From publicity-bounces@lists.xenproject.org Wed Oct 01 10:00:15 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Wed, 01 Oct 2014 10:00:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZGhj-0003Ya-FG; Wed, 01 Oct 2014 10:00:15 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZGhh-0003YR-7v for publicity@lists.xenproject.org; Wed, 01 Oct 2014 10:00:13 +0000 Received: from [85.158.137.68:24747] by server-1.bemta-3.messagelabs.com id 15/3C-30185-CA0DB245; Wed, 01 Oct 2014 10:00:12 +0000 X-Env-Sender: lars.kurth.xen@gmail.com X-Msg-Ref: server-10.tower-31.messagelabs.com!1412157608!10783134!1 X-Originating-IP: [209.85.212.170] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 11048 invoked from network); 1 Oct 2014 10:00:09 -0000 Received: from mail-wi0-f170.google.com (HELO mail-wi0-f170.google.com) (209.85.212.170) by server-10.tower-31.messagelabs.com with RC4-SHA encrypted SMTP; 1 Oct 2014 10:00:09 -0000 Received: by mail-wi0-f170.google.com with SMTP id hi2so143045wib.3 for ; Wed, 01 Oct 2014 03:00:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=yJip7uOy50qz3Fb/T3pANXYy/SjaF0wbd76OCqwU3NE=; b=vJG3gdDvC/DgocGY17oZHL4XinvX2W8cUok3jEes/L0rNhUMlvaVvvUtGrgprWcV11 8++Njy69KCYGZoRu/J8Zv/JQXSPpnZYsPXkpxU3NjacSVFMd9f5bokz77bH0M9UY3CI4 1nxKhuev50iQlJmfg0eEk987FYVMMW5vCb+X+FR8nFODCmdK7SqSahuj1vxRbF1LSsEY xH2sEmAz6uVTre7YJVIU17xKu29sYfo0nuydZYCzvuHA7Kkvp4rhyZpzSk0s18+pQGpH Xz5DyXx6OEXHHbRBVdKXZvqjzu3LSY+sfyQhacIg9BD7XtSF7Q18qzTr+JrSGXNe2PRW R+OA== X-Received: by 10.180.96.161 with SMTP id dt1mr12756713wib.1.1412157608645; Wed, 01 Oct 2014 03:00:08 -0700 (PDT) Received: from [192.168.0.25] (97e553ce.skybroadband.com. [151.229.83.206]) by mx.google.com with ESMTPSA id q5sm561606wja.49.2014.10.01.03.00.07 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 01 Oct 2014 03:00:07 -0700 (PDT) Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\)) From: Lars Kurth In-Reply-To: <542AE2FE.2070807@eu.citrix.com> Date: Wed, 1 Oct 2014 11:00:05 +0100 Message-Id: <4F100AC9-4B9F-44AF-89E6-7BF0B0C8C012@gmail.com> References: <542AE2FE.2070807@eu.citrix.com> To: George Dunlap X-Mailer: Apple Mail (2.1878.6) Cc: "kbsingh@karan.org" , "publicity@lists.xenproject.org" Subject: Re: [Publicity] FOSDEM talk on CentOS SIGs X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="windows-1252" Content-Transfer-Encoding: quoted-printable Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org I think this is good. I would appreciate KB=92s perspective. I think it is = likely that the talk will be rejected though (or bounced to the distro devr= oom) It=92s not normally a topic for the main track Lars On 30 Sep 2014, at 18:06, George Dunlap wrote: > Below is a draft of my submission to FOSDEM for a main track talk on Cent= OS SIGs. Let me know what you think -- the deadline for submission is tomo= rrow. > = > Peace, > -George > = > = > = > * CentOS SIGs: Community packages on an immutable core > = > CentOS is a "distribution" with a rather unique description: it is a free= (gratis) clone of a commercially-supported distribution with all the brand= ing removed. Being Probably say Linux =93distribution" > enterprise-grade distribution means solid, well-tested, and slow-moving; = but it also means not having the latest functionality. It also means havin= g a small enough I would take out slow-moving as it duplicates what you say afterwards It also means used twice > feature set to provide commercial support in a viable manner: and that ty= pically means choosing one technology and sticking with it. > = > But what if you wanted your entire system to be solid, well-tested, and s= low-moving, *except* for one particular package or program? Or what if you= really wanted an How about =93=85 solid and well-tested and add the latest functionality for= one particular =85=94 > enterprise system, but wanted to use one of the alternate technoloies tha= t were not selected? > = > This is where CentOS SIGs come in. The new CentOS is still at its core a= clone of an upstream enterprise distribution. But having had success with= the Xen4CentOS project, which provided a version of Xen to run on CentOS 6= , they have now generalized the process. > = > This talk will talk about CentOS SIGs, and compare and contrast them to o= ther community distro development models like Fedora, OpenSuSE, Debian, Ubu= ntu, and so forth. I would also add: we will also share lessons from the CentOS Virt SIG, in w= hich a number of virtualisation and related technologies such as Xen, oVirt= , Docker and others collaborate Regards Lars _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Wed Oct 01 10:00:15 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Wed, 01 Oct 2014 10:00:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZGhj-0003Ya-FG; Wed, 01 Oct 2014 10:00:15 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZGhh-0003YR-7v for publicity@lists.xenproject.org; Wed, 01 Oct 2014 10:00:13 +0000 Received: from [85.158.137.68:24747] by server-1.bemta-3.messagelabs.com id 15/3C-30185-CA0DB245; Wed, 01 Oct 2014 10:00:12 +0000 X-Env-Sender: lars.kurth.xen@gmail.com X-Msg-Ref: server-10.tower-31.messagelabs.com!1412157608!10783134!1 X-Originating-IP: [209.85.212.170] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 11048 invoked from network); 1 Oct 2014 10:00:09 -0000 Received: from mail-wi0-f170.google.com (HELO mail-wi0-f170.google.com) (209.85.212.170) by server-10.tower-31.messagelabs.com with RC4-SHA encrypted SMTP; 1 Oct 2014 10:00:09 -0000 Received: by mail-wi0-f170.google.com with SMTP id hi2so143045wib.3 for ; Wed, 01 Oct 2014 03:00:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=yJip7uOy50qz3Fb/T3pANXYy/SjaF0wbd76OCqwU3NE=; b=vJG3gdDvC/DgocGY17oZHL4XinvX2W8cUok3jEes/L0rNhUMlvaVvvUtGrgprWcV11 8++Njy69KCYGZoRu/J8Zv/JQXSPpnZYsPXkpxU3NjacSVFMd9f5bokz77bH0M9UY3CI4 1nxKhuev50iQlJmfg0eEk987FYVMMW5vCb+X+FR8nFODCmdK7SqSahuj1vxRbF1LSsEY xH2sEmAz6uVTre7YJVIU17xKu29sYfo0nuydZYCzvuHA7Kkvp4rhyZpzSk0s18+pQGpH Xz5DyXx6OEXHHbRBVdKXZvqjzu3LSY+sfyQhacIg9BD7XtSF7Q18qzTr+JrSGXNe2PRW R+OA== X-Received: by 10.180.96.161 with SMTP id dt1mr12756713wib.1.1412157608645; Wed, 01 Oct 2014 03:00:08 -0700 (PDT) Received: from [192.168.0.25] (97e553ce.skybroadband.com. [151.229.83.206]) by mx.google.com with ESMTPSA id q5sm561606wja.49.2014.10.01.03.00.07 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 01 Oct 2014 03:00:07 -0700 (PDT) Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\)) From: Lars Kurth In-Reply-To: <542AE2FE.2070807@eu.citrix.com> Date: Wed, 1 Oct 2014 11:00:05 +0100 Message-Id: <4F100AC9-4B9F-44AF-89E6-7BF0B0C8C012@gmail.com> References: <542AE2FE.2070807@eu.citrix.com> To: George Dunlap X-Mailer: Apple Mail (2.1878.6) Cc: "kbsingh@karan.org" , "publicity@lists.xenproject.org" Subject: Re: [Publicity] FOSDEM talk on CentOS SIGs X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="windows-1252" Content-Transfer-Encoding: quoted-printable Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org I think