Copy README.pti and README.comet from the XSA-254 advisory

We would like these to be installed with the Debian Xen packages
because they contain usage instructions too.

Signed-off-by: Ian Jackson <ian.jackson@citrix.com>
Gbp-Pq: Name 0029-Copy-README.pti-and-README.comet-from-the-XSA-254-ad.patch

diff --git a/README.comet b/README.comet
new file mode 100644 (file)
index 0000000..1f27f93
--- /dev/null
+++ b/README.comet
@@ -0,0 +1,96 @@
+                           PV-in-PVH shim
+                            ==============
+
+Summary
+-------
+
+This README describes one of three mitigation strategies for Meltdown.
+
+The basic principle is to run PV guests (which can read all of host
+memory due to the hardware bugs) as PVH guests (which cannot, at least
+not due to Meltdown).  The PV environment is still provided to the
+guest by an embedded copy of Xen, the "shim".  This version of the
+shim is codenamed "Comet".
+
+Unlike Vixen, Comet requires modifications to the toolstack and host
+hypervisor.
+
+Note that both of these shim-based approaches prevent attacks on the
+host, but leave the guest vulnerable to Meltdown attacks by its own
+unprivileged processes; this is true even if the guest OS has KPTI or
+similar Meltdown mitigation.
+
+Versions for Xen 4.8 and 4.10 are available.
+
+What you will need
+------------------
+
+ * You will need the xen.git with the following tags:
+  - For 4.10: 4.10.0-shim-comet-3
+  - For 4.8:  4.8.3pre-shim-comet-2   and  4.10.0-shim-comet-3
+
+Build instructions: 4.10
+------------------------
+
+1. Build a 4.10+ system
+    git clone git://xenbits.xenproject.org/xen.git xen.git
+    cd xen.git
+    git checkout 4.10.0-shim-comet-3
+
+Do a build and install as normal.  The shim will be built as part of the
+normal build process, and placed with other 'system' binaries where the
+toostack knows how to find it.
+
+Build instructions: 4.8
+-----------------------
+
+The code for shim itself is not backported to 4.8.  4.8 users should
+use a shim built from 4.10-based source code; this can be simply
+dropped into a Xen 4.8 installation.
+
+1. Build a 4.8+ system with support for running PVH, and for pvshim:
+
+    git clone git://xenbits.xenproject.org/xen.git xen.git
+    cd xen.git
+    git checkout 4.8.3pre-shim-comet-2
+
+  Do a build and install as normal.
+
+2. Build a 4.10+ system to be the shim:
+
+    git clone git://xenbits.xenproject.org/xen.git xen.git
+    cd xen.git
+    git checkout 4.10.0-shim-comet-3
+    ./configure
+    make -C tools/firmware/xen-dir
+
+  And then install the shim executable where
+  the 4.8 pv shim mode tools expect to find it
+
+    cp tools/firmware/xen-dir/xen-shim /usr/lib/xen/boot/xen-shim
+    cp tools/firmware/xen-dir/xen-shim /usr/local/lib/xen/boot/xen-shim
+
+  This step is only needed to boot guests in "PVH with PV shim"
+  mode; it is not needed when booting PVH-supporting guests as PVH.
+
+
+Usage instructions
+------------------
+
+* Converting a PV config to a PVH shim config
+
+- Remove any reference to 'builder' (e.g., `builder="generic"`)
+- Add the following two lines:
+  type="pvh"
+  pvshim=1
+
+* Converting a PV config to a PVH config
+
+If you have a kernel capable of booting PVH, then PVH mode is both
+faster and more secure than PV or PVH-shim mode.
+
+- Remove any reference to 'builder' (e.g., `builder="generic"`)
+- Add the following line:
+  type="pvh"
+
+* There is no need to reboot the host.

diff --git a/README.pti b/README.pti
new file mode 100644 (file)
index 0000000..227058f
--- /dev/null
+++ b/README.pti
@@ -0,0 +1,48 @@
+                      Xen page-table isolation (XPTI)
+                      ===============================
+
+Summary
+-------
+
+This README gives references for one of three mitigation strategies
+for Meltdown.
+
+This series is a first-class migitation pagetable isolation series for
+Xen.  It is available for Xen 4.6 to Xen 4.10 and later.
+
+Precise git commits are as follows:
+
+4.10:
+
+7cccd6f748ec724cf9408cec6b3ec8e54a8a2c1f x86: allow Meltdown band-aid to be disabled
+234f481337ea1a93db968d614649a6bdfdc8418a x86: Meltdown band-aid against malicious 64-bit PV guests
+57dc197cf0d36c56ba1d9d32c6a1454bb52605bb x86/mm: Always set _PAGE_ACCESSED on L4e updates
+910dd005da20f27f3415b7eccdf436874989506b x86/entry: Remove support for partial cpu_user_regs frames
+
+4.9:
+
+dc7d46580d9c633a59be1c3776f79c01dd0cb98b x86: allow Meltdown band-aid to be disabled
+1e0974638d65d9b8acf9ac7511d747188f38bcc3 x86: Meltdown band-aid against malicious 64-bit PV guests
+87ea7816247090e8e5bc5653b16c412943a058b5 x86/mm: Always set _PAGE_ACCESSED on L4e updates
+2213ffe1a2d82c3c9c4a154ea6ee252395aa8693 x86/entry: Remove support for partial cpu_user_regs frames
+
+4.8:
+
+31d38d633a306b2b06767b5a5f5a8a00269f3c92 x86: allow Meltdown band-aid to be disabled
+1ba477bde737bf9b28cc455bef1e9a6bc76d66fc x86: Meltdown band-aid against malicious 64-bit PV guests
+049e2f45bfa488967494466ec6506c3ecae5fe0e x86/mm: Always set _PAGE_ACCESSED on L4e updates
+a7cf0a3b818377a8a49baed3606bfa2f214cd645 x86/entry: Remove support for partial cpu_user_regs frames
+
+4.7:
+
+e19d0af4ee2ae9e42a85db639fd6848e72f5658b x86: allow Meltdown band-aid to be disabled
+e19517a3355acaaa2ff83018bc41e7fd044161e5 x86: Meltdown band-aid against malicious 64-bit PV guests
+9b76908e6e074d7efbeafe6bad066ecc5f3c3c43 x86/mm: Always set _PAGE_ACCESSED on L4e updates
+0e6c6fc449000d97f9fa87ed1fbe23f0cf21406b x86/entry: Remove support for partial cpu_user_regs frames
+
+4.6:
+
+44ad7f6895da9861042d7a41e635d42d83cb2660 x86: allow Meltdown band-aid to be disabled
+91dc902fdf41659c210329d6f6578f8132ee4770 x86: Meltdown band-aid against malicious 64-bit PV guests
+a065841b3ae9f0ef49b9823cd205c79ee0c22b9c x86/mm: Always set _PAGE_ACCESSED on L4e updates
+c6e9e6095669b3c63b92d21fddb326441c73712c x86/entry: Remove support for partial cpu_user_regs frames