dgit.raspbian.org Git - xen.git/commit

author	Julien Grall <jgrall@amazon.com>
	Sat, 17 Apr 2021 16:38:28 +0000 (17:38 +0100)
committer	Andrew Cooper <andrew.cooper3@citrix.com>
	Tue, 8 Jun 2021 16:43:06 +0000 (17:43 +0100)
commit	fd5dc41ceaed9cfcfa011cdfd50f264c89277a90
tree	8c64c751d2c01c85932079e7fd71e8816fef717a	tree \| snapshot
parent	371347c5b64da699d9f5a0edda5dc496fd2b7a5c	commit \| diff

xen/arm: Boot modules should always be scrubbed if bootscrub={on, idle}

The function to initialize the pages (see init_heap_pages()) will request
scrub when the admin request idle bootscrub (default) and state ==
SYS_STATE_active. When bootscrub=on, Xen will scrub any free pages in
heap_init_late().

Currently, the boot modules (e.g. kernels, initramfs) will be discarded/
freed after heap_init_late() is called and system_state switched to
SYS_STATE_active. This means the pages associated with the boot modules
will not get scrubbed before getting re-purposed.

If the memory is assigned to an untrusted domU, it may be able to
retrieve secrets from the modules.

This is part of XSA-372 / CVE-2021-28693.

Fixes: 1774e9b1df27 ("xen/arm: introduce create_domUs")
Signed-off-by: Julien Grall <jgrall@amazon.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Tested-by: Stefano Stabellini <sstabellini@kernel.org>