spectre/meltdown: Updates planned for *-microcode and xen-hypervisor?

Bug #1741282 reported by Jan Kellermann
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
intel-microcode (Ubuntu) | Fix Released | Undecided | Unassigned |
xen (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

Revision history for this message
Jan Kellermann (jan-kellermann) wrote :
information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :

Hello Jan, the Xen hypervisor is community supported; we can't guarantee that it will be updated for this. The kernel patches to try to mitigate these issues are huge and very complicated -- if they are any indicator of the scale of the Xen patches, it may not be feasible to release updates for these issues.

intel-microcode has been released https://usn.ubuntu.com/usn/usn-3531-1/ but enough people have reported regressions to Intel that we have not yet pushed this update to all users via additional package dependencies. People who already had the package installed should have it now, and we haven't heard many (if any) reports about trouble, but your results may differ. I have not heard any timelines for delivering updated microcode.

I understand the AMD microcode update is coming shortly after AMD signs it.

See https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown for more details.

Thanks

Changed in intel-microcode (Ubuntu):
status: New → Confirmed
Changed in xen (Ubuntu):
status: New → Confirmed
Jan Kellermann (jan-kellermann) wrote :

Hi, we use Ubuntu as Dom0 and like this solution. But we need some information on whether there will be solutions in the near future.

Ubuntu 16.04 uses xen-hypervisor 4.6, so PVH, PVH shim or HVM shim cannot be used.
For 4.6 there is a mitigation, "Xen PTI" (see http://xenbits.xen.org/xsa/xsa254/README.pti).
Will xen-hypervisor 4.6 be updated?

Will xen-hypervisor 4.9 (Ubuntu Bionic) get the patches for PVH, PVH shim or HVM shim?

PVH seems the best solution. Will this be supported by Ubuntu Bionic?

See http://xenbits.xen.org/xsa/advisory-254.html

Best regards

Jan Kellermann (jan-kellermann) wrote :

The patches against Meltdown (Kaiser/PTI) for Xen 4.6 are marked as stable:
https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.6

https://xenbits.xenproject.org/gitweb/?p=xen.git;a=commit;h=c6e9e6095669b3c63b92d21fddb326441c73712c
https://xenbits.xenproject.org/gitweb/?p=xen.git;a=commit;h=a065841b3ae9f0ef49b9823cd205c79ee0c22b9c
https://xenbits.xenproject.org/gitweb/?p=xen.git;a=commit;h=91dc902fdf41659c210329d6f6578f8132ee4770
https://xenbits.xenproject.org/gitweb/?p=xen.git;a=commit;h=44ad7f6895da9861042d7a41e635d42d83cb2660

See http://xenbits.xen.org/xsa/xsa254/README.pti

Will xen-hypervisor 4.6 (Ubuntu LTS Xenial) get these patches?

Will xen-hypervisor 4.9 (Ubuntu LTS Bionic) get the patches for PVH, PVH shim or HVM shim? Or do you plan to change to 4.10 for sustainability?

PVH seems the best solution. Will Ubuntu LTS Bionic support this?

Thank you and best regards.

Leith Bade (ljbade) wrote :
Jan Kellermann (jan-kellermann) wrote :

The patches against Meltdown seem to be committed:
http://changelogs.ubuntu.com/changelogs/pool/main/x/xen/xen_4.9.2-0ubuntu1/changelog

Thank you very much!

Changed in xen (Ubuntu):
status: Confirmed → Fix Released
Changed in intel-microcode (Ubuntu):
status: Confirmed → Fix Released