this is good. I would appreciate KB=92s perspective. I think it is = likely that the talk will be rejected though (or bounced to the distro devr= oom) It=92s not normally a topic for the main track Lars On 30 Sep 2014, at 18:06, George Dunlap wrote: > Below is a draft of my submission to FOSDEM for a main track talk on Cent= OS SIGs. Let me know what you think -- the deadline for submission is tomo= rrow. > = > Peace, > -George > = > = > = > * CentOS SIGs: Community packages on an immutable core > = > CentOS is a "distribution" with a rather unique description: it is a free= (gratis) clone of a commercially-supported distribution with all the brand= ing removed. Being Probably say Linux =93distribution" > enterprise-grade distribution means solid, well-tested, and slow-moving; = but it also means not having the latest functionality. It also means havin= g a small enough I would take out slow-moving as it duplicates what you say afterwards It also means used twice > feature set to provide commercial support in a viable manner: and that ty= pically means choosing one technology and sticking with it. > = > But what if you wanted your entire system to be solid, well-tested, and s= low-moving, *except* for one particular package or program? Or what if you= really wanted an How about =93=85 solid and well-tested and add the latest functionality for= one particular =85=94 > enterprise system, but wanted to use one of the alternate technoloies tha= t were not selected? > = > This is where CentOS SIGs come in. The new CentOS is still at its core a= clone of an upstream enterprise distribution. But having had success with= the Xen4CentOS project, which provided a version of Xen to run on CentOS 6= , they have now generalized the process. > = > This talk will talk about CentOS SIGs, and compare and contrast them to o= ther community distro development models like Fedora, OpenSuSE, Debian, Ubu= ntu, and so forth. I would also add: we will also share lessons from the CentOS Virt SIG, in w= hich a number of virtualisation and related technologies such as Xen, oVirt= , Docker and others collaborate Regards Lars _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 14:49:43 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 14:49:43 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZhhP-0001jq-6a; Thu, 02 Oct 2014 14:49:43 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZhhN-0001jg-PO for publicity@lists.xenproject.org; Thu, 02 Oct 2014 14:49:41 +0000 Received: from [85.158.139.211:2165] by server-6.bemta-5.messagelabs.com id E4/C3-06284-5066D245; Thu, 02 Oct 2014 14:49:41 +0000 X-Env-Sender: George.Dunlap@citrix.com X-Msg-Ref: server-13.tower-206.messagelabs.com!1412261378!11681206!1 X-Originating-IP: [66.165.176.89] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni44OSA9PiAyMDMwMDc=\n X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 19431 invoked from network); 2 Oct 2014 14:49:40 -0000 Received: from smtp.citrix.com (HELO SMTP.CITRIX.COM) (66.165.176.89) by server-13.tower-206.messagelabs.com with RC4-SHA encrypted SMTP; 2 Oct 2014 14:49:40 -0000 X-IronPort-AV: E=Sophos;i="5.04,638,1406592000"; d="scan'208";a="177505094" Received: from ukmail1.uk.xensource.com (10.80.16.128) by smtprelay.citrix.com (10.13.107.80) with Microsoft SMTP Server id 14.3.181.6; Thu, 2 Oct 2014 10:49:08 -0400 Received: from elijah.uk.xensource.com ([10.80.2.24]) by ukmail1.uk.xensource.com with esmtp (Exim 4.69) (envelope-from ) id 1XZhgq-0005ox-J2; Thu, 02 Oct 2014 15:49:08 +0100 Message-ID: <542D65BE.8000604@eu.citrix.com> Date: Thu, 2 Oct 2014 15:48:30 +0100 From: George Dunlap User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1 MIME-Version: 1.0 To: "publicity@lists.xenproject.org" , Andrew Halley X-DLP: MIA1 Subject: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org Hey all, Below is a more technical draft blog post in response to the recent media flurry about XSA-108. If you've updated your blog logins you can also preview the post here: https://blog.xenproject.org/?p=10093&preview=true Let me know if you have any feedback! -George XSA-108: Not the disaster you're looking for There has an unusual amount of media attention to XSA-108, whose embargo period ended Wednesday -- far more than any of the previous 107 vulnerabilities the Xen Project has reported. It began when a blogger noticed that Amazon was telling customers it would be rebooting VMs in certain regions before a specific date -- a date which happened to coincide with the release of XSA-108. He conjectured that the reboots had something to do with that, and further conjectured that, because of the major impact to customers of rebooting, that it must be something very big and important, similar to the recent Heartbleed and Shell Shock vulnerabilities. Amazon confirmed that the reboots had to do with XSA-108, but could say nothing else because of the security embargo. Unfortunately, because of the nature of embargoes, nobody with any actual knowledge of the vulnerability was allowed to say anything about it, and so the media was entirely free to speculate without any actual facts getting in the way. Now that the embargo has lifted, we can talk in detail about the vulnerability; and I'm afraid that people looking for another Shell Shock or Heartbleed are going to be disappointed.

What is the vulnerability?

XSA-108 has to do with the emulation of a piece of hardware called an x2apic. x2apic is an interrupt controller: it allows the operating system to control when and how and where urgent messages from outside the chip, and from other cores within the same chip, are delivered. Interrupt controllers occupy a rather awkward position in the architecture. They are fairly complicated to implement in hardware; which is why they are not yet implemented by Intel's VT hardware. (This may change in the future.) But they are far too performance critical for Xen to pass emulation off to qemu, as it does with virtual disks or virtual networks. This means that they must be emulated within Xen. The actual vulnerability, like most vulnerabilities, is pretty simple. Xen implements 256 x2apic registers. These registers are stored in a buffer big enough to hold exactly 256 registers. However, the limit check for reading these registers was erroneosly set to 1024. What this means is that, without the fix, if you read x2apic registers 0-255, you'll get the correct emulated value from the register buffer; but if you read x2apic registers 256-1023, Xen will copy hypervisor memory from directly afterwards into the guest. So what this bug gives you is the ability to read (and only read) the 12k [1] of memory directly adjacent to where Xen is storing the first 256 registers (and no other area of memory). The fix simply corrects the limit check to 256. The emulated x2apic functionality was introduced in Xen 4.1, so previous versions of Xen are not affected. Neither are PV guests, since Xen does not provide them with any emulated hardware.

