best knowledge KAISER doesn't matter for Xen Dom0's given they run in PV mode, and KAISER isn't enabled for PV guests.
> 
> But it will be important if anyone is running the CentOS kernel in
> their HVM domUs (as guest kernels can be attacked using SP3 by guest
> user space without the KPTI patches).
> 
> I'm sure Johnny will get to it as soon as he has the opportunity.

I have just pushed the 4.9.75-29.el7 and 4.9.75-30.el6 kernels to the
testing repositories.


https://buildlogs.centos.org/centos/7/virt/x86_64/xen/

and

https://buildlogs.centos.org/centos/6/virt/x86_64/xen/

xen, xen-44, xen-46, xen-48 repos should all get the rpms (not just xen)
.. el6 has yet to post there, but it is tagged and should show up in a
couple hours.  The kernel is already there in the el7 trees.

We need lots of testing .. the configuration name is now:

CONFIG_PAGE_TABLE_ISOLATION=y

(instead of CONFIG_KAISER)

Please test these kernels so we can release them .. it boots for me as a
Dom0 kernel and I can start PVHVM and HVM CentOS DomU machines .. which
is how I test before I move the kernels to the testing repos.


Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
CentOS-virt mailing list
CentOS-virt@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos-virt

[Index of Archives]     [CentOS Users]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [X.org]     [Xfree86]     [Linux USB]

  Powered by Linux