xen: patch with XSA-469 #406506

Merged
LeSuisse merged 1 commit into NixOS:master from SigmaSquadron:push-mtkykymvwuyx
May 15, 2025

Conversation

@SigmaSquadron
Contributor

Researchers at VU Amsterdam have released Training Solo, detailing several speculative attacks which bypass current protections.

One issue, which Intel has named Indirect Target Selection, is a bug in the hardware support for prediction-domain isolation. The mitigation for this involves both microcode and software changes in Xen.

For more details, see:

  1. https://vusec.net/projects/training-solo
  2. https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/indirect-target-selection.html

Another issue discussed in the Training Solo paper pertains to classic-BPF. Xen does not have any capability similar to BPF filters, so is not believed to be affected by this issue.

Things done

  • Built on platform(s)
    • x86_64-linux
  • Tested, as applicable:
    • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
    • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.


Researchers at VU Amsterdam have released Training Solo, detailing
several speculative attacks which bypass current protections.

One issue, which Intel has named Indirect Target Selection, is a bug in
the hardware support for prediction-domain isolation.  The mitigation
for this involves both microcode and software changes in Xen.

For more details, see:
1.  https://vusec.net/projects/training-solo
2.  https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/indirect-target-selection.html

Another issue discussed in the Training Solo paper pertains to
classic-BPF.  Xen does not have any capability similar to BPF filters,
so is not believed to be affected by this issue.

Signed-off-by: Fernando Rodrigues <alpha@sigmasquadron.net>
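The description above states that the ITS fix needs both a microcode update and changes in Xen. The first thing a defender deploying this package wants to confirm is whether the kernels on the host even know about the issue, since an older dom0 or guest kernel cannot report on it at all. The following is an added example, not code from this PR, from nixpkgs or from Xen: it audits the Linux kernel's sysfs vulnerability directory on the dom0 (or any Linux guest). The entry name indirect_target_selection is the one Linux uses for this issue; the WATCHLIST, the SAMPLE data and all helper names are constructed for the example. It reports only the kernel's own view and says nothing about the hypervisor's mitigation state, which has to be confirmed from Xen itself.

```python
"""Audit the kernel's view of speculative-execution mitigations from sysfs.

Added example, not part of the nixpkgs PR. A Linux kernel exposes one file per
known CPU vulnerability under /sys/devices/system/cpu/vulnerabilities/; on
kernels that know about Indirect Target Selection the entry is named
indirect_target_selection. This reports only the kernel's own status, not the
state of the XSA-469 fix inside Xen.
"""
import os
from typing import Dict, List

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Entries worth checking after applying the ITS updates (constructed list).
WATCHLIST = ("indirect_target_selection", "spectre_v2", "retbleed")


def classify_status(text: str) -> str:
    """Map one sysfs status line to a coarse verdict.

    The kernel's convention is a line starting with "Not affected",
    "Vulnerable" (optionally followed by details) or "Mitigation: ...".
    Anything else is reported as unknown rather than guessed at.
    """
    line = text.strip()
    if line.startswith("Not affected"):
        return "not-affected"
    if line.startswith("Mitigation:"):
        return "mitigated"
    if line.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def audit(entries: Dict[str, str]) -> Dict[str, str]:
    """Classify every entry; watchlist entries with no file are marked 'absent'.

    An absent indirect_target_selection file means the running kernel predates
    ITS support and cannot tell you whether the CPU is affected.
    """
    verdicts = {name: classify_status(status) for name, status in entries.items()}
    for name in WATCHLIST:
        verdicts.setdefault(name, "absent")
    return verdicts


def needs_attention(verdicts: Dict[str, str]) -> List[str]:
    """Names whose verdict a defender should act on or investigate."""
    return sorted(n for n, v in verdicts.items()
                  if v in ("vulnerable", "absent", "unknown"))


def read_sysfs(path: str = SYSFS_DIR) -> Dict[str, str]:
    """Read the live sysfs directory; empty dict when it is not present."""
    if not os.path.isdir(path):
        return {}
    out: Dict[str, str] = {}
    for name in os.listdir(path):
        try:
            with open(os.path.join(path, name), encoding="utf-8") as fh:
                out[name] = fh.read()
        except OSError:
            continue
    return out


# Constructed sample of what such a directory might contain. It is not
# captured from a real host; only the line format follows the kernel's.
SAMPLE = {
    "indirect_target_selection": "Vulnerable\n",
    "spectre_v2": "Mitigation: Retpolines; IBPB: conditional\n",
    "retbleed": "Not affected\n",
    "meltdown": "Not affected\n",
}

if __name__ == "__main__":
    live = read_sysfs()
    source = live if live else SAMPLE
    verdicts = audit(source)
    for name, verdict in sorted(verdicts.items()):
        print(f"{name:30s} {verdict}")
    print("needs attention:", needs_attention(verdicts))
```

Run it on the dom0 after the update: a "vulnerable" or "absent" verdict for indirect_target_selection means either the microcode half of the fix is missing or the kernel is too old to know about ITS, and both cases deserve a look before trusting the Xen-side patch alone.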
@SigmaSquadron SigmaSquadron added the 1.severity: security Issues which raise a security issue, or PRs that fix one label May 12, 2025
@github-actions github-actions bot added the 6.topic: xen-project Issues and PRs related to the Xen Project Hypervisor. label May 12, 2025
@SigmaSquadron SigmaSquadron requested review from a team, CertainLach, digitalrane and hehongbo May 12, 2025 17:20
@github-actions github-actions bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 11-100 This PR causes between 11 and 100 packages to rebuild on Linux. labels May 12, 2025
@SigmaSquadron
Contributor Author

SigmaSquadron commented May 12, 2025

qemu_xen's fix is in staging-next. htcondor and guestfs have been marked as broken.


nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 406506


x86_64-linux

⏩ 1 package marked as broken and skipped:
  • qubes-core-vchan-xen
❌ 7 packages failed to build:
  • htcondor
  • python313Packages.guestfs
  • python313Packages.guestfs.dist
  • qemu_xen
  • qemu_xen.debug
  • qemu_xen.doc
  • qemu_xen.ga
✅ 57 packages built:
  • appvm
  • collectd
  • diffoscope
  • diffoscope.dist
  • diffoscope.man
  • docker-machine-kvm2
  • fdroidserver
  • fdroidserver.dist
  • gnome-boxes
  • libguestfs
  • libguestfs.guestfsd
  • librenms
  • libvirt
  • libvirt-glib
  • libvirt-glib.dev
  • libvirt-glib.devdoc
  • libvmi
  • libvmi.dev
  • libvmi.lib
  • mgmt
  • minikube
  • multipass
  • perl538Packages.SysVirt
  • perl538Packages.SysVirt.devdoc
  • perl540Packages.SysVirt
  • perl540Packages.SysVirt.devdoc
  • podman-bootc
  • prometheus-libvirt-exporter
  • python312Packages.guestfs
  • python312Packages.guestfs.dist
  • python312Packages.libvirt
  • python312Packages.libvirt.dist
  • xen (python312Packages.xen)
  • xen.boot (python312Packages.xen.boot)
  • xen.dev (python312Packages.xen.dev)
  • xen.doc (python312Packages.xen.doc)
  • xen.man (python312Packages.xen.man)
  • python313Packages.libvirt
  • python313Packages.libvirt.dist
  • python313Packages.xen
  • python313Packages.xen.boot
  • python313Packages.xen.dev
  • python313Packages.xen.doc
  • python313Packages.xen.man
  • rubyPackages.ruby-libvirt (rubyPackages_3_3.ruby-libvirt)
  • rubyPackages_3_1.ruby-libvirt
  • rubyPackages_3_2.ruby-libvirt
  • rubyPackages_3_4.ruby-libvirt
  • vagrant
  • virt-manager
  • virt-manager-qt
  • virt-top
  • virt-v2v
  • virt-viewer
  • virtnbdbackup
  • virtnbdbackup.dist
  • xen-guest-agent

@hehongbo hehongbo added the 12.approvals: 1 This PR was reviewed and approved by one person. label May 13, 2025
Member

@LeSuisse LeSuisse left a comment


The changes look good, there is an approval from a nixpkgs Xen team member, and nixpkgs-review shows no unexpected issues; let's merge.

nixpkgs-review result

Generated using nixpkgs-review.

Command: nixpkgs-review pr 406506


x86_64-linux

⏩ 4 packages marked as broken and skipped:
  • htcondor
  • python313Packages.guestfs
  • python313Packages.guestfs.dist
  • qubes-core-vchan-xen
❌ 4 packages failed to build:
  • qemu_xen
  • qemu_xen.debug
  • qemu_xen.doc
  • qemu_xen.ga
✅ 57 packages built:
  • appvm
  • collectd
  • diffoscope
  • diffoscope.dist
  • diffoscope.man
  • docker-machine-kvm2
  • fdroidserver
  • fdroidserver.dist
  • gnome-boxes
  • libguestfs
  • libguestfs.guestfsd
  • librenms
  • libvirt
  • libvirt-glib
  • libvirt-glib.dev
  • libvirt-glib.devdoc
  • libvmi
  • libvmi.dev
  • libvmi.lib
  • mgmt
  • minikube
  • multipass
  • perl538Packages.SysVirt
  • perl538Packages.SysVirt.devdoc
  • perl540Packages.SysVirt
  • perl540Packages.SysVirt.devdoc
  • podman-bootc
  • prometheus-libvirt-exporter
  • python312Packages.guestfs
  • python312Packages.guestfs.dist
  • python312Packages.libvirt
  • python312Packages.libvirt.dist
  • xen (python312Packages.xen)
  • xen.boot (python312Packages.xen.boot)
  • xen.dev (python312Packages.xen.dev)
  • xen.doc (python312Packages.xen.doc)
  • xen.man (python312Packages.xen.man)
  • python313Packages.libvirt
  • python313Packages.libvirt.dist
  • python313Packages.xen
  • python313Packages.xen.boot
  • python313Packages.xen.dev
  • python313Packages.xen.doc
  • python313Packages.xen.man
  • rubyPackages.ruby-libvirt (rubyPackages_3_3.ruby-libvirt)
  • rubyPackages_3_1.ruby-libvirt
  • rubyPackages_3_2.ruby-libvirt
  • rubyPackages_3_4.ruby-libvirt
  • vagrant
  • virt-manager
  • virt-manager-qt
  • virt-top
  • virt-v2v
  • virt-viewer
  • virtnbdbackup
  • virtnbdbackup.dist
  • xen-guest-agent

@LeSuisse LeSuisse merged commit 9ab6ec2 into NixOS:master May 15, 2025
23 of 24 checks passed
@nixpkgs-ci
Contributor

nixpkgs-ci bot commented May 15, 2025

Backport failed for release-24.11, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release-24.11
git worktree add -d .worktree/backport-406506-to-release-24.11 origin/release-24.11
cd .worktree/backport-406506-to-release-24.11
git switch --create backport-406506-to-release-24.11
git cherry-pick -x c29710d4ad60296481c0702da4790a2250f2a7ed

@SigmaSquadron
Contributor Author

It appears I made an oops and never backported #385642.

Manual backport at #407311.

@SigmaSquadron SigmaSquadron deleted the push-mtkykymvwuyx branch May 15, 2025 10:03