The impact

What is the vulnerability?

The impact

What is the vulnerability?

> > XSA-108 has to do with the emulation of a piece of hardware called an > x2apic. x2apic is an interrupt controller: it allows the operating system x2APIC > to control when and how and where urgent messages from outside the chip, and > from other cores within the same chip, are delivered. > > Interrupt controllers occupy a rather awkward position in the architecture. > They are fairly complicated to implement in hardware; which is why they are > not yet implemented by Intel's VT hardware. (This may change in the future.) > But they are far too performance critical for Xen to pass emulation off to > qemu, as it does with virtual disks or virtual networks. This means that QEMU > they must be emulated within Xen. > > The actual vulnerability, like most vulnerabilities, is pretty simple. Xen > implements 256 x2apic registers. These registers are stored in a buffer big > enough to hold exactly 256 registers. However, the limit check for reading > these registers was erroneosly set to 1024. > > What this means is that, without the fix, if you read x2apic registers > 0-255, you'll get the correct emulated value from the register buffer; but > if you read x2apic registers 256-1023, Xen will copy hypervisor memory from > directly afterwards into the guest. > > So what this bug gives you is the ability to read (and only read) the 12k > [1] of memory directly adjacent to where Xen is storing the first 256 > registers (and no other area of memory). > > The fix simply corrects the limit check to 256. > > The emulated x2apic functionality was introduced in Xen 4.1, so previous > versions of Xen are not affected. Neither are PV guests, since Xen does not > provide them with any emulated hardware. > >

The impact

> > If this seems like a relatively minor issue, that's because it is. The most > likely scenario is that that 12k of memory contains other Xen data > structures which contain no important information. There is, however, a > small chance that this memory might contain memory from another VM; > and a small chance that this memory might contain sensitive > information, like passwords, encryption keys, or other private data. > > Nonetheless, this is a security issue, and the XenProject takes all > potential security issues very seriously, no matter how minor. We have a > mature process in > place to notify cloud providers, distributions, and software providers so > that they can have a fix in place before publicly disclosing any > vulnerability. > > Applying security patches proactively, even though there's very low risk > that anyone might have their secret data leaked because of it, is a > conscientious and diligient thing to do. We're glad to see that so many > cloud providers using Xen are demonstrating how seriously they take > protecting customer data. > > But it is by no means a disaster. Those looking for a major scandal like > Heartbleed and Shellshocker will be disappointed. > > > [1] You may see this reported elsewhere as 3k; saying either 3k or 12k is > simplifiying the truth in different ways. The MSR data is laid out as a > 16-byte structure, of which only the first four bytes (one 32-bit word) can > be read by this vulnerability. So the actual amount of data which is > exposed is 3k, but it's spread out in 4-byte chunks across 12k of memory. > > > _______________________________________________ > Publicity mailing list > Publicity@lists.xenproject.org > http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 15:38:51 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 15:38:51 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZiSw-0004S0-5g; Thu, 02 Oct 2014 15:38:50 +0000 Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZiSu-0004Rv-OW for publicity@lists.xenproject.org; Thu, 02 Oct 2014 15:38:48 +0000 Received: from [85.158.143.35:5488] by server-1.bemta-4.messagelabs.com id 6B/85-05872-8817D245; Thu, 02 Oct 2014 15:38:48 +0000 X-Env-Sender: konrad.wilk@oracle.com X-Msg-Ref: server-4.tower-21.messagelabs.com!1412264326!13423764!1 X-Originating-IP: [141.146.126.69] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogMTQxLjE0Ni4xMjYuNjkgPT4gMjc3MjE4\n X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 28068 invoked from network); 2 Oct 2014 15:38:47 -0000 Received: from aserp1040.oracle.com (HELO aserp1040.oracle.com) (141.146.126.69) by server-4.tower-21.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 2 Oct 2014 15:38:47 -0000 Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id s92Fcc9M002675 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 2 Oct 2014 15:38:39 GMT Received: from userz7022.oracle.com (userz7022.oracle.com [156.151.31.86]) by ucsinet22.oracle.com (8.14.5+Sun/8.14.5) with ESMTP id s92Fcb13023827 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 2 Oct 2014 15:38:38 GMT Received: from abhmp0008.oracle.com (abhmp0008.oracle.com [141.146.116.14]) by userz7022.oracle.com (8.14.5+Sun/8.14.4) with ESMTP id s92FcaSH023775; Thu, 2 Oct 2014 15:38:37 GMT Received: from laptop.dumpdata.com (/50.195.21.189) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Thu, 02 Oct 2014 08:38:36 -0700 Received: by laptop.dumpdata.com (Postfix, from userid 1000) id 9D3BAEA892; Thu, 2 Oct 2014 11:38:35 -0400 (EDT) Date: Thu, 2 Oct 2014 11:38:35 -0400 From: Konrad Rzeszutek Wilk To: George Dunlap Message-ID: <20141002153835.GF32249@laptop.dumpdata.com> References: <542D65BE.8000604@eu.citrix.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <542D65BE.8000604@eu.citrix.com> User-Agent: Mutt/1.5.23 (2014-03-12) X-Source-IP: ucsinet22.oracle.com [156.151.31.94] Cc: Andrew Halley , "publicity@lists.xenproject.org" Subject: Re: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org On Thu, Oct 02, 2014 at 03:48:30PM +0100, George Dunlap wrote: > Hey all, > > Below is a more technical draft blog post in response to the recent media > flurry about XSA-108. If you've updated your blog logins you can also > preview the post here: https://blog.xenproject.org/?p=10093&preview=true > > Let me know if you have any feedback! You might want to add that Linux guests that run in HVM mode don't enable x2APIC mode at all - as they end up using the PVHVM route which ends up using events. This does affect 'true' HVM guests. > > -George > > XSA-108: Not the disaster you're looking for > > There has an unusual amount of media attention to XSA-108, whose embargo > period ended Wednesday -- far more than any of the previous 107 > vulnerabilities the Xen Project has reported. It began when a blogger > noticed that Amazon was telling customers it would be rebooting VMs in > certain regions before a specific date -- a date which happened to coincide > with the release of XSA-108. He conjectured that the reboots had something > to do with that, and further conjectured that, because of the major impact > to customers of rebooting, that it must be something very big and important, > similar to the recent Heartbleed and Shell Shock vulnerabilities. Amazon > confirmed that the reboots had to do with XSA-108, but could say nothing > else because of the security embargo. > > Unfortunately, because of the nature of embargoes, nobody with any actual > knowledge of the vulnerability was allowed to say anything about it, and so > the media was entirely free to speculate without any actual facts getting in > the way. > > Now that the embargo has lifted, we can talk in detail about the > vulnerability; and I'm afraid that people looking for another Shell Shock or > Heartbleed are going to be disappointed. > >

What is the vulnerability?

