From: Ian Jackson Date: Wed, 7 Feb 2018 17:05:53 +0000 (+0000) Subject: Copy README.pti and README.comet from the XSA-254 advisory X-Git-Tag: archive/raspbian/4.8.5+shim4.10.2+xsa282-1+deb9u11+rpi1^2~3 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=632022c1a0bee86d4df58f72836b6384611b05f8;p=xen.git Copy README.pti and README.comet from the XSA-254 advisory We would like these to be installed with the Debian Xen packages because they contain usage instructions too. Signed-off-by: Ian Jackson Gbp-Pq: Name 0029-Copy-README.pti-and-README.comet-from-the-XSA-254-ad.patch --- diff --git a/README.comet b/README.comet new file mode 100644 index 0000000000..1f27f93d17 --- /dev/null +++ b/README.comet @@ -0,0 +1,96 @@ + PV-in-PVH shim + ============== + +Summary +------- + +This README describes one of three mitigation strategies for Meltdown. + +The basic principle is to run PV guests (which can read all of host +memory due to the hardware bugs) as PVH guests (which cannot, at least +not due to Meltdown). The PV environment is still provided to the +guest by an embedded copy of Xen, the "shim". This version of the +shim is codenamed "Comet". + +Unlike Vixen, Comet requires modifications to the toolstack and host +hypervisor. + +Note that both of these shim-based approaches prevent attacks on the +host, but leave the guest vulnerable to Meltdown attacks by its own +unprivileged processes; this is true even if the guest OS has KPTI or +similar Meltdown mitigation. + +Versions for Xen 4.8 and 4.10 are available. + +What you will need +------------------ + + * You will need the xen.git with the following tags: + - For 4.10: 4.10.0-shim-comet-3 + - For 4.8: 4.8.3pre-shim-comet-2 and 4.10.0-shim-comet-3 + +Build instructions: 4.10 +------------------------ + +1. Build a 4.10+ system + git clone git://xenbits.xenproject.org/xen.git xen.git + cd xen.git + git checkout 4.10.0-shim-comet-3 + +Do a build and install as normal. The shim will be built as part of the +normal build process, and placed with other 'system' binaries where the +toostack knows how to find it. + +Build instructions: 4.8 +----------------------- + +The code for shim itself is not backported to 4.8. 4.8 users should +use a shim built from 4.10-based source code; this can be simply +dropped into a Xen 4.8 installation. + +1. Build a 4.8+ system with support for running PVH, and for pvshim: + + git clone git://xenbits.xenproject.org/xen.git xen.git + cd xen.git + git checkout 4.8.3pre-shim-comet-2 + + Do a build and install as normal. + +2. Build a 4.10+ system to be the shim: + + git clone git://xenbits.xenproject.org/xen.git xen.git + cd xen.git + git checkout 4.10.0-shim-comet-3 + ./configure + make -C tools/firmware/xen-dir + + And then install the shim executable where + the 4.8 pv shim mode tools expect to find it + + cp tools/firmware/xen-dir/xen-shim /usr/lib/xen/boot/xen-shim + cp tools/firmware/xen-dir/xen-shim /usr/local/lib/xen/boot/xen-shim + + This step is only needed to boot guests in "PVH with PV shim" + mode; it is not needed when booting PVH-supporting guests as PVH. + + +Usage instructions +------------------ + +* Converting a PV config to a PVH shim config + +- Remove any reference to 'builder' (e.g., `builder="generic"`) +- Add the following two lines: + type="pvh" + pvshim=1 + +* Converting a PV config to a PVH config + +If you have a kernel capable of booting PVH, then PVH mode is both +faster and more secure than PV or PVH-shim mode. + +- Remove any reference to 'builder' (e.g., `builder="generic"`) +- Add the following line: + type="pvh" + +* There is no need to reboot the host. diff --git a/README.pti b/README.pti new file mode 100644 index 0000000000..227058fdd1 --- /dev/null +++ b/README.pti @@ -0,0 +1,48 @@ + Xen page-table isolation (XPTI) + =============================== + +Summary +------- + +This README gives references for one of three mitigation strategies +for Meltdown. + +This series is a first-class migitation pagetable isolation series for +Xen. It is available for Xen 4.6 to Xen 4.10 and later. + +Precise git commits are as follows: + +4.10: + +7cccd6f748ec724cf9408cec6b3ec8e54a8a2c1f x86: allow Meltdown band-aid to be disabled +234f481337ea1a93db968d614649a6bdfdc8418a x86: Meltdown band-aid against malicious 64-bit PV guests +57dc197cf0d36c56ba1d9d32c6a1454bb52605bb x86/mm: Always set _PAGE_ACCESSED on L4e updates +910dd005da20f27f3415b7eccdf436874989506b x86/entry: Remove support for partial cpu_user_regs frames + +4.9: + +dc7d46580d9c633a59be1c3776f79c01dd0cb98b x86: allow Meltdown band-aid to be disabled +1e0974638d65d9b8acf9ac7511d747188f38bcc3 x86: Meltdown band-aid against malicious 64-bit PV guests +87ea7816247090e8e5bc5653b16c412943a058b5 x86/mm: Always set _PAGE_ACCESSED on L4e updates +2213ffe1a2d82c3c9c4a154ea6ee252395aa8693 x86/entry: Remove support for partial cpu_user_regs frames + +4.8: + +31d38d633a306b2b06767b5a5f5a8a00269f3c92 x86: allow Meltdown band-aid to be disabled +1ba477bde737bf9b28cc455bef1e9a6bc76d66fc x86: Meltdown band-aid against malicious 64-bit PV guests +049e2f45bfa488967494466ec6506c3ecae5fe0e x86/mm: Always set _PAGE_ACCESSED on L4e updates +a7cf0a3b818377a8a49baed3606bfa2f214cd645 x86/entry: Remove support for partial cpu_user_regs frames + +4.7: + +e19d0af4ee2ae9e42a85db639fd6848e72f5658b x86: allow Meltdown band-aid to be disabled +e19517a3355acaaa2ff83018bc41e7fd044161e5 x86: Meltdown band-aid against malicious 64-bit PV guests +9b76908e6e074d7efbeafe6bad066ecc5f3c3c43 x86/mm: Always set _PAGE_ACCESSED on L4e updates +0e6c6fc449000d97f9fa87ed1fbe23f0cf21406b x86/entry: Remove support for partial cpu_user_regs frames + +4.6: + +44ad7f6895da9861042d7a41e635d42d83cb2660 x86: allow Meltdown band-aid to be disabled +91dc902fdf41659c210329d6f6578f8132ee4770 x86: Meltdown band-aid against malicious 64-bit PV guests +a065841b3ae9f0ef49b9823cd205c79ee0c22b9c x86/mm: Always set _PAGE_ACCESSED on L4e updates +c6e9e6095669b3c63b92d21fddb326441c73712c x86/entry: Remove support for partial cpu_user_regs frames