search for: config_page_table_isol

...tos.org/centos/6/virt/x86_64/xen/ xen, xen-44, xen-46, xen-48 repos should all get the rpms (not just xen) .. el6 has yet to post there, but it is tagged and should show up in a couple hours. The kernel is already there in the el7 trees. We need lots of testing .. the configuration name is now: CONFIG_PAGE_TABLE_ISOLATION=y (instead of CONFIG_KAISER) Please test these kernels so we can release them .. it boots for me as a Dom0 kernel and I can start PVHVM and HVM CentOS DomU machines .. which is how I test before I move the kernels to the testing repos. -------------- next part -------------- A non-text att...

...po file at the BOTTOM of this wiki page that you can use to enable the experimental repo: https://wiki.centos.org/SpecialInterestGroup/AltArch/i386 That experimental repo file will work for x86_64 or i386 installs and the latest released kernel (kernel-4.9.75-204.el7.centos). This kernel has the CONFIG_PAGE_TABLE_ISOLATION=y security fixes (used to be CONFIG_KAISER .. and still is in the Red Hat released kernels). You could also use the Dom0 kernels from the Xen repo as DomU kernels for your PV VMs if you want. Currently the 4.9.75 Xen kernels are in the testing repo and waiting for tests to release. Thanks,...

...> enable the experimental repo: >> ? >> https://wiki.centos.org/SpecialInterestGroup/AltArch/i386 >> ? >> That experimental repo file will work for x86_64 or i386 installs and >> the latest released kernel (kernel-4.9.75-204.el7.centos). This kernel >> has the CONFIG_PAGE_TABLE_ISOLATION=y security fixes (used to be >> CONFIG_KAISER .. and still is in the Red Hat released kernels). >> ? >> You could also use the Dom0 kernels from the Xen repo as DomU kernels >> for your PV VMs if you want. Currently the 4.9.75 Xen kernels are in >> the testing rep...

...t a/arch/x86/boot/compressed/ident_map_64.c b/arch/x86/boot/compressed/ident_map_64.c index d9932a133ac9..e3d980ae9c2b 100644 --- a/arch/x86/boot/compressed/ident_map_64.c +++ b/arch/x86/boot/compressed/ident_map_64.c @@ -19,10 +19,13 @@ /* No PAGE_TABLE_ISOLATION support needed either: */ #undef CONFIG_PAGE_TABLE_ISOLATION +#include "error.h" #include "misc.h" /* These actually do the work of building the kernel identity maps. */ #include <linux/pgtable.h> +#include <asm/trap_pf.h> +#include <asm/trapnr.h> #include <asm/init.h> /* Use the static base for this...

...dent_map_64.c b/arch/x86/boot/compressed/ident_map_64.c > index 3a2115582920..0865d181b85d 100644 > --- a/arch/x86/boot/compressed/ident_map_64.c > +++ b/arch/x86/boot/compressed/ident_map_64.c > @@ -19,11 +19,13 @@ > /* No PAGE_TABLE_ISOLATION support needed either: */ > #undef CONFIG_PAGE_TABLE_ISOLATION > > +#include "error.h" > #include "misc.h" > > /* These actually do the work of building the kernel identity maps. */ > #include <asm/init.h> > #include <asm/pgtable.h> > +#include <asm/trap_defs.h> > /* Use the static...

On 01/04/2018 10:49 AM, Akemi Yagi wrote: > On Thu, Jan 4, 2018 at 9:51 AM, <rikske at deds.nl> wrote: > >> Please patch the CentOS-virt Kernel to fix the >> Kernel Side-Channel Attacks vulnerabilities. >> >> The latest CentOS-virt kernel was released in November, as seen below. >> >> kernel-4.9.63-29.el7.x86_64.rpm 2017-11-21 13:30 >>

...ki page that you can use >to >enable the experimental repo: > >https://wiki.centos.org/SpecialInterestGroup/AltArch/i386 > >That experimental repo file will work for x86_64 or i386 installs and >the latest released kernel (kernel-4.9.75-204.el7.centos). This kernel >has the CONFIG_PAGE_TABLE_ISOLATION=y security fixes (used to be >CONFIG_KAISER .. and still is in the Red Hat released kernels). > >You could also use the Dom0 kernels from the Xen repo as DomU kernels >for your PV VMs if you want. Currently the 4.9.75 Xen kernels are in >the testing repo and waiting for tests to...

Broken! [ 0.000000] Initializing cgroup subsys cpuset [ 0.000000] Initializing cgroup subsys cpu [ 0.000000] Initializing cgroup subsys cpuacct [ 0.000000] Linux version 3.10.0-693.11.6.el7.x86_64 (builder at kbuilder.dev.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) ) #1 SMP Thu Jan 4 01:06:37 UTC 2018 [ 0.000000] Command line: root=/dev/xvda ro

...f File systems # # Security options # CONFIG_KEYS=y CONFIG_KEYS_REQUEST_CACHE=y # CONFIG_PERSISTENT_KEYRINGS is not set CONFIG_BIG_KEYS=y # CONFIG_TRUSTED_KEYS is not set # CONFIG_ENCRYPTED_KEYS is not set CONFIG_KEY_DH_OPERATIONS=y # CONFIG_SECURITY_DMESG_RESTRICT is not set CONFIG_SECURITYFS=y # CONFIG_PAGE_TABLE_ISOLATION is not set CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y # CONFIG_HARDENED_USERCOPY is not set # CONFIG_FORTIFY_SOURCE is not set CONFIG_STATIC_USERMODEHELPER=y CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper" CONFIG_DEFAULT_SECURITY_DAC=y CONFIG_LSM="lockdown,yama,loadpin,...