The impact

> > If this seems like a relatively minor issue, that's because it is. The most > likely scenario is that that 12k of memory contains other Xen data > structures which contain no important information. There is, however, a > small chance that this memory might contain memory from another VM; > and a small chance that this memory might contain sensitive > information, like passwords, encryption keys, or other private data. > > Nonetheless, this is a security issue, and the XenProject takes all > potential security issues very seriously, no matter how minor. We have a > mature process in > place to notify cloud providers, distributions, and software providers so > that they can have a fix in place before publicly disclosing any > vulnerability. > > Applying security patches proactively, even though there's very low risk > that anyone might have their secret data leaked because of it, is a > conscientious and diligient thing to do. We're glad to see that so many > cloud providers using Xen are demonstrating how seriously they take > protecting customer data. > > But it is by no means a disaster. Those looking for a major scandal like > Heartbleed and Shellshocker will be disappointed. > > > [1] You may see this reported elsewhere as 3k; saying either 3k or 12k is > simplifiying the truth in different ways. The MSR data is laid out as a > 16-byte structure, of which only the first four bytes (one 32-bit word) can > be read by this vulnerability. So the actual amount of data which is > exposed is 3k, but it's spread out in 4-byte chunks across 12k of memory. > > > _______________________________________________ > Publicity mailing list > Publicity@lists.xenproject.org > http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 15:41:09 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 15:41:09 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZiVB-0004UZ-Cf; Thu, 02 Oct 2014 15:41:09 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZiVA-0004UU-PD for publicity@lists.xenproject.org; Thu, 02 Oct 2014 15:41:08 +0000 Received: from [85.158.139.211:39335] by server-11.bemta-5.messagelabs.com id 1E/62-11011-3127D245; Thu, 02 Oct 2014 15:41:07 +0000 X-Env-Sender: George.Dunlap@citrix.com X-Msg-Ref: server-12.tower-206.messagelabs.com!1412264465!11665682!1 X-Originating-IP: [66.165.176.63] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 10884 invoked from network); 2 Oct 2014 15:41:07 -0000 Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63) by server-12.tower-206.messagelabs.com with RC4-SHA encrypted SMTP; 2 Oct 2014 15:41:07 -0000 X-IronPort-AV: E=Sophos;i="5.04,639,1406592000"; d="scan'208";a="178598691" Received: from ukmail1.uk.xensource.com (10.80.16.128) by smtprelay.citrix.com (10.13.107.80) with Microsoft SMTP Server id 14.3.181.6; Thu, 2 Oct 2014 11:41:03 -0400 Received: from elijah.uk.xensource.com ([10.80.2.24]) by ukmail1.uk.xensource.com with esmtp (Exim 4.69) (envelope-from ) id 1XZiV5-0006Ya-Ld; Thu, 02 Oct 2014 16:41:03 +0100 Message-ID: <542D71E9.5060505@eu.citrix.com> Date: Thu, 2 Oct 2014 16:40:25 +0100 From: George Dunlap User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1 MIME-Version: 1.0 To: Konrad Rzeszutek Wilk References: <542D65BE.8000604@eu.citrix.com> <20141002153835.GF32249@laptop.dumpdata.com> In-Reply-To: <20141002153835.GF32249@laptop.dumpdata.com> X-DLP: MIA1 Cc: Andrew Halley , "publicity@lists.xenproject.org" Subject: Re: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org On 10/02/2014 04:38 PM, Konrad Rzeszutek Wilk wrote: > On Thu, Oct 02, 2014 at 03:48:30PM +0100, George Dunlap wrote: >> Hey all, >> >> Below is a more technical draft blog post in response to the recent media >> flurry about XSA-108. If you've updated your blog logins you can also >> preview the post here: https://blog.xenproject.org/?p=10093&preview=true >> >> Let me know if you have any feedback! > You might want to add that Linux guests that run in HVM mode don't enable > x2APIC mode at all - as they end up using the PVHVM route which ends up > using events. > > This does affect 'true' HVM guests. But you could only exploit this if you have control of the guest OS; and if you have that, you can enable the x2APIC, right? > >> -George >> >> XSA-108: Not the disaster you're looking for >> >> There has an unusual amount of media attention to XSA-108, whose embargo >> period ended Wednesday -- far more than any of the previous 107 >> vulnerabilities the Xen Project has reported. It began when a blogger >> noticed that Amazon was telling customers it would be rebooting VMs in >> certain regions before a specific date -- a date which happened to coincide >> with the release of XSA-108. He conjectured that the reboots had something >> to do with that, and further conjectured that, because of the major impact >> to customers of rebooting, that it must be something very big and important, >> similar to the recent Heartbleed and Shell Shock vulnerabilities. Amazon >> confirmed that the reboots had to do with XSA-108, but could say nothing >> else because of the security embargo. >> >> Unfortunately, because of the nature of embargoes, nobody with any actual >> knowledge of the vulnerability was allowed to say anything about it, and so >> the media was entirely free to speculate without any actual facts getting in >> the way. >> >> Now that the embargo has lifted, we can talk in detail about the >> vulnerability; and I'm afraid that people looking for another Shell Shock or >> Heartbleed are going to be disappointed. >> >>

What is the vulnerability?

