Xen project Mailing List

Re: [Xen-devel] Status of comet-4.10 branch

To: Ian Jackson <ian.jackson@xxxxxxxxxx>

From: Michael Young <m.a.young@xxxxxxxxxxxx>

Date: Fri, 15 Jun 2018 19:26:14 +0100 (BST)

Authentication-results: spf=none (sender IP is ) smtp.mailfrom=m.a.young@xxxxxxxxxxxx;

Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, security@xxxxxxxxxxxxxx

Delivery-date: Fri, 15 Jun 2018 18:26:53 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Spamdiagnosticmetadata: NSPM

Spamdiagnosticoutput: 1:99

On Fri, 15 Jun 2018, Ian Jackson wrote:

In XSA-254, we advertised siome special new branches, comet and vixen,
which were intended to be used as the shim in the PV-in-HVM shim
approaches to XSA-254 mitigation.

With my Debian maintainer hat on, I chose to do that.  (I don't know,
of course, what proportion of Debian users are using shim and what
proportion xpti.)

I am now trying to apply the XSA-267 patches.  It is obvious that the
fix will need to be applied to my 4.10 comet.  But I discover that the
patches do not apply.  Additionally, I would want to apply the XSA-263
patches, so that when microcode appears, XSA-263 is fixes too.

What am I supposed to do ?  There is no useful guidance in XSA-263 or
XSA-267, and there has been no update to XSA-254.  Such an update
should probably be issued.

The right approach to this depends on whether the functionality in the
comet and shim branches is now in released Xen branches.  Should comet
4.10 be retired in favour of stable-4.10 or RELEASE-4.10.1 ?

With my Fedora hat on I decided that most or all of the patches in the comet branch were in 4.10.1 anyway so I dropped my added XSA-254

fixes. For XSA-263 I added 3 extra patches from stable-4.10 to get thos

patches to apply cleanly, and XSA-267 just needs minor changes to the

patch context (this hasn't reached Fedora yet as the build is broken, I

think due to updates to Fedora's acpica-tools package which provides

iasl).

If stable-4.10 is not suitable, then we have a gap and either the
remaining fixes from comet need to be applied to 4.10; or the
intervening XSAs need to be applied to comet.

Similar questions apply for 4.9.1-shim-vixen and 4.8.3pre-shim-comwet.

In any case an update to XSA-254 is needed.

+1 to an update on the status of extra branches for XSA-254. Michael Young _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.