Stephen Nelson-Smith
2013-Jan-03 01:41 UTC
Passing "allow_unsafe" appears not to workaround protection for CVE-2012-2934
Having finished a round of testing in my own lab, I''ve connected to my clients test lab, and reproduced my Xen Dom0. Upon trying a test creation of a DomU, I was intrigued to receive the message: ERROR POST operation failed: xend_post: error from xen daemon: (xend.err ''Error creating domain: Creating domain failed: name=snstest00'') Domain installation does not appear to have been successful. Digging a little deeper, I saw in xm dmesg: (XEN) Xen does not allow DomU creation on this CPU for security reasons. And also the hint: (XEN) *** Xen will not allow creation of DomU-s on this CPU for security reasons. *** (XEN) *** Pass "allow_unsafe" if you\047re trusting all your (PV) guest kernels. *** So, I added allow_unsafe to my kernel parameters and rebooted: [root@dom0-a ~]# cat /proc/cmdline placeholder root=/dev/mapper/vg_dom0--a-lv_root ro rd.md=0 rd.dm=0 SYSFONT=True rd.lvm.lv=vg_dom0-a/lv_root KEYTABLE=uk rd.luks=0 rd.lvm.lv=vg_dom0-a/lv_swap LANG=en_US.UTF-8 rhgb noacpi xdriver=vesa resolution=1024x786 allow_unsafe However, I still get the same messages in xm dmesg, and I am still unable to build a DomU. I''m using a machine with AMD Opteron(tm) Processor 254 chips. This chipset appears in this CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2934, and is discussed here: http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html The announcement explicitly says: "A command line override is provided to allow users who accept the risks or who are able to mitigate as above to continue to do so. To activate the override add "allow_unsafe" to your hypervisor command line" This is a test system, and I''m up against some deadlines now, so it''s completely ok to run with this risk in mind, however I can''t understand why passing "allow_unsafe" didn''t have the published effect. Please help! :) S.
Stephen Nelson-Smith
2013-Jan-03 02:02 UTC
Re: Passing "allow_unsafe" appears not to workaround protection for CVE-2012-2934
Hi, On Thu, Jan 3, 2013 at 1:41 AM, Stephen Nelson-Smith <sanelson@gmail.com> wrote:> This is a test system, and I''m up against some deadlines now, so it''s > completely ok to run with this risk in mind, however I can''t > understand why passing "allow_unsafe" didn''t have the published > effect.Aha... GRUB_CMDLINE_XEN="allow_unsafe" I was confusing parameters passed to the Linux kernel and the hypervisor. Thanks, S.