>> >> XSA-108 has to do with the emulation of a piece of hardware called an >> x2apic. x2apic is an interrupt controller: it allows the operating system > x2APIC > >> to control when and how and where urgent messages from outside the chip, and >> from other cores within the same chip, are delivered. >> >> Interrupt controllers occupy a rather awkward position in the architecture. >> They are fairly complicated to implement in hardware; which is why they are >> not yet implemented by Intel's VT hardware. (This may change in the future.) >> But they are far too performance critical for Xen to pass emulation off to >> qemu, as it does with virtual disks or virtual networks. This means that > QEMU Do I have to? :-) I think it looks much nicer as "qemu"... -George _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 15:56:42 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 15:56:42 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZikE-0005Hf-4s; Thu, 02 Oct 2014 15:56:42 +0000 Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZikC-0005HZ-SO for publicity@lists.xenproject.org; Thu, 02 Oct 2014 15:56:40 +0000 Received: from [85.158.143.35:13853] by server-1.bemta-4.messagelabs.com id 25/E2-05872-8B57D245; Thu, 02 Oct 2014 15:56:40 +0000 X-Env-Sender: Stefano.Stabellini@citrix.com X-Msg-Ref: server-14.tower-21.messagelabs.com!1412265398!13519334!1 X-Originating-IP: [66.165.176.89] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni44OSA9PiAyMDMwMDc=\n X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 25423 invoked from network); 2 Oct 2014 15:56:39 -0000 Received: from smtp.citrix.com (HELO SMTP.CITRIX.COM) (66.165.176.89) by server-14.tower-21.messagelabs.com with RC4-SHA encrypted SMTP; 2 Oct 2014 15:56:39 -0000 X-IronPort-AV: E=Sophos;i="5.04,639,1406592000"; d="scan'208";a="177535431" Received: from ukmail1.uk.xensource.com (10.80.16.128) by smtprelay.citrix.com (10.13.107.80) with Microsoft SMTP Server id 14.3.181.6; Thu, 2 Oct 2014 11:54:11 -0400 Received: from kaball.uk.xensource.com ([10.80.2.59]) by ukmail1.uk.xensource.com with esmtp (Exim 4.69) (envelope-from ) id 1XZihm-0006ks-Vx; Thu, 02 Oct 2014 16:54:10 +0100 Date: Thu, 2 Oct 2014 16:52:03 +0100 From: Stefano Stabellini X-X-Sender: sstabellini@kaball.uk.xensource.com To: George Dunlap In-Reply-To: <542D71E9.5060505@eu.citrix.com> Message-ID: References: <542D65BE.8000604@eu.citrix.com> <20141002153835.GF32249@laptop.dumpdata.com> <542D71E9.5060505@eu.citrix.com> User-Agent: Alpine 2.02 (DEB 1266 2009-07-14) MIME-Version: 1.0 X-DLP: MIA1 Cc: Andrew Halley , "publicity@lists.xenproject.org" Subject: Re: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org On Thu, 2 Oct 2014, George Dunlap wrote: > > > to control when and how and where urgent messages from outside the chip, > > > and > > > from other cores within the same chip, are delivered. > > > > > > Interrupt controllers occupy a rather awkward position in the > > > architecture. > > > They are fairly complicated to implement in hardware; which is why they > > > are > > > not yet implemented by Intel's VT hardware. (This may change in the > > > future.) > > > But they are far too performance critical for Xen to pass emulation off to > > > qemu, as it does with virtual disks or virtual networks. This means that > > QEMU > > Do I have to? :-) I think it looks much nicer as "qemu"... It's a few years now that they have started enforcing the name of the project as "QEMU" everywhere. _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 15:56:42 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 15:56:42 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZikE-0005Hf-4s; Thu, 02 Oct 2014 15:56:42 +0000 Received: from mail6.bemta4.messagelabs.com ([85.158.143.247]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZikC-0005HZ-SO for publicity@lists.xenproject.org; Thu, 02 Oct 2014 15:56:40 +0000 Received: from [85.158.143.35:13853] by server-1.bemta-4.messagelabs.com id 25/E2-05872-8B57D245; Thu, 02 Oct 2014 15:56:40 +0000 X-Env-Sender: Stefano.Stabellini@citrix.com X-Msg-Ref: server-14.tower-21.messagelabs.com!1412265398!13519334!1 X-Originating-IP: [66.165.176.89] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni44OSA9PiAyMDMwMDc=\n X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 25423 invoked from network); 2 Oct 2014 15:56:39 -0000 Received: from smtp.citrix.com (HELO SMTP.CITRIX.COM) (66.165.176.89) by server-14.tower-21.messagelabs.com with RC4-SHA encrypted SMTP; 2 Oct 2014 15:56:39 -0000 X-IronPort-AV: E=Sophos;i="5.04,639,1406592000"; d="scan'208";a="177535431" Received: from ukmail1.uk.xensource.com (10.80.16.128) by smtprelay.citrix.com (10.13.107.80) with Microsoft SMTP Server id 14.3.181.6; Thu, 2 Oct 2014 11:54:11 -0400 Received: from kaball.uk.xensource.com ([10.80.2.59]) by ukmail1.uk.xensource.com with esmtp (Exim 4.69) (envelope-from ) id 1XZihm-0006ks-Vx; Thu, 02 Oct 2014 16:54:10 +0100 Date: Thu, 2 Oct 2014 16:52:03 +0100 From: Stefano Stabellini X-X-Sender: sstabellini@kaball.uk.xensource.com To: George Dunlap In-Reply-To: <542D71E9.5060505@eu.citrix.com> Message-ID: References: <542D65BE.8000604@eu.citrix.com> <20141002153835.GF32249@laptop.dumpdata.com> <542D71E9.5060505@eu.citrix.com> User-Agent: Alpine 2.02 (DEB 1266 2009-07-14) MIME-Version: 1.0 X-DLP: MIA1 Cc: Andrew Halley , "publicity@lists.xenproject.org" Subject: Re: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org On Thu, 2 Oct 2014, George Dunlap wrote: > > > to control when and how and where urgent messages from outside the chip, > > > and > > > from other cores within the same chip, are delivered. > > > > > > Interrupt controllers occupy a rather awkward position in the > > > architecture. > > > They are fairly complicated to implement in hardware; which is why they > > > are > > > not yet implemented by Intel's VT hardware. (This may change in the > > > future.) > > > But they are far too performance critical for Xen to pass emulation off to > > > qemu, as it does with virtual disks or virtual networks. This means that > > QEMU > > Do I have to? :-) I think it looks much nicer as "qemu"... It's a few years now that they have started enforcing the name of the project as "QEMU" everywhere. _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 15:59:07 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 15:59:07 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZimZ-0005NZ-Ok; Thu, 02 Oct 2014 15:59:07 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZimV-0005NJ-RC for publicity@lists.xenproject.org; Thu, 02 Oct 2014 15:59:06 +0000 Received: from [85.158.139.211:62507] by server-14.bemta-5.messagelabs.com id E1/4E-12422-7467D245; Thu, 02 Oct 2014 15:59:03 +0000 X-Env-Sender: George.Dunlap@citrix.com X-Msg-Ref: server-16.tower-206.messagelabs.com!1412265539!8784836!1 X-Originating-IP: [66.165.176.89] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni44OSA9PiAyMDMwMDc=\n X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 