Difference between revisions of "Xen Project Meltdown and Spectre Technical FAQ"

From Xen
(Where can I find the current patch series that fixes Spectre/SP2)
 
(9 intermediate revisions by one other user not shown)
Line 1: Line 1:
== What is the plan going forward? ==
 
It is still emerging, but we are looking at
 
* [https://lists.xenproject.org/archives/html/xen-devel/2018-01/threads.html#00874 Short Term Plan v2]
 
* [https://lists.xenproject.org/archives/html/xen-devel/2018-01/threads.html#00655 Short Term Plan v1] (superseded by v2)
 
 
 
== Where can I find the current patch series that fixes Meltdown/SP3 ==
 
== Where can I find the current patch series that fixes Meltdown/SP3 ==
   
  +
Please refer to [http://xenbits.xen.org/xsa/advisory-254.html XSA-254] for more details.
For guests with legacy PV kernels which cannot be run in HVM or PVH mode directly, we have developed two "shim" hypervisors that allow PV guests to run in HVM mode or PVH mode. The HVM shim (codenamed
 
"Vixen") is available now (please refer to [http://xenbits.xen.org/xsa/advisory-254.html XSA-254] for more details). We expect to have the PVH shim (codenamed "Comet") available within a few days.
 
 
Released:
 
* '''Vixen''' (see [http://xenbits.xen.org/xsa/advisory-254.html XSA-254])
 
* '''Comet''' (see [http://xenbits.xen.org/xsa/advisory-254.html XSA-254]) - only for Xen 4.10 for now
 
 
Development versions (older and ongoing):
 
* [https://lists.xenproject.org/archives/html/xen-devel/2018-01/threads.html#01057 Comet: Run PV in PVH container] (Citrix)
 
* [https://lists.xenproject.org/archives/html/xen-devel/2018-01/threads.html#00497 Vixen: A PV-in-HVM shim] (Amazon)
 
* [https://lists.xenproject.org/archives/html/xen-devel/2018-01/threads.html#01259 x86: initial simplistic Meltdown mitigation]
 
* ''Note that newer versions of these patches appear at high velocity'': please always check the xen-devel@ archives for the latest version
 
 
Note the following comment in the Vixen series: ''This series is very similar to the PVH series posted by Wei and we have been discussing how to merge efforts. We were hoping to have more time to work this out. I am posting this because I'm fairly confident that this series is complete (all PV instances in EC2 are using this) and others might find it useful. I also wanted to have more of a discussion about the best way to merge and some of the differences in designs.''
 
 
Other related patches under discussion
 
* [https://lists.xenproject.org/archives/html/xen-devel/2018-01/threads.html#00274 x86: Prerequisite work for a Xen KAISER solution] - These patches are presented to start a discussion of the issues and to inform the decision on how to fix the issue for older Xen releases. The series as a whole is not in a suitable state for committing.
 
   
 
== Where can I find the current patch series that fixes Spectre/SP2 ==
 
== Where can I find the current patch series that fixes Spectre/SP2 ==
   
 
See
 
See
* [https://lists.xenproject.org/archives/html/xen-devel/2018-01/threads.html#01156 x86: Mitigations for SP2/CVE-2017-5715/Branch Target Injection]
+
* [https://lists.xenproject.org/archives/html/xen-devel/2018-01/threads.html#02169 x86: Mitigations for SP2/CVE-2017-5715/Branch Target Injection]
 
* [https://lists.xenproject.org/archives/html/xen-devel/2018-01/threads.html#01365 xen/arm64: Branch predictor hardening (XSA-254 variant 2)]
 
* [https://lists.xenproject.org/archives/html/xen-devel/2018-01/threads.html#01365 xen/arm64: Branch predictor hardening (XSA-254 variant 2)]
  +
* [https://lists.xenproject.org/archives/html/xen-devel/2018-01/threads.html#01798 xen/arm32: Branch predictor hardening (XSA-254 variant 2)]
 
* ''Note that newer versions of these patches appear at high velocity'': please always check the xen-devel@ archives for the latest version
 
* ''Note that newer versions of these patches appear at high velocity'': please always check the xen-devel@ archives for the latest version
   
  +
== Is there any practical advice about responding to XSA-254 (also known as the 'Meltdown' and 'Spectre' vulnerabilities)? ==
== Are there any other documents I should read? ==
 
  +
See [[Respond to Meltdown and Spectre]], [https://blog.xenproject.org/2018/01/22/xen-project-spectre-meltdown-faq-jan-22-update/ our FAQ] and [http://xenbits.xen.org/xsa/advisory-254.html XSA 254].
  +
  +
== What are some dependencies between Xen features, guest types and mitigations? ==
   
  +
Please refer to the [https://openxt.atlassian.net/wiki/spaces/DC/pages/397967361/Meltdown+and+Spectre+mitigations+for+Xen+Linux+and+Windows OpenXT] spreadsheet, [https://docs.google.com/spreadsheets/d/1h9z98xW5COh2YuH7nOeTsjLGZ-k_Cl2FmLEiXOyeyZQ/htmlview Meltdown and Spectre Exposure Analysis: Xen, Linux & Windows].
See [[Respond to Meltdown and Spectre]], [https://blog.xenproject.org/2018/01/04/xen-project-spectremeltdown-faq/ Blog FAQ] and [https://lists.xenproject.org/archives/html/xen-devel/2018-01/threads.html#00357 xen-devel@ thread]
 
   
 
[[Category:Security]]
 
[[Category:Security]]

Latest revision as of 14:42, 6 February 2018

Where can I find the current patch series that fixes Meltdown/SP3

Please refer to XSA-254 for more details.

Where can I find the current patch series that fixes Spectre/SP2

See

Is there any practical advice about responding to XSA-254 (also known as the 'Meltdown' and 'Spectre' vulnerabilities)?

See Respond to Meltdown and Spectre, our FAQ and XSA 254.

What are some dependencies between Xen features, guest types and mitigations?

Please refer to the OpenXT spreadsheet, Meltdown and Spectre Exposure Analysis: Xen, Linux & Windows.