[pkgsrc/trunk]: pkgsrc/sysutils/xenkernel411 Apply upstream patch for XSA306 ...
details: https://anonhg.NetBSD.org/pkgsrc/rev/b07518ce30d6
branches: trunk
changeset: 345220:b07518ce30d6
user: bouyer <bouyer%pkgsrc.org@localhost>
date: Fri Dec 06 17:30:28 2019 +0000
description:
Apply upstream patch for XSA306 security issue.
Bump PKGREVISION
diffstat:
sysutils/xenkernel411/Makefile | 4 +-
sysutils/xenkernel411/distinfo | 3 +-
sysutils/xenkernel411/patches/patch-XSA306 | 69 ++++++++++++++++++++++++++++++
3 files changed, 73 insertions(+), 3 deletions(-)
diffs (103 lines):
diff -r d6a93233af29 -r b07518ce30d6 sysutils/xenkernel411/Makefile
--- a/sysutils/xenkernel411/Makefile Fri Dec 06 16:37:52 2019 +0000
+++ b/sysutils/xenkernel411/Makefile Fri Dec 06 17:30:28 2019 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.10 2019/11/13 15:00:06 bouyer Exp $
+# $NetBSD: Makefile,v 1.11 2019/12/06 17:30:28 bouyer Exp $
VERSION= 4.11.2
-PKGREVISION= 2
+PKGREVISION= 3
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel411-${VERSION}
CATEGORIES= sysutils
diff -r d6a93233af29 -r b07518ce30d6 sysutils/xenkernel411/distinfo
--- a/sysutils/xenkernel411/distinfo Fri Dec 06 16:37:52 2019 +0000
+++ b/sysutils/xenkernel411/distinfo Fri Dec 06 17:30:28 2019 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.7 2019/11/13 15:00:06 bouyer Exp $
+$NetBSD: distinfo,v 1.8 2019/12/06 17:30:28 bouyer Exp $
SHA1 (xen411/xen-4.11.2.tar.gz) = 82766db0eca7ce65962732af8a31bb5cce1eb7ce
RMD160 (xen411/xen-4.11.2.tar.gz) = 6dcb1ac3e72381474912607b30b59fa55d87d38b
@@ -10,6 +10,7 @@
SHA1 (patch-XSA302) = 12fbb7dfea27f53c70c8115487a2e30595549c2b
SHA1 (patch-XSA304) = f2c22732227e11a3e77c630f0264a689eed53399
SHA1 (patch-XSA305) = eb5e0096cbf501fcbd7a5c5f9d1f932b557636b6
+SHA1 (patch-XSA306) = f57201b2ae5f6435ce6ba3c6aac3e9e10cdba3fb
SHA1 (patch-xen_Makefile) = 465388d80de414ca3bb84faefa0f52d817e423a6
SHA1 (patch-xen_Rules.mk) = c743dc63f51fc280d529a7d9e08650292c171dac
SHA1 (patch-xen_arch_x86_Rules.mk) = 0bedfc53a128a87b6a249ae04fbdf6a053bfb70b
diff -r d6a93233af29 -r b07518ce30d6 sysutils/xenkernel411/patches/patch-XSA306
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sysutils/xenkernel411/patches/patch-XSA306 Fri Dec 06 17:30:28 2019 +0000
@@ -0,0 +1,69 @@
+$NetBSD: patch-XSA306,v 1.1 2019/12/06 17:30:28 bouyer Exp $
+
+From: Jan Beulich <jbeulich%suse.com@localhost>
+Subject: IOMMU: default to always quarantining PCI devices
+
+XSA-302 relies on the use of libxl's "assignable-add" feature to prepare
+devices to be assigned to untrusted guests.
+
+Unfortunately, this is not considered a strictly required step for
+device assignment. The PCI passthrough documentation on the wiki
+describes alternate ways of preparing devices for assignment, and
+libvirt uses its own ways as well. Hosts where these alternate methods
+are used will still leave the system in a vulnerable state after the
+device comes back from a guest.
+
+Default to always quarantining PCI devices, but provide a command line
+option to revert back to prior behavior (such that people who both
+sufficiently trust their guests and want to be able to use devices in
+Dom0 again after they had been in use by a guest wouldn't need to
+"manually" move such devices back from DomIO to Dom0).
+
+This is XSA-306.
+
+Reported-by: Marek Marczykowski-Górecki <marmarek%invisiblethingslab.com@localhost>
+Signed-off-by: Jan Beulich <jbeulich%suse.com@localhost>
+Reviewed-by: Wei Liu <wl%xen.org@localhost>
+
+--- xen/drivers/passthrough/iommu.c.orig
++++ xen/drivers/passthrough/iommu.c
+@@ -52,6 +52,7 @@ custom_param("iommu", parse_iommu_param)
+ bool_t __initdata iommu_enable = 1;
+ bool_t __read_mostly iommu_enabled;
+ bool_t __read_mostly force_iommu;
++bool __read_mostly iommu_quarantine = true;
+ bool_t __hwdom_initdata iommu_dom0_strict;
+ bool_t __read_mostly iommu_verbose;
+ bool_t __read_mostly iommu_workaround_bios_bug;
+@@ -99,6 +100,8 @@ static int __init parse_iommu_param(cons
+ else if ( !cmdline_strcmp(s, "force") ||
+ !cmdline_strcmp(s, "required") )
+ force_iommu = val;
++ else if ( !cmdline_strcmp(s, "quarantine") )
++ iommu_quarantine = val;
+ else if ( !cmdline_strcmp(s, "workaround_bios_bug") )
+ iommu_workaround_bios_bug = val;
+ else if ( !cmdline_strcmp(s, "igfx") )
+--- xen/drivers/passthrough/pci.c.orig
++++ xen/drivers/passthrough/pci.c
+@@ -1511,7 +1511,8 @@ int deassign_device(struct domain *d, u1
+ return -ENODEV;
+
+ /* De-assignment from dom_io should de-quarantine the device */
+- target = (pdev->quarantine && pdev->domain != dom_io) ?
++ target = ((pdev->quarantine || iommu_quarantine) &&
++ pdev->domain != dom_io) ?
+ dom_io : hardware_domain;
+
+ while ( pdev->phantom_stride )
+--- xen/include/xen/iommu.h.orig
++++ xen/include/xen/iommu.h
+@@ -29,7 +29,7 @@
+ #include <asm/iommu.h>
+
+ extern bool_t iommu_enable, iommu_enabled;
+-extern bool_t force_iommu, iommu_verbose;
++extern bool force_iommu, iommu_quarantine, iommu_verbose;
+ extern bool_t iommu_workaround_bios_bug, iommu_igfx, iommu_passthrough;
+ extern bool_t iommu_snoop, iommu_qinval, iommu_intremap, iommu_intpost;
+ extern bool_t iommu_hap_pt_share;
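Review bot: The new `iommu_quarantine = true` default changes what happens to a device deassigned from a guest — the pci.c hunk now picks `dom_io` as the target whenever `pdev->domain != dom_io`, and only the Xen command-line `iommu` sub-option added in the iommu.c hunk (`quarantine`, presumably negated via the parser's existing `no-` prefix, which is not visible here) restores the previous return-to-hardware-domain behaviour — yet the imported patch carries no user-facing documentation of this. I would add a line under the `$NetBSD` header of patch-XSA306 such as `XSA-306: PCI devices deassigned from a guest now stay quarantined in DomIO by default; the Xen "iommu" quarantine sub-option reverts to the old behaviour` and mention the behavioural change in the commit description, since operators who reuse passthrough devices in Dom0 will see them disappear after this update. The iommu.h hunk redeclares `force_iommu` as `bool` while its definition in the iommu.c hunk stays `bool_t`; that is only consistent if `bool_t` is a typedef of `bool` in this tree, which I believe holds for 4.11 but is worth confirming at build time. `deassign_device` begins before and ends after the pci.c hunk.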