637 invoked from network); 2 Oct 2014 15:59:02 -0000 Received: from smtp.citrix.com (HELO SMTP.CITRIX.COM) (66.165.176.89) by server-16.tower-206.messagelabs.com with RC4-SHA encrypted SMTP; 2 Oct 2014 15:59:02 -0000 X-IronPort-AV: E=Sophos;i="5.04,639,1406592000"; d="scan'208";a="177536419" Received: from ukmail1.uk.xensource.com (10.80.16.128) by smtprelay.citrix.com (10.13.107.80) with Microsoft SMTP Server id 14.3.181.6; Thu, 2 Oct 2014 11:56:26 -0400 Received: from elijah.uk.xensource.com ([10.80.2.24]) by ukmail1.uk.xensource.com with esmtp (Exim 4.69) (envelope-from ) id 1XZijy-0006n9-E2; Thu, 02 Oct 2014 16:56:26 +0100 Message-ID: <542D7584.5030204@eu.citrix.com> Date: Thu, 2 Oct 2014 16:55:48 +0100 From: George Dunlap User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1 MIME-Version: 1.0 To: Stefano Stabellini References: <542D65BE.8000604@eu.citrix.com> <20141002153835.GF32249@laptop.dumpdata.com> <542D71E9.5060505@eu.citrix.com> In-Reply-To: X-DLP: MIA1 Cc: Andrew Halley , "publicity@lists.xenproject.org" Subject: Re: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org On 10/02/2014 04:52 PM, Stefano Stabellini wrote: > On Thu, 2 Oct 2014, George Dunlap wrote: >>>> to control when and how and where urgent messages from outside the chip, >>>> and >>>> from other cores within the same chip, are delivered. >>>> >>>> Interrupt controllers occupy a rather awkward position in the >>>> architecture. >>>> They are fairly complicated to implement in hardware; which is why they >>>> are >>>> not yet implemented by Intel's VT hardware. (This may change in the >>>> future.) >>>> But they are far too performance critical for Xen to pass emulation off to >>>> qemu, as it does with virtual disks or virtual networks. This means that >>> QEMU >> Do I have to? :-) I think it looks much nicer as "qemu"... > It's a few years now that they have started enforcing the name of the > project as "QEMU" everywhere. *sigh* Very well... -G _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 15:59:07 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 15:59:07 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZimZ-0005NZ-Ok; Thu, 02 Oct 2014 15:59:07 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZimV-0005NJ-RC for publicity@lists.xenproject.org; Thu, 02 Oct 2014 15:59:06 +0000 Received: from [85.158.139.211:62507] by server-14.bemta-5.messagelabs.com id E1/4E-12422-7467D245; Thu, 02 Oct 2014 15:59:03 +0000 X-Env-Sender: George.Dunlap@citrix.com X-Msg-Ref: server-16.tower-206.messagelabs.com!1412265539!8784836!1 X-Originating-IP: [66.165.176.89] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni44OSA9PiAyMDMwMDc=\n X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 637 invoked from network); 2 Oct 2014 15:59:02 -0000 Received: from smtp.citrix.com (HELO SMTP.CITRIX.COM) (66.165.176.89) by server-16.tower-206.messagelabs.com with RC4-SHA encrypted SMTP; 2 Oct 2014 15:59:02 -0000 X-IronPort-AV: E=Sophos;i="5.04,639,1406592000"; d="scan'208";a="177536419" Received: from ukmail1.uk.xensource.com (10.80.16.128) by smtprelay.citrix.com (10.13.107.80) with Microsoft SMTP Server id 14.3.181.6; Thu, 2 Oct 2014 11:56:26 -0400 Received: from elijah.uk.xensource.com ([10.80.2.24]) by ukmail1.uk.xensource.com with esmtp (Exim 4.69) (envelope-from ) id 1XZijy-0006n9-E2; Thu, 02 Oct 2014 16:56:26 +0100 Message-ID: <542D7584.5030204@eu.citrix.com> Date: Thu, 2 Oct 2014 16:55:48 +0100 From: George Dunlap User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1 MIME-Version: 1.0 To: Stefano Stabellini References: <542D65BE.8000604@eu.citrix.com> <20141002153835.GF32249@laptop.dumpdata.com> <542D71E9.5060505@eu.citrix.com> In-Reply-To: X-DLP: MIA1 Cc: Andrew Halley , "publicity@lists.xenproject.org" Subject: Re: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org On 10/02/2014 04:52 PM, Stefano Stabellini wrote: > On Thu, 2 Oct 2014, George Dunlap wrote: >>>> to control when and how and where urgent messages from outside the chip, >>>> and >>>> from other cores within the same chip, are delivered. >>>> >>>> Interrupt controllers occupy a rather awkward position in the >>>> architecture. >>>> They are fairly complicated to implement in hardware; which is why they >>>> are >>>> not yet implemented by Intel's VT hardware. (This may change in the >>>> future.) >>>> But they are far too performance critical for Xen to pass emulation off to >>>> qemu, as it does with virtual disks or virtual networks. This means that >>> QEMU >> Do I have to? :-) I think it looks much nicer as "qemu"... > It's a few years now that they have started enforcing the name of the > project as "QEMU" everywhere. *sigh* Very well... -G _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 16:01:07 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 16:01:07 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZioU-0005rP-Ug; Thu, 02 Oct 2014 16:01:06 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZioU-0005rJ-0M for publicity@lists.xenproject.org; Thu, 02 Oct 2014 16:01:06 +0000 Received: from [85.158.139.211:32930] by server-9.bemta-5.messagelabs.com id 0E/8C-20744-1C67D245; Thu, 02 Oct 2014 16:01:05 +0000 X-Env-Sender: anil@recoil.org X-Msg-Ref: server-11.tower-206.messagelabs.com!1412265664!7555391!1 X-Originating-IP: [5.153.225.51] X-SpamReason: No, hits=0.7 required=7.0 tests=BODY_RANDOM_LONG, RCVD_ILLEGAL_IP X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 28853 invoked from network); 2 Oct 2014 16:01:04 -0000 Received: from bark.recoil.org (HELO bark.recoil.org) (5.153.225.51) by server-11.tower-206.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 2 Oct 2014 16:01:04 -0000 Received: from [192.168.15.34] (no-dns-yet.demon.co.uk [62.49.66.12]); by bark.recoil.org (OpenSMTPD) with ESMTPSA id e5ec3bae; TLS version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO; Thu, 2 Oct 2014 17:02:41 +0100 (BST) Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\)) From: Anil Madhavapeddy In-Reply-To: <542D65BE.8000604@eu.citrix.com> Date: Thu, 2 Oct 2014 17:00:59 +0100 Message-Id: <9F0C1689-5FFB-43A5-B111-9FA752AEAE1F@recoil.org> References: <542D65BE.8000604@eu.citrix.com> To: George Dunlap X-Mailer: Apple Mail (2.1878.6) Cc: Andrew Halley , "publicity@lists.xenproject.org" Subject: Re: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org On 2 Oct 2014, at 15:48, George Dunlap wrote: > There has an unusual amount of media attention to XSA-108, whose embargo period ended Wednesday -- far more than any of the previous 107 vulnerabilities the Xen Project has reported. Great post -- it might be worth putting the 107 previous vulnerabilities in a causal context; e.g. "far more than any of the previous 107 vulnerabilities the Xen Project has reported over the previous decade." or else "107" seems like an awfully large number :-) -anil _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 16:01:07 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 16:01:07 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZioU-0005rP-Ug; Thu, 02 Oct 2014 16:01:06 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZioU-0005rJ-0M for publicity@lists.xenproject.org; Thu, 02 Oct 2014 16:01:06 +0000 Received: from [85.158.139.211:32930] by server-9.bemta-5.messagelabs.com id 0E/8C-20744-1C67D245; Thu, 02 Oct 2014 16:01:05 +0000 X-Env-Sender: anil@recoil.org X-Msg-Ref: server-11.tower-206.messagelabs.com!1412265664!7555391!1 X-Originating-IP: [5.153.225.51] X-SpamReason: No, hits=0.7 required=7.0 tests=BODY_RANDOM_LONG, RCVD_ILLEGAL_IP X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 28853 invoked from network); 2 Oct 2014 16:01:04 -0000 Received: from bark.recoil.org (HELO bark.recoil.org) (5.153.225.51) by server-11.tower-206.