Port-xen archive


HEADS UP: 32-bit PV guests deprecated upstream



Hello,
with the Xen 4.15.1 release, native 32-bit PV guests have been deprecated,
and are not supported security-wise anymore. With the default config,
only 32-bit PV with the pvshim compatibility layer is supported.
In pkgsrc as of today, the 4.15.1 package still supports native 32-bit PV
guests but this will likely change after pkgsrc-2021Q3 is cut.

In order to switch a guest to pvshim, remove any builder= line, and add

    type="pvh"
    pvshim=1

Note that, about native 32-bit PV guests, Xen says:

    Due to architectural limitations, 32-bit PV guests must be assumed
    to be able to read arbitrary host memory using speculative execution
    attacks. Advisories will continue to be issued for new
    vulnerabilities related to un-shimmed 32-bit PV guests enabling
    denial-of-service attacks or privilege escalation attacks.

-- 
Manuel Bouyer <bouyer%antioche.eu.org@localhost>
     NetBSD: 26 years of experience will always make the difference
--
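
An added example, not part of the original message and not code from Xen or pkgsrc: a small Python check that reads an xl guest config and lists the changes the message describes (remove builder=, set type="pvh", set pvshim=1). The function names and sample configs are constructed for illustration; the config does not show whether the guest kernel is 32-bit, so that remains for the operator to know.

```python
import re

# Scalar `key = value` assignments as used in xl guest config files.
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*;?\s*$')

def parse_xl_cfg(text):
    """Return {key: value} for scalar assignments; the last assignment wins."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # simplification: assumes no '#' inside values
        m = ASSIGN.match(line)
        if m:
            cfg[m.group(1)] = m.group(2).strip("\"'")
    return cfg

def review_guest(text):
    """Classify a guest config and list the edits needed to run it under pvshim.

    Returns (kind, todo); kind is one of "hvm", "pvh", "pvshim", "native-pv".
    """
    cfg = parse_xl_cfg(text)
    gtype, builder = cfg.get("type"), cfg.get("builder")
    if gtype == "hvm" or (gtype is None and builder == "hvm"):
        return "hvm", []              # not a PV guest, nothing to switch
    todo = []
    if builder is not None:
        todo.append("remove builder= line")
    if gtype == "pvh":
        # type="pvh" with pvshim=1 is a PV guest inside the shim;
        # type="pvh" alone is a native PVH guest.
        return ("pvshim" if cfg.get("pvshim") == "1" else "pvh"), todo
    # No type= (xl defaults to PV) or type="pv": guest runs as native PV.
    todo += ['set type="pvh"', "set pvshim=1"]
    return "native-pv", todo

# Constructed sample configs (paths and names are placeholders).
SAMPLE_NATIVE = '''
name = "guest32"
builder = "generic"   # old-style PV builder line
kernel = "/path/to/guest-kernel"
memory = 512
'''
SAMPLE_SHIM = SAMPLE_NATIVE.replace('builder = "generic"', 'type = "pvh"\npvshim = 1')

if __name__ == "__main__":
    for label, sample in (("native", SAMPLE_NATIVE), ("shim", SAMPLE_SHIM)):
        print(label, review_guest(sample))
```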