...ile systems # # Security options # CONFIG_KEYS=y CONFIG_KEYS_REQUEST_CACHE=y # CONFIG_PERSISTENT_KEYRINGS is not set CONFIG_ENCRYPTED_KEYS=m CONFIG_KEY_DH_OPERATIONS=y # CONFIG_KEY_NOTIFICATIONS is not set # CONFIG_SECURITY_DMESG_RESTRICT is not set # CONFIG_SECURITY is not set CONFIG_SECURITYFS=y CONFIG_PAGE_TABLE_ISOLATION=y CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set CONFIG_HARDENED_USERCOPY_PAGESPAN=y # CONFIG_FORTIFY_SOURCE is not set CONFIG_STATIC_USERMODEHELPER=y CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper" # CONF...

...ile systems # # Security options # CONFIG_KEYS=y CONFIG_KEYS_REQUEST_CACHE=y # CONFIG_PERSISTENT_KEYRINGS is not set CONFIG_ENCRYPTED_KEYS=m CONFIG_KEY_DH_OPERATIONS=y # CONFIG_KEY_NOTIFICATIONS is not set # CONFIG_SECURITY_DMESG_RESTRICT is not set # CONFIG_SECURITY is not set CONFIG_SECURITYFS=y CONFIG_PAGE_TABLE_ISOLATION=y CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set CONFIG_HARDENED_USERCOPY_PAGESPAN=y # CONFIG_FORTIFY_SOURCE is not set CONFIG_STATIC_USERMODEHELPER=y CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper" # CONF...

...curity options # CONFIG_KEYS=y CONFIG_KEYS_COMPAT=y # CONFIG_PERSISTENT_KEYRINGS is not set # CONFIG_BIG_KEYS is not set # CONFIG_TRUSTED_KEYS is not set CONFIG_ENCRYPTED_KEYS=m # CONFIG_KEY_DH_OPERATIONS is not set CONFIG_SECURITY_DMESG_RESTRICT=y # CONFIG_SECURITY is not set CONFIG_SECURITYFS=y # CONFIG_PAGE_TABLE_ISOLATION is not set CONFIG_HAVE_HARDENED_USERCOPY_ALLOCATOR=y CONFIG_HARDENED_USERCOPY=y CONFIG_HARDENED_USERCOPY_PAGESPAN=y CONFIG_FORTIFY_SOURCE=y CONFIG_STATIC_USERMODEHELPER=y CONFIG_STATIC_USERMODEHELPER_PATH="/sbin/usermode-helper" CONFIG_DEFAULT_SECURITY_DAC=y CONFIG_DEFAULT_SECURITY=&...

...ions # CONFIG_KEYS=y # CONFIG_KEYS_REQUEST_CACHE is not set CONFIG_PERSISTENT_KEYRINGS=y # CONFIG_BIG_KEYS is not set # CONFIG_ENCRYPTED_KEYS is not set CONFIG_KEY_DH_OPERATIONS=y # CONFIG_KEY_NOTIFICATIONS is not set CONFIG_SECURITY_DMESG_RESTRICT=y # CONFIG_SECURITY is not set CONFIG_SECURITYFS=y CONFIG_PAGE_TABLE_ISOLATION=y # CONFIG_FORTIFY_SOURCE is not set # CONFIG_STATIC_USERMODEHELPER is not set CONFIG_DEFAULT_SECURITY_DAC=y CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity" # # Kernel hardening options # # # Memory initialization # CONFIG_INIT_STACK_NONE=y # CONFIG_INIT_ON_ALLOC_DEFAULT_ON...

This patch series aims to move the logical block size checking to the block code. This was inspired by missing check for valid logical block size in virtio-blk which causes the kernel to crash in a weird way later on when it is invalid. I added blk_is_valid_logical_block_size which returns true iff the block size is one of supported sizes. I added this check to virtio-blk, and also converted

This patch series aims to move the logical block size checking to the block code. This was inspired by missing check for valid logical block size in virtio-blk which causes the kernel to crash in a weird way later on when it is invalid. I added blk_is_valid_logical_block_size which returns true iff the block size is one of supported sizes. I added this check to virtio-blk, and also converted

Hi, here is the next version of changes to enable Linux to run as an SEV-ES guest. The code was rebased to v5.7-rc3 and got a fair number of changes since the last version. What is SEV-ES ============== SEV-ES is an acronym for 'Secure Encrypted Virtualization - Encrypted State' and means a hardware feature of AMD processors which hides the register state of VCPUs to the hypervisor by

Hi, here is the next version of changes to enable Linux to run as an SEV-ES guest. The code was rebased to v5.7-rc3 and got a fair number of changes since the last version. What is SEV-ES ============== SEV-ES is an acronym for 'Secure Encrypted Virtualization - Encrypted State' and means a hardware feature of AMD processors which hides the register state of VCPUs to the hypervisor by

Hi, here is the first public post of the patch-set to enable Linux to run under SEV-ES enabled hypervisors. The code is mostly feature-complete, but there are still a couple of bugs to fix. Nevertheless, given the size of the patch-set, I think it is about time to ask for initial feedback of the changes that come with it. To better understand the code here is a quick explanation of SEV-ES first.

Hi, here is the first public post of the patch-set to enable Linux to run under SEV-ES enabled hypervisors. The code is mostly feature-complete, but there are still a couple of bugs to fix. Nevertheless, given the size of the patch-set, I think it is about time to ask for initial feedback of the changes that come with it. To better understand the code here is a quick explanation of SEV-ES first.

From: Joerg Roedel <jroedel at suse.de> Hi, here is a rebased version of the latest SEV-ES patches. They are now based on latest tip/master instead of upstream Linux and include the necessary changes. Changes to v4 are in particular: - Moved early IDT setup code to idt.c, because the idt_descr and the idt_table are now static - This required to make stack protector work early (or