Displaying 20 results from an estimated 25 matches for "config_page_table_isol".
2018 Jan 06
1
CentOS-virt - Kernel Side-Channel Attacks
...tos.org/centos/6/virt/x86_64/xen/
xen, xen-44, xen-46, xen-48 repos should all get the rpms (not just xen)
.. el6 has yet to post there, but it is tagged and should show up in a
couple hours. The kernel is already there in the el7 trees.
We need lots of testing .. the configuration name is now:
CONFIG_PAGE_TABLE_ISOLATION=y
(instead of CONFIG_KAISER)
Please test these kernels so we can release them .. it boots for me as a
Dom0 kernel and I can start PVHVM and HVM CentOS DomU machines .. which
is how I test before I move the kernels to the testing repos.
2018 Jan 06
2
Centos 7 Kernel 3.10.0-693.11.6.el7.x86_64 does not boot PV
...po file at the BOTTOM of this wiki page that you can use to
enable the experimental repo:
https://wiki.centos.org/SpecialInterestGroup/AltArch/i386
That experimental repo file will work for x86_64 or i386 installs and
the latest released kernel (kernel-4.9.75-204.el7.centos). This kernel
has the CONFIG_PAGE_TABLE_ISOLATION=y security fixes (used to be
CONFIG_KAISER .. and still is in the Red Hat released kernels).
You could also use the Dom0 kernels from the Xen repo as DomU kernels
for your PV VMs if you want. Currently the 4.9.75 Xen kernels are in
the testing repo and waiting for tests to release.
Thanks,...
2018 Jan 09
1
Centos 7 Kernel 3.10.0-693.11.6.el7.x86_64 does not boot PV
...> enable the experimental repo:
>>
>> https://wiki.centos.org/SpecialInterestGroup/AltArch/i386
>>
>> That experimental repo file will work for x86_64 or i386 installs and
>> the latest released kernel (kernel-4.9.75-204.el7.centos). This kernel
>> has the CONFIG_PAGE_TABLE_ISOLATION=y security fixes (used to be
>> CONFIG_KAISER .. and still is in the Red Hat released kernels).
>>
>> You could also use the Dom0 kernels from the Xen repo as DomU kernels
>> for your PV VMs if you want. Currently the 4.9.75 Xen kernels are in
>> the testing rep...
2020 Jul 14
0
[PATCH v4 14/75] x86/boot/compressed/64: Add page-fault handler
...t a/arch/x86/boot/compressed/ident_map_64.c b/arch/x86/boot/compressed/ident_map_64.c
index d9932a133ac9..e3d980ae9c2b 100644
--- a/arch/x86/boot/compressed/ident_map_64.c
+++ b/arch/x86/boot/compressed/ident_map_64.c
@@ -19,10 +19,13 @@
/* No PAGE_TABLE_ISOLATION support needed either: */
#undef CONFIG_PAGE_TABLE_ISOLATION
+#include "error.h"
#include "misc.h"
/* These actually do the work of building the kernel identity maps. */
#include <linux/pgtable.h>
+#include <asm/trap_pf.h>
+#include <asm/trapnr.h>
#include <asm/init.h>
/* Use the static base for this...
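Review bot: The two added includes, <asm/trap_pf.h> and <asm/trapnr.h>, land between <linux/pgtable.h> and <asm/init.h>, inside the group introduced by the comment "These actually do the work of building the kernel identity maps", which does not describe trap headers. Consider moving them below <asm/init.h>, or giving them their own one-line comment, so the existing comment stays accurate for the headers it covers.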
2020 Apr 02
0
[PATCH 14/70] x86/boot/compressed/64: Add page-fault handler
...dent_map_64.c b/arch/x86/boot/compressed/ident_map_64.c
> index 3a2115582920..0865d181b85d 100644
> --- a/arch/x86/boot/compressed/ident_map_64.c
> +++ b/arch/x86/boot/compressed/ident_map_64.c
> @@ -19,11 +19,13 @@
> /* No PAGE_TABLE_ISOLATION support needed either: */
> #undef CONFIG_PAGE_TABLE_ISOLATION
>
> +#include "error.h"
> #include "misc.h"
>
> /* These actually do the work of building the kernel identity maps. */
> #include <asm/init.h>
> #include <asm/pgtable.h>
> +#include <asm/trap_defs.h>
> /* Use the static...
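Review bot: The added <asm/trap_defs.h> sits as the last header directly under the comment "These actually do the work of building the kernel identity maps", although by its name it belongs to the new page-fault handling rather than to the map-building code. A blank line before it would keep that comment scoped to <asm/init.h> and <asm/pgtable.h>.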
2018 Jan 04
2
CentOS-virt - Kernel Side-Channel Attacks
On 01/04/2018 10:49 AM, Akemi Yagi wrote:
> On Thu, Jan 4, 2018 at 9:51 AM, <rikske at deds.nl> wrote:
>
>> Please patch the CentOS-virt Kernel to fix the
>> Kernel Side-Channel Attacks vulnerabilities.
>>
>> The latest CentOS-virt kernel was released in November, as seen below.
>>
>> kernel-4.9.63-29.el7.x86_64.rpm 2017-11-21 13:30
>>
2018 Jan 08
0
Centos 7 Kernel 3.10.0-693.11.6.el7.x86_64 does not boot PV
...ki page that you can use
>to enable the experimental repo:
>
>https://wiki.centos.org/SpecialInterestGroup/AltArch/i386
>
>That experimental repo file will work for x86_64 or i386 installs and
>the latest released kernel (kernel-4.9.75-204.el7.centos). This kernel
>has the CONFIG_PAGE_TABLE_ISOLATION=y security fixes (used to be
>CONFIG_KAISER .. and still is in the Red Hat released kernels).
>
>You could also use the Dom0 kernels from the Xen repo as DomU kernels
>for your PV VMs if you want. Currently the 4.9.75 Xen kernels are in
>the testing repo and waiting for tests to...
2018 Jan 06
2
Centos 7 Kernel 3.10.0-693.11.6.el7.x86_64 does not boot PV
Broken!
[ 0.000000] Initializing cgroup subsys cpuset
[ 0.000000] Initializing cgroup subsys cpu
[ 0.000000] Initializing cgroup subsys cpuacct
[ 0.000000] Linux version 3.10.0-693.11.6.el7.x86_64
(builder at kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat
4.8.5-16) (GCC) ) #1 SMP Thu Jan 4 01:06:37 UTC 2018
[ 0.000000] Command line: root=/dev/xvda ro
2020 Jan 22
0
mmotm 2020-01-21-13-28 uploaded (nouveau)
...f File systems
#
# Security options
#
CONFIG_KEYS=y
CONFIG_KEYS_REQUEST_CACHE=y
# CONFIG_PERSISTENT_KEYRINGS is not set
CONFIG_BIG_KEYS=y
# CONFIG_TRUSTED_KEYS is not set
# CONFIG_ENCRYPTED_KEYS is not set
CONFIG_KEY_DH_OPERATIONS=y
# CONFIG_SECURITY_DMESG_RESTRICT is not set
CONFIG_SECURITYFS=y
# CONFIG_PAGE_TABLE_ISOLATION is not set
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
# CONFIG_HARDENED_USERCOPY is not set
# CONFIG_FORTIFY_SOURCE is not set
CONFIG_STATIC_USERMODEHELPER=y
CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper"
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_LSM="lockdown,yama,loadpin,...
2020 Apr 15
2
linux-next: Tree for Apr 15 (vdpa)
...ile systems
#
# Security options
#
CONFIG_KEYS=y
CONFIG_KEYS_REQUEST_CACHE=y
# CONFIG_PERSISTENT_KEYRINGS is not set
CONFIG_ENCRYPTED_KEYS=m
CONFIG_KEY_DH_OPERATIONS=y
# CONFIG_KEY_NOTIFICATIONS is not set
# CONFIG_SECURITY_DMESG_RESTRICT is not set
# CONFIG_SECURITY is not set
CONFIG_SECURITYFS=y
CONFIG_PAGE_TABLE_ISOLATION=y
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
CONFIG_HARDENED_USERCOPY=y
# CONFIG_HARDENED_USERCOPY_FALLBACK is not set
CONFIG_HARDENED_USERCOPY_PAGESPAN=y
# CONFIG_FORTIFY_SOURCE is not set
CONFIG_STATIC_USERMODEHELPER=y
CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper"
# CONF...
2018 Feb 02
0
[fw_cfg] c8bf448ff3: kernel_BUG_at_arch/x86/mm/physaddr.c
...curity options
#
CONFIG_KEYS=y
CONFIG_KEYS_COMPAT=y
# CONFIG_PERSISTENT_KEYRINGS is not set
# CONFIG_BIG_KEYS is not set
# CONFIG_TRUSTED_KEYS is not set
CONFIG_ENCRYPTED_KEYS=m
# CONFIG_KEY_DH_OPERATIONS is not set
CONFIG_SECURITY_DMESG_RESTRICT=y
# CONFIG_SECURITY is not set
CONFIG_SECURITYFS=y
# CONFIG_PAGE_TABLE_ISOLATION is not set
CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_HARDENED_USERCOPY_PAGESPAN=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_STATIC_USERMODEHELPER=y
CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper"
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_DEFAULT_SECURITY=&...
2020 Jan 16
0
linux-next: Tree for Jan 16 (drivers/gpu/drm/nouveau/nvkm/subdev/ltc/gp10b.c)
...ions
#
CONFIG_KEYS=y
# CONFIG_KEYS_REQUEST_CACHE is not set
CONFIG_PERSISTENT_KEYRINGS=y
# CONFIG_BIG_KEYS is not set
# CONFIG_ENCRYPTED_KEYS is not set
CONFIG_KEY_DH_OPERATIONS=y
# CONFIG_KEY_NOTIFICATIONS is not set
CONFIG_SECURITY_DMESG_RESTRICT=y
# CONFIG_SECURITY is not set
CONFIG_SECURITYFS=y
CONFIG_PAGE_TABLE_ISOLATION=y
# CONFIG_FORTIFY_SOURCE is not set
# CONFIG_STATIC_USERMODEHELPER is not set
CONFIG_DEFAULT_SECURITY_DAC=y
CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity"
#
# Kernel hardening options
#
#
# Memory initialization
#
CONFIG_INIT_STACK_NONE=y
# CONFIG_INIT_ON_ALLOC_DEFAULT_ON...
2020 Jul 21
17
[PATCH 00/10] RFC: move logical block size checking to the block core
This patch series aims to move the logical block size checking to the
block code.
This was inspired by missing check for valid logical block size in
virtio-blk which causes the kernel to crash in a weird way later on
when it is invalid.
I added blk_is_valid_logical_block_size which returns true iff the
block size is one of supported sizes.
I added this check to virtio-blk, and also converted
2020 Apr 28
116
[PATCH v3 00/75] x86: SEV-ES Guest Support
Hi,
here is the next version of changes to enable Linux to run as an SEV-ES
guest. The code was rebased to v5.7-rc3 and got a fair number of changes
since the last version.
What is SEV-ES
==============
SEV-ES is an acronym for 'Secure Encrypted Virtualization - Encrypted
State' and means a hardware feature of AMD processors which hides the
register state of VCPUs to the hypervisor by
2020 Feb 11
83
[RFC PATCH 00/62] Linux as SEV-ES Guest Support
Hi,
here is the first public post of the patch-set to enable Linux to run
under SEV-ES enabled hypervisors. The code is mostly feature-complete,
but there are still a couple of bugs to fix. Nevertheless, given the
size of the patch-set, I think it is about time to ask for initial
feedback of the changes that come with it. To better understand the code
here is a quick explanation of SEV-ES first.
2020 Jul 24
86
[PATCH v5 00/75] x86: SEV-ES Guest Support
From: Joerg Roedel <jroedel at suse.de>
Hi,
here is a rebased version of the latest SEV-ES patches. They are now
based on latest tip/master instead of upstream Linux and include the
necessary changes.
Changes to v4 are in particular:
- Moved early IDT setup code to idt.c, because the idt_descr
and the idt_table are now static
- This required to make stack protector work early (or