Sarah Newman
2018-Jan-04 19:12 UTC
[CentOS-virt] CentOS-virt - Kernel Side-Channel Attacks
On 01/04/2018 10:49 AM, Akemi Yagi wrote:> On Thu, Jan 4, 2018 at 9:51 AM, <rikske at deds.nl> wrote: > >> Please patch the CentOS-virt Kernel to fix the >> Kernel Side-Channel Attacks vulnerabilities. >> >> The latest CentOS-virt kernel was released in November, as seen below. >> >> kernel-4.9.63-29.el7.x86_64.rpm 2017-11-21 13:30 >> >> https://access.redhat.com/security/vulnerabilities/speculativeexecution >> http://mirror.centos.org/centos/7/virt/x86_64/xen/ >> > > ?As far as I can see, the patches for ? > KAISER (Kernel Address > ? ?Isolation to have Side-channels Efficiently Removed) will appear in > kernel 4.9.75. Looks like it will be released soon upstream (kernel.org). >To my best knowledge KAISER doesn't matter for Xen Dom0's given they run in PV mode, and KAISER isn't enabled for PV guests.
George Dunlap
2018-Jan-05 12:33 UTC
[CentOS-virt] CentOS-virt - Kernel Side-Channel Attacks
On Thu, Jan 4, 2018 at 7:12 PM, Sarah Newman <srn at prgmr.com> wrote:> On 01/04/2018 10:49 AM, Akemi Yagi wrote: >> On Thu, Jan 4, 2018 at 9:51 AM, <rikske at deds.nl> wrote: >> >>> Please patch the CentOS-virt Kernel to fix the >>> Kernel Side-Channel Attacks vulnerabilities. >>> >>> The latest CentOS-virt kernel was released in November, as seen below. >>> >>> kernel-4.9.63-29.el7.x86_64.rpm 2017-11-21 13:30 >>> >>> https://access.redhat.com/security/vulnerabilities/speculativeexecution >>> http://mirror.centos.org/centos/7/virt/x86_64/xen/ >>> >> >> As far as I can see, the patches for >> KAISER (Kernel Address >> Isolation to have Side-channels Efficiently Removed) will appear in >> kernel 4.9.75. Looks like it will be released soon upstream (kernel.org). >> > > To my best knowledge KAISER doesn't matter for Xen Dom0's given they run in PV mode, and KAISER isn't enabled for PV guests.But it will be important if anyone is running the CentOS kernel in their HVM domUs (as guest kernels can be attacked using SP3 by guest user space without the KPTI patches). I'm sure Johnny will get to it as soon as he has the opportunity. -George
Johnny Hughes
2018-Jan-06 10:09 UTC
[CentOS-virt] CentOS-virt - Kernel Side-Channel Attacks
On 01/05/2018 06:33 AM, George Dunlap wrote:> On Thu, Jan 4, 2018 at 7:12 PM, Sarah Newman <srn at prgmr.com> wrote: >> On 01/04/2018 10:49 AM, Akemi Yagi wrote: >>> On Thu, Jan 4, 2018 at 9:51 AM, <rikske at deds.nl> wrote: >>> >>>> Please patch the CentOS-virt Kernel to fix the >>>> Kernel Side-Channel Attacks vulnerabilities. >>>> >>>> The latest CentOS-virt kernel was released in November, as seen below. >>>> >>>> kernel-4.9.63-29.el7.x86_64.rpm 2017-11-21 13:30 >>>> >>>> https://access.redhat.com/security/vulnerabilities/speculativeexecution >>>> http://mirror.centos.org/centos/7/virt/x86_64/xen/ >>>> >>> >>> As far as I can see, the patches for >>> KAISER (Kernel Address >>> Isolation to have Side-channels Efficiently Removed) will appear in >>> kernel 4.9.75. Looks like it will be released soon upstream (kernel.org). >>> >> >> To my best knowledge KAISER doesn't matter for Xen Dom0's given they run in PV mode, and KAISER isn't enabled for PV guests. > > But it will be important if anyone is running the CentOS kernel in > their HVM domUs (as guest kernels can be attacked using SP3 by guest > user space without the KPTI patches). > > I'm sure Johnny will get to it as soon as he has the opportunity.I have just pushed the 4.9.75-29.el7 and 4.9.75-30.el6 kernels to the testing repositories. https://buildlogs.centos.org/centos/7/virt/x86_64/xen/ and https://buildlogs.centos.org/centos/6/virt/x86_64/xen/ xen, xen-44, xen-46, xen-48 repos should all get the rpms (not just xen) .. el6 has yet to post there, but it is tagged and should show up in a couple hours. The kernel is already there in the el7 trees. We need lots of testing .. the configuration name is now: CONFIG_PAGE_TABLE_ISOLATION=y (instead of CONFIG_KAISER) Please test these kernels so we can release them .. it boots for me as a Dom0 kernel and I can start PVHVM and HVM CentOS DomU machines .. which is how I test before I move the kernels to the testing repos. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos-virt/attachments/20180106/99242c2b/attachment-0002.sig>