author | bsiegert <bsiegert@pkgsrc.org> | 2019-12-07 19:10:08 +0000 |
---|---|---|
committer | bsiegert <bsiegert@pkgsrc.org> | 2019-12-07 19:10:08 +0000 |
commit | 01fdb281412567355effc0161607bde29fbd8f2b (patch) | |
tree | 6ef0c612ce267cc7003817c0be95aa6a11542d14 | |
parent | 51c3d1493f5ca68fad9dcdfbe067673dd10f110f (diff) | |
Pullup ticket #6096 - requested by bouyer
sysutils/xenkernel411: security fix
Revisions pulled up:
- sysutils/xenkernel411/Makefile 1.11
- sysutils/xenkernel411/distinfo 1.8
- sysutils/xenkernel411/patches/patch-XSA306 1.1
---
Module Name: pkgsrc
Committed By: bouyer
Date: Fri Dec 6 17:30:28 UTC 2019
Modified Files:
pkgsrc/sysutils/xenkernel411: Makefile distinfo
Added Files:
pkgsrc/sysutils/xenkernel411/patches: patch-XSA306
Log Message:
Apply upstream patch for XSA306 security issue.
Bump PKGREVISION
-rw-r--r-- | sysutils/xenkernel411/Makefile | 4 | ||||
-rw-r--r-- | sysutils/xenkernel411/distinfo | 3 | ||||
-rw-r--r-- | sysutils/xenkernel411/patches/patch-XSA306 | 69 |
3 files changed, 73 insertions, 3 deletions
diff --git a/sysutils/xenkernel411/Makefile b/sysutils/xenkernel411/Makefile
index e1426bd25f6..b53aa662a06 100644
--- a/sysutils/xenkernel411/Makefile
+++ b/sysutils/xenkernel411/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.8.2.1 2019/11/16 22:10:06 bsiegert Exp $
+# $NetBSD: Makefile,v 1.8.2.2 2019/12/07 19:10:08 bsiegert Exp $
 VERSION= 4.11.2
-PKGREVISION= 2
+PKGREVISION= 3
 DISTNAME= xen-${VERSION}
 PKGNAME= xenkernel411-${VERSION}
 CATEGORIES= sysutils
diff --git a/sysutils/xenkernel411/distinfo b/sysutils/xenkernel411/distinfo
index 2ebc521bc0f..a44a1fb361b 100644
--- a/sysutils/xenkernel411/distinfo
+++ b/sysutils/xenkernel411/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.5.2.1 2019/11/16 22:10:06 bsiegert Exp $
+$NetBSD: distinfo,v 1.5.2.2 2019/12/07 19:10:08 bsiegert Exp $
 SHA1 (xen411/xen-4.11.2.tar.gz) = 82766db0eca7ce65962732af8a31bb5cce1eb7ce
 RMD160 (xen411/xen-4.11.2.tar.gz) = 6dcb1ac3e72381474912607b30b59fa55d87d38b
@@ -10,6 +10,7 @@ SHA1 (patch-XSA299) = beb7ba1a8f9e0adda161c0da725ff053e674067e
 SHA1 (patch-XSA302) = 12fbb7dfea27f53c70c8115487a2e30595549c2b
 SHA1 (patch-XSA304) = f2c22732227e11a3e77c630f0264a689eed53399
 SHA1 (patch-XSA305) = eb5e0096cbf501fcbd7a5c5f9d1f932b557636b6
+SHA1 (patch-XSA306) = f57201b2ae5f6435ce6ba3c6aac3e9e10cdba3fb
 SHA1 (patch-xen_Makefile) = 465388d80de414ca3bb84faefa0f52d817e423a6
 SHA1 (patch-xen_Rules.mk) = c743dc63f51fc280d529a7d9e08650292c171dac
 SHA1 (patch-xen_arch_x86_Rules.mk) = 0bedfc53a128a87b6a249ae04fbdf6a053bfb70b
diff --git a/sysutils/xenkernel411/patches/patch-XSA306 b/sysutils/xenkernel411/patches/patch-XSA306
new file mode 100644
index 00000000000..6d052e5f6a8
--- /dev/null
+++ b/sysutils/xenkernel411/patches/patch-XSA306
@@ -0,0 +1,69 @@
+$NetBSD: patch-XSA306,v 1.1.2.2 2019/12/07 19:10:08 bsiegert Exp $
+
+From: Jan Beulich <jbeulich@suse.com>
+Subject: IOMMU: default to always quarantining PCI devices
+
+XSA-302 relies on the use of libxl's "assignable-add" feature to prepare
+devices to be assigned to untrusted guests.
+
+Unfortunately, this is not considered a strictly required step for
+device assignment. The PCI passthrough documentation on the wiki
+describes alternate ways of preparing devices for assignment, and
+libvirt uses its own ways as well. Hosts where these alternate methods
+are used will still leave the system in a vulnerable state after the
+device comes back from a guest.
+
+Default to always quarantining PCI devices, but provide a command line
+option to revert back to prior behavior (such that people who both
+sufficiently trust their guests and want to be able to use devices in
+Dom0 again after they had been in use by a guest wouldn't need to
+"manually" move such devices back from DomIO to Dom0).
+
+This is XSA-306.
+
+Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Wei Liu <wl@xen.org>
+
+--- xen/drivers/passthrough/iommu.c.orig
++++ xen/drivers/passthrough/iommu.c
+@@ -52,6 +52,7 @@ custom_param("iommu", parse_iommu_param)
+ bool_t __initdata iommu_enable = 1;
+ bool_t __read_mostly iommu_enabled;
+ bool_t __read_mostly force_iommu;
++bool __read_mostly iommu_quarantine = true;
+ bool_t __hwdom_initdata iommu_dom0_strict;
+ bool_t __read_mostly iommu_verbose;
+ bool_t __read_mostly iommu_workaround_bios_bug;
+@@ -99,6 +100,8 @@ static int __init parse_iommu_param(cons
+ else if ( !cmdline_strcmp(s, "force") ||
+ !cmdline_strcmp(s, "required") )
+ force_iommu = val;
++ else if ( !cmdline_strcmp(s, "quarantine") )
++ iommu_quarantine = val;
+ else if ( !cmdline_strcmp(s, "workaround_bios_bug") )
+ iommu_workaround_bios_bug = val;
+ else if ( !cmdline_strcmp(s, "igfx") )
+--- xen/drivers/passthrough/pci.c.orig
++++ xen/drivers/passthrough/pci.c
+@@ -1511,7 +1511,8 @@ int deassign_device(struct domain *d, u1
+ return -ENODEV;
+
+ /* De-assignment from dom_io should de-quarantine the device */
+- target = (pdev->quarantine && pdev->domain != dom_io) ?
++ target = ((pdev->quarantine || iommu_quarantine) &&
++ pdev->domain != dom_io) ?
+ dom_io : hardware_domain;
+
+ while ( pdev->phantom_stride )
+--- xen/include/xen/iommu.h.orig
++++ xen/include/xen/iommu.h
+@@ -29,7 +29,7 @@
+ #include <asm/iommu.h>
+
+ extern bool_t iommu_enable, iommu_enabled;
+-extern bool_t force_iommu, iommu_verbose;
++extern bool force_iommu, iommu_quarantine, iommu_verbose;
+ extern bool_t iommu_workaround_bios_bug, iommu_igfx, iommu_passthrough;
+ extern bool_t iommu_snoop, iommu_qinval, iommu_intremap, iommu_intpost;
+ extern bool_t iommu_hap_pt_share;
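Review bot: Nothing in this pkgsrc change tells xenkernel411 users about the behavioural change the patch introduces: with `bool __read_mostly iommu_quarantine = true;` in iommu.c, the rewritten `target` expression in `deassign_device()` now sends every PCI device released by a guest to `dom_io` rather than back to `hardware_domain`, so devices no longer reappear in Dom0 after a guest has used them unless the new `quarantine` sub-option is turned off. A one-line addition to the commit log or the package's MESSAGE, e.g. `XSA306: PCI devices de-assigned from guests are now quarantined in DomIO by default; the upstream patch adds an iommu= "quarantine" sub-option to restore the previous behaviour`, would make the operational impact visible to admins before they upgrade. As I recall, the upstream XSA-306 patch also documents the option in docs/misc/xen-command-line.markdown; if that hunk was deliberately omitted from this copy, a short note in the patch header saying so would save the next maintainer from assuming the file is incomplete. The new variable is declared `bool` alongside `bool_t` siblings in iommu.c, and the header hunk switches `force_iommu` and `iommu_verbose` to `bool` as well — harmless if `bool_t` is an alias of `bool` in this tree (not visible here), but worth confirming at build time since the remaining `extern bool_t` declarations keep the old spelling. The bodies of `parse_iommu_param()` and `deassign_device()` start and end outside the inner hunks.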