Linux 5.10 Xen Brings Security Updates - Includes Fixing ARM Guests With KPTI

Written by Michael Larabel in Virtualization on 20 October 2020 at 10:00 AM EDT.
The Xen virtualization work for the Linux 5.10 kernel revolves around security.

Last week brought the initial Xen updates for the Linux 5.10 merge window, which consisted primarily of fixes. The main change of note was a temporary fix allowing Xen guests on ARM to work with Kernel Page Table Isolation (KPTI) enabled. A longer-term fix is still being worked on for Xen support in KPTI-enabled ARM environments.

The fix concerns the VCPUOP_register_runstate_memory_area hypercall, which in KPTI-protected guests would be passed an invalid virtual address, so the short-term solution is simply to avoid that call. ARM relies on Kernel Page Table Isolation as part of its mitigation against the Meltdown vulnerability on affected ARM Cortex processors, similar to the better-known usage on Intel processors.

This week brings another pull of Xen changes, and they are security focused. There is a fix for a Xen security issue where malicious guests could cause a denial of service for Dom0 by triggering null pointer dereferences or access to stale data. A larger patch series in this pull addresses malicious guests being able to cause a Dom0 denial of service by sending events at a high frequency that would overwhelm the IRQ handling.