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 2 Oct 2014 16:01:04 -0000 Received: from [192.168.15.34] (no-dns-yet.demon.co.uk [62.49.66.12]); by bark.recoil.org (OpenSMTPD) with ESMTPSA id e5ec3bae; TLS version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO; Thu, 2 Oct 2014 17:02:41 +0100 (BST) Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\)) From: Anil Madhavapeddy In-Reply-To: <542D65BE.8000604@eu.citrix.com> Date: Thu, 2 Oct 2014 17:00:59 +0100 Message-Id: <9F0C1689-5FFB-43A5-B111-9FA752AEAE1F@recoil.org> References: <542D65BE.8000604@eu.citrix.com> To: George Dunlap X-Mailer: Apple Mail (2.1878.6) Cc: Andrew Halley , "publicity@lists.xenproject.org" Subject: Re: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org On 2 Oct 2014, at 15:48, George Dunlap wrote: > There has an unusual amount of media attention to XSA-108, whose embargo period ended Wednesday -- far more than any of the previous 107 vulnerabilities the Xen Project has reported. Great post -- it might be worth putting the 107 previous vulnerabilities in a causal context; e.g. "far more than any of the previous 107 vulnerabilities the Xen Project has reported over the previous decade." or else "107" seems like an awfully large number :-) -anil _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 16:17:50 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 16:17:50 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZj4g-0006Vn-63; Thu, 02 Oct 2014 16:17:50 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZj4f-0006Vi-A5 for publicity@lists.xenproject.org; Thu, 02 Oct 2014 16:17:49 +0000 Received: from [85.158.137.68:29600] by server-9.bemta-3.messagelabs.com id 86/FE-30790-CAA7D245; Thu, 02 Oct 2014 16:17:48 +0000 X-Env-Sender: George.Dunlap@citrix.com X-Msg-Ref: server-11.tower-31.messagelabs.com!1412266666!11175296!1 X-Originating-IP: [66.165.176.89] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni44OSA9PiAyMDMwMDc=\n X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 23304 invoked from network); 2 Oct 2014 16:17:48 -0000 Received: from smtp.citrix.com (HELO SMTP.CITRIX.COM) (66.165.176.89) by server-11.tower-31.messagelabs.com with RC4-SHA encrypted SMTP; 2 Oct 2014 16:17:48 -0000 X-IronPort-AV: E=Sophos;i="5.04,639,1406592000"; d="scan'208";a="177546164" Received: from ukmail1.uk.xensource.com (10.80.16.128) by smtprelay.citrix.com (10.13.107.80) with Microsoft SMTP Server id 14.3.181.6; Thu, 2 Oct 2014 12:15:48 -0400 Received: from elijah.uk.xensource.com ([10.80.2.24]) by ukmail1.uk.xensource.com with esmtp (Exim 4.69) (envelope-from ) id 1XZj2i-00074B-DB; Thu, 02 Oct 2014 17:15:48 +0100 Message-ID: <542D7A0E.2090605@eu.citrix.com> Date: Thu, 2 Oct 2014 17:15:10 +0100 From: George Dunlap User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1 MIME-Version: 1.0 To: Anil Madhavapeddy References: <542D65BE.8000604@eu.citrix.com> <9F0C1689-5FFB-43A5-B111-9FA752AEAE1F@recoil.org> In-Reply-To: <9F0C1689-5FFB-43A5-B111-9FA752AEAE1F@recoil.org> X-DLP: MIA1 Cc: Andrew Halley , "publicity@lists.xenproject.org" Subject: Re: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org On 10/02/2014 05:00 PM, Anil Madhavapeddy wrote: > On 2 Oct 2014, at 15:48, George Dunlap wrote: > >> There has an unusual amount of media attention to XSA-108, whose embargo period ended Wednesday -- far more than any of the previous 107 vulnerabilities the Xen Project has reported. > Great post -- it might be worth putting the 107 previous vulnerabilities in a causal context; e.g. > > "far more than any of the previous 107 vulnerabilities the Xen Project has reported over the previous decade." > > or else "107" seems like an awfully large number :-) Well XSA-1 was in 2011, 3.5 years ago. :-) I agree, that number out of context could be misinterpreted; I'll see what I can do to reword that. -George _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 16:17:50 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 16:17:50 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZj4g-0006Vn-63; Thu, 02 Oct 2014 16:17:50 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZj4f-0006Vi-A5 for publicity@lists.xenproject.org; Thu, 02 Oct 2014 16:17:49 +0000 Received: from [85.158.137.68:29600] by server-9.bemta-3.messagelabs.com id 86/FE-30790-CAA7D245; Thu, 02 Oct 2014 16:17:48 +0000 X-Env-Sender: George.Dunlap@citrix.com X-Msg-Ref: server-11.tower-31.messagelabs.com!1412266666!11175296!1 X-Originating-IP: [66.165.176.89] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni44OSA9PiAyMDMwMDc=\n X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 23304 invoked from network); 2 Oct 2014 16:17:48 -0000 Received: from smtp.citrix.com (HELO SMTP.CITRIX.COM) (66.165.176.89) by server-11.tower-31.messagelabs.com with RC4-SHA encrypted SMTP; 2 Oct 2014 16:17:48 -0000 X-IronPort-AV: E=Sophos;i="5.04,639,1406592000"; d="scan'208";a="177546164" Received: from ukmail1.uk.xensource.com (10.80.16.128) by smtprelay.citrix.com (10.13.107.80) with Microsoft SMTP Server id 14.3.181.6; Thu, 2 Oct 2014 12:15:48 -0400 Received: from elijah.uk.xensource.com ([10.80.2.24]) by ukmail1.uk.xensource.com with esmtp (Exim 4.69) (envelope-from ) id 1XZj2i-00074B-DB; Thu, 02 Oct 2014 17:15:48 +0100 Message-ID: <542D7A0E.2090605@eu.citrix.com> Date: Thu, 2 Oct 2014 17:15:10 +0100 From: George Dunlap User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1 MIME-Version: 1.0 To: Anil Madhavapeddy References: <542D65BE.8000604@eu.citrix.com> <9F0C1689-5FFB-43A5-B111-9FA752AEAE1F@recoil.org> In-Reply-To: <9F0C1689-5FFB-43A5-B111-9FA752AEAE1F@recoil.org> X-DLP: MIA1 Cc: Andrew Halley , "publicity@lists.xenproject.org" Subject: Re: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org On 10/02/2014 05:00 PM, Anil Madhavapeddy wrote: > On 2 Oct 2014, at 15:48, George Dunlap wrote: > >> There has an unusual amount of media attention to XSA-108, whose embargo period ended Wednesday -- far more than any of the previous 107 vulnerabilities the Xen Project has reported. > Great post -- it might be worth putting the 107 previous vulnerabilities in a causal context; e.g. > > "far more than any of the previous 107 vulnerabilities the Xen Project has reported