authorbsiegert <bsiegert@pkgsrc.org>2019-12-07 19:10:08 +0000
committerbsiegert <bsiegert@pkgsrc.org>2019-12-07 19:10:08 +0000
commit01fdb281412567355effc0161607bde29fbd8f2b (patch)
tree6ef0c612ce267cc7003817c0be95aa6a11542d14
parent51c3d1493f5ca68fad9dcdfbe067673dd10f110f (diff)
downloadpkgsrc-01fdb281412567355effc0161607bde29fbd8f2b.tar.gz
Pullup ticket #6096 - requested by bouyer
sysutils/xenkernel411: security fix Revisions pulled up: - sysutils/xenkernel411/Makefile 1.11 - sysutils/xenkernel411/distinfo 1.8 - sysutils/xenkernel411/patches/patch-XSA306 1.1 --- Module Name: pkgsrc Committed By: bouyer Date: Fri Dec 6 17:30:28 UTC 2019 Modified Files: pkgsrc/sysutils/xenkernel411: Makefile distinfo Added Files: pkgsrc/sysutils/xenkernel411/patches: patch-XSA306 Log Message: Apply upstream patch for XSA306 security issue. Bump PKGREVISION
-rw-r--r--sysutils/xenkernel411/Makefile4
-rw-r--r--sysutils/xenkernel411/distinfo3
-rw-r--r--sysutils/xenkernel411/patches/patch-XSA30669
3 files changed, 73 insertions, 3 deletions
diff --git a/sysutils/xenkernel411/Makefile b/sysutils/xenkernel411/Makefile
index e1426bd25f6..b53aa662a06 100644
--- a/sysutils/xenkernel411/Makefile
+++ b/sysutils/xenkernel411/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.8.2.1 2019/11/16 22:10:06 bsiegert Exp $
+# $NetBSD: Makefile,v 1.8.2.2 2019/12/07 19:10:08 bsiegert Exp $
VERSION= 4.11.2
-PKGREVISION= 2
+PKGREVISION= 3
DISTNAME= xen-${VERSION}
PKGNAME= xenkernel411-${VERSION}
CATEGORIES= sysutils
diff --git a/sysutils/xenkernel411/distinfo b/sysutils/xenkernel411/distinfo
index 2ebc521bc0f..a44a1fb361b 100644
--- a/sysutils/xenkernel411/distinfo
+++ b/sysutils/xenkernel411/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.5.2.1 2019/11/16 22:10:06 bsiegert Exp $
+$NetBSD: distinfo,v 1.5.2.2 2019/12/07 19:10:08 bsiegert Exp $
SHA1 (xen411/xen-4.11.2.tar.gz) = 82766db0eca7ce65962732af8a31bb5cce1eb7ce
RMD160 (xen411/xen-4.11.2.tar.gz) = 6dcb1ac3e72381474912607b30b59fa55d87d38b
@@ -10,6 +10,7 @@ SHA1 (patch-XSA299) = beb7ba1a8f9e0adda161c0da725ff053e674067e
SHA1 (patch-XSA302) = 12fbb7dfea27f53c70c8115487a2e30595549c2b
SHA1 (patch-XSA304) = f2c22732227e11a3e77c630f0264a689eed53399
SHA1 (patch-XSA305) = eb5e0096cbf501fcbd7a5c5f9d1f932b557636b6
+SHA1 (patch-XSA306) = f57201b2ae5f6435ce6ba3c6aac3e9e10cdba3fb
SHA1 (patch-xen_Makefile) = 465388d80de414ca3bb84faefa0f52d817e423a6
SHA1 (patch-xen_Rules.mk) = c743dc63f51fc280d529a7d9e08650292c171dac
SHA1 (patch-xen_arch_x86_Rules.mk) = 0bedfc53a128a87b6a249ae04fbdf6a053bfb70b
diff --git a/sysutils/xenkernel411/patches/patch-XSA306 b/sysutils/xenkernel411/patches/patch-XSA306
new file mode 100644
index 00000000000..6d052e5f6a8
--- /dev/null
+++ b/sysutils/xenkernel411/patches/patch-XSA306
@@ -0,0 +1,69 @@
+$NetBSD: patch-XSA306,v 1.1.2.2 2019/12/07 19:10:08 bsiegert Exp $
+
+From: Jan Beulich <jbeulich@suse.com>
+Subject: IOMMU: default to always quarantining PCI devices
+
+XSA-302 relies on the use of libxl's "assignable-add" feature to prepare
+devices to be assigned to untrusted guests.
+
+Unfortunately, this is not considered a strictly required step for
+device assignment. The PCI passthrough documentation on the wiki
+describes alternate ways of preparing devices for assignment, and
+libvirt uses its own ways as well. Hosts where these alternate methods
+are used will still leave the system in a vulnerable state after the
+device comes back from a guest.
+
+Default to always quarantining PCI devices, but provide a command line
+option to revert back to prior behavior (such that people who both
+sufficiently trust their guests and want to be able to use devices in
+Dom0 again after they had been in use by a guest wouldn't need to
+"manually" move such devices back from DomIO to Dom0).
+
+This is XSA-306.
+
+Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Wei Liu <wl@xen.org>
+
+--- xen/drivers/passthrough/iommu.c.orig
++++ xen/drivers/passthrough/iommu.c
+@@ -52,6 +52,7 @@ custom_param("iommu", parse_iommu_param)
+ bool_t __initdata iommu_enable = 1;
+ bool_t __read_mostly iommu_enabled;
+ bool_t __read_mostly force_iommu;
++bool __read_mostly iommu_quarantine = true;
+ bool_t __hwdom_initdata iommu_dom0_strict;
+ bool_t __read_mostly iommu_verbose;
+ bool_t __read_mostly iommu_workaround_bios_bug;
+@@ -99,6 +100,8 @@ static int __init parse_iommu_param(cons
+ else if ( !cmdline_strcmp(s, "force") ||
+ !cmdline_strcmp(s, "required") )
+ force_iommu = val;
++ else if ( !cmdline_strcmp(s, "quarantine") )
++ iommu_quarantine = val;
+ else if ( !cmdline_strcmp(s, "workaround_bios_bug") )
+ iommu_workaround_bios_bug = val;
+ else if ( !cmdline_strcmp(s, "igfx") )
+--- xen/drivers/passthrough/pci.c.orig
++++ xen/drivers/passthrough/pci.c
+@@ -1511,7 +1511,8 @@ int deassign_device(struct domain *d, u1
+ return -ENODEV;
+
+ /* De-assignment from dom_io should de-quarantine the device */
+- target = (pdev->quarantine && pdev->domain != dom_io) ?
++ target = ((pdev->quarantine || iommu_quarantine) &&
++ pdev->domain != dom_io) ?
+ dom_io : hardware_domain;
+
+ while ( pdev->phantom_stride )
+--- xen/include/xen/iommu.h.orig
++++ xen/include/xen/iommu.h
+@@ -29,7 +29,7 @@
+ #include <asm/iommu.h>
+
+ extern bool_t iommu_enable, iommu_enabled;
+-extern bool_t force_iommu, iommu_verbose;
++extern bool force_iommu, iommu_quarantine, iommu_verbose;
+ extern bool_t iommu_workaround_bios_bug, iommu_igfx, iommu_passthrough;
+ extern bool_t iommu_snoop, iommu_qinval, iommu_intremap, iommu_intpost;
+ extern bool_t iommu_hap_pt_share;