From: Hans van Kranenburg Date: Sat, 22 Jun 2019 09:45:34 +0000 (+0200) Subject: Update to 4.11.1+92-g6c33308a8d-2 with MDS documentation X-Git-Tag: archive/raspbian/4.11.3+24-g14b62ab3e5-1+rpi1^2~56 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=9dbca2a5cc4f4333436f7e969178eb1f60e7624f;p=xen.git Update to 4.11.1+92-g6c33308a8d-2 with MDS documentation Following up feedback from the release team, add a NEWS file mentioning the MDS mitigations with some instructions, so that it will be more visible to people using apt-listchanges. Mention the ucode option in our default documented set of "usually used options", so that users doing a new install will get a hint about the existence of this option, and what it does. --- diff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index 0000000000..e32955a161 --- /dev/null +++ b/debian/NEWS @@ -0,0 +1,20 @@ +xen (4.11.1+92-g6c33308a8d-1) unstable; urgency=high + + This update contains the mitigations for the Microarchitectural Data + Sampling speculative side channel attacks. Only Intel based processors are + affected. + + Note that these fixes will only have effect when also loading updated cpu + microcode with MD_CLEAR functionality. When using the intel-microcode + package to include microcode in the dom0 initrd, it has to be loaded by + Xen. Please refer to the hypervisor command line documentation about the + 'ucode=scan' option. + + For the fixes to be fully effective, it is currently also needed to disable + hyper-threading, which can be done in BIOS settings, or by using smt=no on + the hypervisor command line. + + Additional information is available in the upstream Xen security advisory: + https://xenbits.xen.org/xsa/advisory-297.html + + -- Hans van Kranenburg Tue, 18 Jun 2019 09:50:19 +0200 diff --git a/debian/changelog b/debian/changelog index 9c64ee1326..4d2fc62b5b 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,11 @@ +xen (4.11.1+92-g6c33308a8d-2) unstable; urgency=high + + * Mention MDS and the need for updated microcode and disabling + hyper-threading in NEWS. + * Mention the ucode=scan option in the grub.d/xen documentation. + + -- Hans van Kranenburg Sat, 22 Jun 2019 11:15:08 +0200 + xen (4.11.1+92-g6c33308a8d-1) unstable; urgency=high * Update to new upstream version 4.11.1+92-g6c33308a8d, which also diff --git a/debian/tree/xen-hypervisor-common/etc/default/grub.d/xen.cfg b/debian/tree/xen-hypervisor-common/etc/default/grub.d/xen.cfg index e3853c33ca..900c12df5d 100644 --- a/debian/tree/xen-hypervisor-common/etc/default/grub.d/xen.cfg +++ b/debian/tree/xen-hypervisor-common/etc/default/grub.d/xen.cfg @@ -44,6 +44,11 @@ echo "Including Xen overrides from /etc/default/grub.d/xen.cfg" # Do not automatically reboot after an error. This is useful for catching # debug output. # +# ucode=scan (only for x86) +# Scan the multiboot images mentioned in grub configuration for an cpio image +# that contains cpu microcode. This enables loading microcode that is stored +# in the dom0 initrd.img. +# # Please also refer to the "Xen Hypervisor Command Line Options" # documentation for the version of Xen you have installed. This # documentation can be found at https://xenbits.xen.org/
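Review bot: In the new debian/NEWS file, the entry header is stamped `xen (4.11.1+92-g6c33308a8d-1)` and dated 18 Jun 2019, while the changelog in the same patch records the NEWS addition under `-2` on 22 Jun 2019. apt-listchanges selects NEWS entries by version, so a system that already installed `-1` may never be shown this entry, which works against the visibility goal stated in the commit message. Consider versioning the entry as `-2`. The text also tells readers to use `ucode=scan` and `smt=no` "on the hypervisor command line" without saying where that line is configured on Debian; a pointer to /etc/default/grub.d/xen.cfg would make the instruction actionable.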
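Review bot: In the debian/tree/xen-hypervisor-common/etc/default/grub.d/xen.cfg hunk, the added comment reads "for an cpio image", which should be "for a cpio image". The comment also describes `ucode=scan` only as a way to load microcode from the dom0 initrd.img; since the NEWS entry in this patch says the MDS fixes only take effect with updated microcode loaded by Xen, a short mention of that here would tell an administrator reading this file why the option matters.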