Your message dated Fri, 17 Jan 2020 21:17:30 +0000
with message-id <[email protected]>
and subject line Bug#908453: fixed in xen 4.8.5.final+shim4.10.4-1+deb9u12
has caused the Debian Bug report #908453,
regarding xen-utils-common: README.comet seems to no longer apply to the current Xen packages
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
908453: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908453
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: xen-utils-common
Version: 4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9
Severity: important

Dear Maintainer,

   * What led up to the situation?

I needed to build a new Xen DomU.  Since I had seen that Debian had picked
up the 4.8 "comet" changes and pvshim, I wanted to experiment with Xen's PVH
mode and have the DomU run the Linux 4.17 kernel in stretch-backports, which
should be new enough to support PVH.

It seemed like this should work, given instructions in
/usr/share/doc/xen-utils-common/README.comet
-------- 
* Converting a PV config to a PVH config

If you have a kernel capable of booting PVH, then PVH mode is both
faster and more secure than PV or PVH-shim mode.

- Remove any reference to 'builder' (e.g., `builder="generic"`)
- Add the following line:
  type="pvh"
--------


   * What exactly did you do (or not do) that was effective (or
     ineffective)?

I ran xen-create-image (from the xen-tools package) with --dist=stretch to
build the DomU and its configuration.  I also used --pygrub so Xen would
boot the kernel installed in the DomU's filesystem.

I temporarily edited the DomU's Xen/xl configuration to use the pvshim, per
the instructions in README.comet (type = 'pvh' / pvshim = 1), started the
DomU, added the stretch-backports repository, and installed
linux-image-amd64 from backports.  I then shut down the DomU, edited the
DomU's configuration to remove the pvshim = 1 line, and re-started the DomU.


   * What was the outcome of this action?

It appeared the DomU was running in PV mode, despite my having added type =
'pvh' to its Xen/xl configuration.

It was difficult to tell, but I believed the DomU was running in PV mode as
its kernel printed:

 - [    0.000000] Hypervisor detected: Xen PV
 - [    0.000000] Kernel/User page tables isolation: disabled on XEN PV.

Some Internet searching also seemed to indicate that "xl list -l <id>"
should mention "pvh" if the DomU is running in PVH mode.  However, I only
saw:

 - "type": "pv",

There was no mention of "pvh" in the output.


   * What outcome did you expect instead?

I expected the DomU to run in PVH mode.  I wasn't sure what this was
supposed to look like, but I did some experiments (installed the old
4.8.3+comet2+shim4.10.0+comet3-1+deb9u5 packages and worked around
bootloader being broken for PVH) and saw that in fact, with that version of
the Xen packages, the DomU kernel prints:

 - [    0.000000] Hypervisor detected: Xen HVM
 - [    0.000000] Booting paravirtualized kernel on Xen PVH
 - [    0.000000] Kernel/User page tables isolation: enabled

And xl list -l <id> shows:

 - "type": "pvh",


   * More thoughts/discussion.

It looks like the Debian packages lost support for booting DomUs in PVH mode
with version 4.8.3+xsa262+shim4.10.0+comet3-1+deb9u6.  Probably because:

    Update to new upstream version 4.8.3+xsa262+shim4.10.0+comet3.
    (This is the upstream staging-4.8 branch, which is ahead of the
    upstream CI-tested stable-4.8 branch by precisely the three
    most recent XSA fixes.  We are switching away from the special
    upstream 4.8 comet branch.)

And maybe that's fine... if the mitigation comet and the pvshim provided is
also effectively provided by XPTI changes that were present in the
stable-4.8 branch, then I guess it isn't really necessary for anybody to use
(and thus PVH-mode boot) the shim anymore.  However, if that's the case,
then it probably doesn't make sense to include README.comet and continue
packaging the shim in the Debian packages anymore.

The thing that's nefarious (and could be grounds for increasing the bug
severity), is that anybody that followed the README.comet instructions and
configured DomUs to boot a PVH-capable kernel without the shim is now,
probably to their surprise, running their DomU in PV mode.  This means
they've lost Linux's KPTI protections from Meltdown within their DomU.  The
underlying issue is that the xl command seems to silently ignore
configuration directives it doesn't understand--which, without the 4.8
comet2 changes, includes 'type'!

This isn't a huge deal for me and my deployment (at the CMU Computer Club).
Our Xen infrastructure was running jessie/Xen 4.4 at best when the
Meltdown/Spectre news broke.  So our initial mitigation was to switch
everything to run in HVM mode (and we've continued doing so since then).  I
was interested in exploring PVH mode though, since it looked like it was
more similar to PV mode in some ways that would make it work better with
various tooling (e.g., xen-tools).  The fact it didn't work with the Debian
packages the way I thought it would was surprising, and I figured it might
be surprising for other people too.

--Keith Bare


-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-7-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages xen-utils-common depends on:
ii  lsb-base        9.20161125
ii  python          2.7.13-2
ii  ucf             3.0036
ii  udev            232-25+deb9u4
ii  xenstore-utils  4.8.3+xsa267+shim4.10.1+xsa267-1+deb9u9

xen-utils-common recommends no packages.

xen-utils-common suggests no packages.

-- Configuration Files:
/etc/default/xendomains changed [not included]

-- no debconf information

--- End Message ---
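The failure the report describes, a DomU whose config says `type = "pvh"` but which comes up as plain PV because `xl` ignores a directive it does not know, can be caught by comparing three views of the same domain: the xl config (what was requested), the `xl list -l` JSON on the dom0 (what libxl built) and the guest kernel's boot messages (what the kernel believes it runs on). The script below is an added example, not code from the bug report, the Debian packages or Xen. It assumes that `xl list -l` prints a JSON array of objects whose `config.c_info` section carries `name` and `type`; the domain name `stretch-pvh`, the config text, the JSON and the dmesg lines are all constructed here (the dmesg lines mirror the ones quoted in the report), not captured from a host.

```python
"""Does a DomU configured for PVH actually run as PVH?

Added example for the bug report above; not code from Debian or Xen.
Compares the xl config, `xl list -l` output and the guest's boot log, and
flags the reported case: 'type = "pvh"' silently ignored, guest booted PV.
ASSUMPTION: `xl list -l` yields a JSON array of objects whose
config.c_info holds "name" and "type".  All sample data is constructed.
"""
import json
import re

# xl config lines look like `key = value`; a trailing `# comment` is dropped.
# ('#' inside a quoted string is not handled; enough for the keys checked here.)
_KV = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*(?:#.*)?$')


def parse_xl_config(text):
    """Return {key: value}: quoted strings unquoted, digits -> int,
    anything else (lists, expressions) kept as raw text."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
            conf[key] = raw[1:-1]
        elif raw.isdigit():
            conf[key] = int(raw)
        else:
            conf[key] = raw
    return conf


def requested_mode(conf):
    """Mode the config asks for, per README.comet: type="pvh" (plus pvshim=1
    for the shim), type or builder "hvm", otherwise xl's default of PV.
    Returns (mode, warnings)."""
    warnings = []
    typ = str(conf.get("type", "")).lower()
    builder = str(conf.get("builder", "")).lower()
    if typ and builder:
        warnings.append("'builder' still set; README.comet says to remove it with 'type'")
    if typ == "pvh":
        mode = "pvh-shim" if str(conf.get("pvshim", 0)) == "1" else "pvh"
    elif typ == "hvm" or builder == "hvm":
        mode = "hvm"
    else:
        mode = "pv"
    return mode, warnings


def host_mode(xl_list_json, name):
    """c_info.type of domain `name` in `xl list -l` output, or None if absent."""
    for dom in json.loads(xl_list_json):
        c_info = dom.get("config", {}).get("c_info", {})
        if c_info.get("name") == name:
            return str(c_info.get("type", "unknown")).lower()
    return None


def guest_mode(dmesg_lines):
    """Linux prints 'Hypervisor detected: Xen PV' for PV and 'Xen HVM' for
    both HVM and PVH; PVH adds 'Booting paravirtualized kernel on Xen PVH'."""
    text = "\n".join(dmesg_lines)
    if "Booting paravirtualized kernel on Xen PVH" in text:
        return "pvh"
    if re.search(r"Hypervisor detected: Xen PV\b", text):
        return "pv"
    if "Hypervisor detected: Xen HVM" in text:
        return "hvm"
    return "unknown"


# requested mode -> (type libxl should report, what the guest kernel should see).
# With the shim the domain itself is PVH while the kernel inside it runs PV.
EXPECTED = {"pv": ("pv", "pv"), "pvh": ("pvh", "pvh"),
            "pvh-shim": ("pvh", "pv"), "hvm": ("hvm", "hvm")}


def check(conf_text, xl_list_json, name, dmesg_lines):
    """Compare requested, host-reported and guest-observed modes."""
    want, warnings = requested_mode(parse_xl_config(conf_text))
    host, guest = host_mode(xl_list_json, name), guest_mode(dmesg_lines)
    exp_host, exp_guest = EXPECTED[want]
    if host != exp_host:
        warnings.append(f"host reports type={host!r}, expected {exp_host!r}: "
                        "xl probably ignored a directive it does not understand")
    if guest != exp_guest:
        warnings.append(f"guest kernel booted as {guest!r}, expected {exp_guest!r}")
    return {"requested": want, "host": host, "guest": guest,
            "ok": host == exp_host and guest == exp_guest, "warnings": warnings}


# --- constructed samples mirroring the report; not captured from a real host ---
SAMPLE_CONF = '''
# PVH attempt after following README.comet (builder line already removed)
name   = "stretch-pvh"
type   = "pvh"
bootloader = "pygrub"
memory = 1024
disk   = ['phy:/dev/vg0/stretch-pvh-disk,xvda2,w']
'''
SAMPLE_XL_LIST = json.dumps([{"domid": 7, "config": {"c_info": {
    "type": "pv", "name": "stretch-pvh"}}}])
DMESG_PV = ["[    0.000000] Hypervisor detected: Xen PV",
            "[    0.000000] Kernel/User page tables isolation: disabled on XEN PV."]
DMESG_PVH = ["[    0.000000] Hypervisor detected: Xen HVM",
             "[    0.000000] Booting paravirtualized kernel on Xen PVH",
             "[    0.000000] Kernel/User page tables isolation: enabled"]

if __name__ == "__main__":
    for w in check(SAMPLE_CONF, SAMPLE_XL_LIST, "stretch-pvh", DMESG_PV)["warnings"]:
        print("WARNING:", w)
```

On a real dom0 the inputs would come from the domain's config file, `xl list -l <name>` and `xl dmesg`-style capture of the guest's `dmesg` output; the point of the comparison is that a mismatch between what was requested and what the guest kernel reports is the only reliable signal, since the toolstack gives no error for an unknown key.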
--- Begin Message ---
Source: xen
Source-Version: 4.8.5.final+shim4.10.4-1+deb9u12

We believe that the bug you reported is fixed in the latest version of
xen, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ian Jackson <[email protected]> (supplier of updated xen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 10 Jan 2020 17:09:30 +0000
Binary: libxen-4.8 libxen-dev libxenstore3.0 xen-hypervisor-4.8-amd64 xen-hypervisor-4.8-arm64 xen-hypervisor-4.8-armhf xen-system-amd64 xen-system-arm64 xen-system-armhf xen-utils-4.8 xen-utils-common xenstore-utils
Source: xen
Architecture: all amd64 source
Version: 4.8.5.final+shim4.10.4-1+deb9u12
Distribution: stretch-security
Urgency: medium
Maintainer: Debian Xen Team <[email protected]>
Changed-By: Ian Jackson <[email protected]>
Closes: 908453
Description: 
 libxen-4.8 - Public libs for Xen
 libxen-dev - Public headers and libs for Xen
 libxenstore3.0 - Xenstore communications library for Xen
 xen-hypervisor-4.8-amd64 - Xen Hypervisor on AMD64
 xen-hypervisor-4.8-arm64 - Xen Hypervisor on ARM64
 xen-hypervisor-4.8-armhf - Xen Hypervisor on ARMHF
 xen-system-amd64 - Xen System on AMD64 (meta-package)
 xen-system-arm64 - Xen System on ARM64 (meta-package)
 xen-system-armhf - Xen System on ARMHF (meta-package)
 xen-utils-4.8 - XEN administrative tools
 xen-utils-common - Xen administrative tools - common files
 xenstore-utils - Xenstore command line utilities for Xen
Changes:
 xen (4.8.5.final+shim4.10.4-1+deb9u12) stretch-security; urgency=medium
 .
   * *NOTE* this will probably be the *LAST UPDATE* for Xen in Debian 9.x
     (stretch), since this is the last batch of security patches from
     upstream, where Xen 4.8 is out of security support.
 .
   * Update to new upstream final tip of 4.8 stable branch, which I have
     dubbed upstream/stable-4.8.5.final.  And shim 4.10.4.
   * This includes fixes to:
        XSA-311  CVE-2019-19577
        XSA-310  CVE-2019-19580
        XSA-309  CVE-2019-19578
        XSA-308  CVE-2019-19583
        XSA-307  CVE-2019-19581 CVE-2019-19582
        XSA-306  CVE-2019-19579
        XSA-305  CVE-2019-11135
        XSA-304  CVE-2018-12207
        XSA-303  CVE-2019-18422
        XSA-302  CVE-2019-18424
        XSA-301  CVE-2019-18423
        XSA-299  CVE-2019-18421
        XSA-298  CVE-2019-18425
        XSA-297  CVE-2018-12126 CVE-2018-12127 CVE-2018-12130 CVE-2019-11091
        XSA-296  CVE-2019-18420
        XSA-295  CVE-2019-17349 CVE-2019-17350
        XSA-294  CVE-2019-17348
        XSA-293  CVE-2019-17347
        XSA-292  CVE-2019-17346
        XSA-291  CVE-2019-17345
        XSA-290  CVE-2019-17344
        XSA-288  CVE-2019-17343
        XSA-287  CVE-2019-17342
        XSA-285  CVE-2019-17341
        XSA-284  CVE-2019-17340
   * For completeness, the following are not applicable:
        XSA-300  CVE-2019-17351  Bug is in Linux
        XSA-289                  Spectre V1 + L1TF combo; no new fixes
        XSA-283                  Withdrawn XSA number
        XSA-281                  Withdrawn XSA number
   * The following is *not* fixed at this time:
        XSA-286                  Still embargoed.
 .
   * README.comet: remove line about PVH support.
     [Hans van Kranenburg]  Closes:#908453.
Checksums-Sha1: 
 5b1b31e2ea7deaa1c4e0f4cfdcce1110fd6a7897 3142 xen_4.8.5.final+shim4.10.4-1+deb9u12.dsc
 f26af673bc03d6a54750eaf43e975eab4a4c0a4f 4200720 xen_4.8.5.final+shim4.10.4.orig-shim.tar.xz
 7d65e50c786aff9eebecc6e30f3d30d7583468b8 3940796 xen_4.8.5.final+shim4.10.4.orig.tar.xz
 27c2409dfad63e096427f2f322f99c9c288f2adc 59500 xen_4.8.5.final+shim4.10.4-1+deb9u12.debian.tar.xz
 e256dff0cb6959c691cccd4f0f94aff0ad0a70c5 1610722 libxen-4.8-dbgsym_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 52605aca393641b078d0e867c159c29606850fab 413476 libxen-4.8_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 34f842744344404b19a2cfcd7ac8c30194558b81 653432 libxen-dev_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 82292d72ba80f4ab7458da98c7e3550e21b2fd9d 25248 libxenstore3.0-dbgsym_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 2f031abf0e433cd9df81b48419488cf8584cfe34 35608 libxenstore3.0_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 817177fdfff5adf4ede40412494b9fc6d998df3e 2337428 xen-hypervisor-4.8-amd64_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 7c6c6e5a902ce108df0e945ab2e8cdda8148edc2 24624 xen-system-amd64_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 0a6b4becbaa38ef14b4a7a70bc5bc3ee2e693b96 854886 xen-utils-4.8-dbgsym_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 a25f45dca8843cd41be71bd384caae38cb607efd 424814 xen-utils-4.8_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 2439727a38d26ef085b5c901a18d2476c98b1b71 288750 xen-utils-common_4.8.5.final+shim4.10.4-1+deb9u12_all.deb
 095d382c9569147cf6f9aee9222dbf5914237f73 12171 xen_4.8.5.final+shim4.10.4-1+deb9u12_amd64.buildinfo
 ddd8aa5d90cf3c7d34e2006db374b9a7cfe4253c 13370 xenstore-utils-dbgsym_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 8720f5875de6a9734cdcf8dd235a1b041cda1a4f 31384 xenstore-utils_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
Checksums-Sha256: 
 3ad4fb79437429842a2c9b46029f0565f1d53e7231da79dcf59b569975f607d1 3142 xen_4.8.5.final+shim4.10.4-1+deb9u12.dsc
 a25ea110c6676c370426f7f87957999a1e32121e446ec7a26cc779b67c2b9a91 4200720 xen_4.8.5.final+shim4.10.4.orig-shim.tar.xz
 8c9b781c9343e2c4963d4ba46415104e7cbb6714d8d06a6f6bd28d7060392d87 3940796 xen_4.8.5.final+shim4.10.4.orig.tar.xz
 b19abbaf6961b5bf33bae5a6cb6b77c2793491447910f5c8d9475f1252f5fb0e 59500 xen_4.8.5.final+shim4.10.4-1+deb9u12.debian.tar.xz
 964f5965320f806adadb416d998fdccb0f51debcedf60db8aa6fa8281eb2bd77 1610722 libxen-4.8-dbgsym_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 d424985604d793c7f9ec1c52baabe7df1ab4f0552aa9b98ef53add3d24d930a6 413476 libxen-4.8_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 218c5925df8d2f35f197eee7038e89d21a395c08a32d12c61f6a96d30389f70f 653432 libxen-dev_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 82deb5bc7671d4bf2c614788dcf578c93da03bc839f91ad93c07928367348b8e 25248 libxenstore3.0-dbgsym_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 fc69118fe5601c812fc905d23489021b75c1e6d4c69f6fc649dd5dfa3949ac86 35608 libxenstore3.0_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 59b6593b52c4904ac1c196f77dbbf78dd129242cf2276c3a9ce2fc440038d86c 2337428 xen-hypervisor-4.8-amd64_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 10b5dc4292dcb0b03384203974d1ca3e7753acba0e24dd5e36f9eeb4c5f6eee5 24624 xen-system-amd64_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 39023d74e418be3157dc18be5c376cd73c911397d805e4d3b0288e28e34a9413 854886 xen-utils-4.8-dbgsym_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 0f793947d87bc3cc81ddddeed5a2443a3402cab59b4b9594fd2a0dbd5fcaed48 424814 xen-utils-4.8_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 884946690bdcd5a4cc1c8497e2b2a65b84d94ce56ac14d51940c657104d097b0 288750 xen-utils-common_4.8.5.final+shim4.10.4-1+deb9u12_all.deb
 00fbcbfff0720cbbac7da4c0c267531d4dbb10ed2eb2582105aa25653944b94f 12171 xen_4.8.5.final+shim4.10.4-1+deb9u12_amd64.buildinfo
 ddf6cedaf2629e792133d362737e8b69d9182143c3795fda8be9387ccde515a0 13370 xenstore-utils-dbgsym_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 530ebe2cbff0a10671461f382466972a97991d8d833256bcac5e87f2125d17f0 31384 xenstore-utils_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
Files: 
 9c7941741511198360522571ce5ca3d9 3142 kernel optional xen_4.8.5.final+shim4.10.4-1+deb9u12.dsc
 98607d3568409938e6006aee3e88de43 4200720 kernel optional xen_4.8.5.final+shim4.10.4.orig-shim.tar.xz
 33e48954b3a4caba204747f2e875461b 3940796 kernel optional xen_4.8.5.final+shim4.10.4.orig.tar.xz
 b8ce90253ce6e175b832dff4df890020 59500 kernel optional xen_4.8.5.final+shim4.10.4-1+deb9u12.debian.tar.xz
 58650886760999c5f1d170ee8a46f1ce 1610722 debug extra libxen-4.8-dbgsym_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 3c22f09a473578d80ad60bd3ead2d35a 413476 libs optional libxen-4.8_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 c8cde1f4ce7ecf1d624c128bba011358 653432 libdevel optional libxen-dev_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 8848907287446a6b9797b6123d656c04 25248 debug extra libxenstore3.0-dbgsym_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 a7f6463e508c70984a46f3e4cb8c7efa 35608 libs optional libxenstore3.0_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 0863a3a719bb9834c3c4d89fd153f04f 2337428 kernel optional xen-hypervisor-4.8-amd64_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 d82f70963bb718bdb9662ad9b4efa024 24624 kernel optional xen-system-amd64_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 adcfc5039e61cbef0a9e69955c6b9f47 854886 debug extra xen-utils-4.8-dbgsym_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 ca2308b0c71362e71f2a95799cf4a4c9 424814 kernel optional xen-utils-4.8_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 11fcfe38b688cb6a5084938a3896e126 288750 kernel optional xen-utils-common_4.8.5.final+shim4.10.4-1+deb9u12_all.deb
 61cf6c1c5c0333289cddedce1551f134 12171 kernel optional xen_4.8.5.final+shim4.10.4-1+deb9u12_amd64.buildinfo
 6c6b4e600ddbe2a7b6d43190ae28ac15 13370 debug extra xenstore-utils-dbgsym_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb
 659158a7592c5cc356673318a7b31015 31384 admin optional xenstore-utils_4.8.5.final+shim4.10.4-1+deb9u12_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQFUBAEBCAA+FiEEVZrkbC1rbTJl58uh4+M5I0i1DTkFAl4YtIYgHGlqYWNrc29u
QGNoaWFyay5ncmVlbmVuZC5vcmcudWsACgkQ4+M5I0i1DTkmaAgAkB0NoZK0di2p
BiI8mTED+ura16gX1LDyUVET78vRNtAtgcHgDlK5yz1WlGtCTeVFaz1vg9yid0Tt
QyyT33N7eggYxFutQxHxMltKq61CC8T1OzZwSvqAWSicYXVWJqQh0fTKzwzhw7hx
aKWTrs5A8p/EqBpuIk1S6DG9RVMjUbd3FivfaAuQY/izRBpB5esWIl48Ogc8kJPs
KgLYEgK2N7qQ8FBc/SygDtEp9MpfbMEAUM6INNGBEqx0BXpAvz7ocPGf/pNjKdXR
mN1b5jQeFtxtzVJpMf4bxTIPmS/mLPtxLgjsmPHLMH/o3fl7gN/R8tTOCFcsJCxi
2ROjn9R/8w==
=ad9g
-----END PGP SIGNATURE-----

--- End Message ---