Re: Disabling XEN in our configs (used by QEMU and Renesas)


Chris Paterson
 

Hello Pavel,

From: Pavel Machek <pavel@...>
Sent: 17 March 2022 09:58

Hi!

There is a bunch of XEN security fixes in the pipeline:

CVE-2022-23036, CVE-2022-23037, CVE-2022-23038, CVE-2022-23039,
CVE-2022-23040 : Xen: fix race conditions, resulting in potential data
leaks, data corruption, DoS by malicious backends

CVE-2022-23041: Xen: fix race conditions, resulting in potential data
leaks, data corruption, DoS by malicious backends

CVE-2022-23042: Xen: fix race conditions, resulting in potential data
leaks, data corruption, DoS by malicious backends

There's a bunch of patches fixing those, but backporting them to 4.4
would not be exactly easy. Our scripts show XEN as being used, but I
suspect that's a mistake.

Renesas, can you confirm if you are using XEN in your arm64 products?

The renesas_defconfig is largely copied from the upstream arm64 defconfig and the upstream renesas_defconfig [0] used for development.
As both of the above have CONFIG_XEN=y, we do in CIP's copy as well.

[0] https://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel.git/tree/arch/arm64/configs/renesas_defconfig

I will check internally to see if there are any known users for XEN, but bear in mind we are an SoC vendor not a system integrator, so we don’t have direct knowledge of all end users/uses.

If not, it would be good to disable it in the configs.

Makes sense.

Kind regards, Chris


Could we disable XEN in qemu configs? I don't believe it makes much
sense.

./4.19.y-cip/arm64/qemu_arm64_defconfig:CONFIG_XEN=y
./4.19.y-cip/arm64/qemu_arm64_defconfig:CONFIG_XEN_GNTDEV=y
./4.19.y-cip/arm64/qemu_arm64_defconfig:CONFIG_XEN_GRANT_DEV_ALLOC=y
./4.19.y-cip/arm64/renesas_defconfig:CONFIG_XEN=y
./5.10.y-cip/arm64/qemu_arm64_defconfig:CONFIG_XEN=y
./5.10.y-cip/arm64/qemu_arm64_defconfig:CONFIG_XEN_GNTDEV=y
./5.10.y-cip/arm64/qemu_arm64_defconfig:CONFIG_XEN_GRANT_DEV_ALLOC=y
./5.10.y-cip/arm64/renesas_defconfig:CONFIG_XEN=y
./4.19.y-cip-rt/arm64/renesas-rt_defconfig:CONFIG_XEN=y
./5.10.y-cip-rt/arm64/renesas-rt_defconfig:CONFIG_XEN=y

Best regards,
Pavel
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
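
An added example, not part of the original messages and not the CIP project's own scripts: a small audit that reports which defconfigs enable `CONFIG_XEN*` options and produces a copy with them turned off. The function names, the `example_defconfig` entry and the non-Xen lines in the sample are assumptions made for illustration, and only symbols with the `CONFIG_XEN` prefix are considered.

```python
import re

# Any assignment to a CONFIG_XEN* symbol, e.g. CONFIG_XEN=y or CONFIG_XEN_GNTDEV=m.
XEN_OPTION = re.compile(r"^(CONFIG_XEN[A-Z0-9_]*)=(.+)$")

# Constructed sample: the qemu path and Xen option names follow the grep
# listing in the thread; other lines and example_defconfig are made up.
SAMPLE_CONFIGS = {
    "5.10.y-cip/arm64/qemu_arm64_defconfig": (
        "CONFIG_SYSVIPC=y\n"
        "CONFIG_XEN=y\n"
        "CONFIG_VIRTIO_BLK=y\n"
        "CONFIG_XEN_GNTDEV=y\n"
        "CONFIG_XEN_GRANT_DEV_ALLOC=y\n"
    ),
    "5.10.y-cip/arm64/example_defconfig": (
        "CONFIG_SYSVIPC=y\n# CONFIG_XEN is not set\n"
    ),
}


def enabled_xen_options(text):
    """Return {symbol: value} for every Xen option the defconfig turns on."""
    found = {}
    for line in text.splitlines():
        m = XEN_OPTION.match(line.strip())
        if m and m.group(2) != "n":
            found[m.group(1)] = m.group(2)
    return found


def audit(configs):
    """Map each config path to its enabled Xen options, omitting clean files."""
    hits = {path: enabled_xen_options(text) for path, text in configs.items()}
    return {path: opts for path, opts in hits.items() if opts}


def disable_xen(text):
    """Drop all CONFIG_XEN* assignments and record CONFIG_XEN as not set."""
    marker = "# CONFIG_XEN is not set"
    kept = [l for l in text.splitlines() if not XEN_OPTION.match(l.strip())]
    if marker not in kept:
        kept.append(marker)  # explicit; harmless if the symbol defaults to off
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for path, opts in audit(SAMPLE_CONFIGS).items():
        print(path, sorted(opts))
```
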
