Linux 5.10 Xen Brings Security Updates - Includes Fixing ARM Guests With KPTI
Last week brought the initial Xen updates for the Linux 5.10 merge window, which primarily consisted of fixes. The main change to point out, though, was a temporary fix allowing Xen guests on ARM to work with Kernel Page Table Isolation (KPTI) enabled. A more long-term fix is still being worked on for Xen support in KPTI-enabled ARM environments.
The fix concerns the VCPUOP_register_runstate_memory_area hypercall, which in KPTI-protected guests would be passed an invalid virtual address, so the short-term solution is to just avoid that call. ARM relies on Kernel Page Table Isolation as part of its mitigation against the Meltdown vulnerability on affected ARM Cortex processors, similar to the better-known usage on Intel processors.
Now this week brings another pull of Xen changes, and they are security-focused. There is a fix for a Xen security issue where malicious guests could cause a denial of service for Dom0 by triggering null pointer dereferences or access to stale data. There is also a larger patch series as part of this pull that addresses malicious guests being able to cause a Dom0 denial of service by sending events at a high frequency that would overwhelm the IRQ handling.