over the previous decade." > > or else "107" seems like an awfully large number :-) Well XSA-1 was in 2011, 3.5 years ago. :-) I agree, that number out of context could be misinterpreted; I'll see what I can do to reword that. -George _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 16:27:04 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 16:27:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZjDc-0006sN-L1; Thu, 02 Oct 2014 16:27:04 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZjDa-0006s9-6C for publicity@lists.xenproject.org; Thu, 02 Oct 2014 16:27:02 +0000 Received: from [85.158.139.211:24487] by server-15.bemta-5.messagelabs.com id B4/4B-12002-5DC7D245; Thu, 02 Oct 2014 16:27:01 +0000 X-Env-Sender: anil@recoil.org X-Msg-Ref: server-15.tower-206.messagelabs.com!1412267220!8316667!1 X-Originating-IP: [5.153.225.51] X-SpamReason: No, hits=0.2 required=7.0 tests=RCVD_ILLEGAL_IP X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 12139 invoked from network); 2 Oct 2014 16:27:01 -0000 Received: from bark.recoil.org (HELO bark.recoil.org) (5.153.225.51) by server-15.tower-206.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 2 Oct 2014 16:27:01 -0000 Received: from [192.168.15.34] (no-dns-yet.demon.co.uk [62.49.66.12]); by bark.recoil.org (OpenSMTPD) with ESMTPSA id 3e228bed; TLS version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO; Thu, 2 Oct 2014 17:28:38 +0100 (BST) Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\)) From: Anil Madhavapeddy In-Reply-To: <20141002153835.GF32249@laptop.dumpdata.com> Date: Thu, 2 Oct 2014 17:26:56 +0100 Message-Id: <728470F7-3D4A-44F5-875A-50693228CC2A@recoil.org> References: <542D65BE.8000604@eu.citrix.com> <20141002153835.GF32249@laptop.dumpdata.com> To: Konrad Rzeszutek Wilk X-Mailer: Apple Mail (2.1878.6) Cc: Andrew Halley , "publicity@lists.xenproject.org" Subject: Re: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org On 2 Oct 2014, at 16:38, Konrad Rzeszutek Wilk wrote: > On Thu, Oct 02, 2014 at 03:48:30PM +0100, George Dunlap wrote: >> Hey all, >> >> Below is a more technical draft blog post in response to the recent media >> flurry about XSA-108. If you've updated your blog logins you can also >> preview the post here: https://blog.xenproject.org/?p=10093&preview=true >> >> Let me know if you have any feedback! > > You might want to add that Linux guests that run in HVM mode don't enable > x2APIC mode at all - as they end up using the PVHVM route which ends up > using events. > > This does affect 'true' HVM guests. This is pretty confusing -- I've seen quite a few people asking if the vulnerability affected PVH guests, which is distinct from Linux activating PV mode when running inside a HVM container, and also distinct from a Windows HVM guest without PV drivers. Perhaps throwing a bit more explanation in about the various HVM boot modes would help allay some of that confusion, or just explicitly having a table with common guest OSs, what modes they use, and if they're affected or not. Rackspace, for example, expose this terminology to their users by giving you the option of booting an Ubuntu PV or PVH guest as separate templates. I have no idea why they do that since I'm not aware of any application compatibility that's enabled by running in PVH mode -- it seems like a hosting decision rather than one that the user should care about. -anil _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 16:27:04 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 16:27:04 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZjDc-0006sN-L1; Thu, 02 Oct 2014 16:27:04 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZjDa-0006s9-6C for publicity@lists.xenproject.org; Thu, 02 Oct 2014 16:27:02 +0000 Received: from [85.158.139.211:24487] by server-15.bemta-5.messagelabs.com id B4/4B-12002-5DC7D245; Thu, 02 Oct 2014 16:27:01 +0000 X-Env-Sender: anil@recoil.org X-Msg-Ref: server-15.tower-206.messagelabs.com!1412267220!8316667!1 X-Originating-IP: [5.153.225.51] X-SpamReason: No, hits=0.2 required=7.0 tests=RCVD_ILLEGAL_IP X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 12139 invoked from network); 2 Oct 2014 16:27:01 -0000 Received: from bark.recoil.org (HELO bark.recoil.org) (5.153.225.51) by server-15.tower-206.messagelabs.com with DHE-RSA-AES256-SHA encrypted SMTP; 2 Oct 2014 16:27:01 -0000 Received: from [192.168.15.34] (no-dns-yet.demon.co.uk [62.49.66.12]); by bark.recoil.org (OpenSMTPD) with ESMTPSA id 3e228bed; TLS version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO; Thu, 2 Oct 2014 17:28:38 +0100 (BST) Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\)) From: Anil Madhavapeddy In-Reply-To: <20141002153835.GF32249@laptop.dumpdata.com> Date: Thu, 2 Oct 2014 17:26:56 +0100 Message-Id: <728470F7-3D4A-44F5-875A-50693228CC2A@recoil.org> References: <542D65BE.8000604@eu.citrix.com> <20141002153835.GF32249@laptop.dumpdata.com> To: Konrad Rzeszutek Wilk X-Mailer: Apple Mail (2.1878.6) Cc: Andrew Halley , "publicity@lists.xenproject.org" Subject: Re: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org On 2 Oct 2014, at 16:38, Konrad Rzeszutek Wilk wrote: > On Thu, Oct 02, 2014 at 03:48:30PM +0100, George Dunlap wrote: >> Hey all, >> >> Below is a more technical draft blog post in response to the recent media >> flurry about XSA-108. If you've updated your blog logins you can also >> preview the post here: https://blog.xenproject.org/?p=10093&preview=true >> >> Let me know if you have any feedback! > > You might want to add that Linux guests that run in HVM mode don't enable > x2APIC mode at all - as they end up using the PVHVM route which ends up > using events. > > This does affect 'true' HVM guests. This is pretty confusing -- I've seen quite a few people asking if the vulnerability affected PVH guests, which is distinct from Linux activating PV mode when running inside a HVM container, and also distinct from a Windows HVM guest without PV drivers. Perhaps throwing a bit more explanation in about the various HVM boot modes would help allay some of that confusion, or just explicitly having a table with common guest OSs, what modes they use, and if they're affected or not. Rackspace, for example, expose this terminology to their users by giving you the option of booting an Ubuntu PV or PVH guest as separate templates. I have no idea why they do that since I'm not aware of any application compatibility that's enabled by running in PVH mode -- it seems like a hosting decision rather than one that the user should care about. -anil _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 17:10:13 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 17:10:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZjtM-0000ID-DC; Thu, 02 Oct 2014 17:10:12 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZjtK-0000HE-RD for publicity@lists.xenproject.org; Thu, 02 Oct 2014 17:10:10 +0000 Received: from [85.158.137.68:57633] by server-17.bemta-3.messagelabs.com id 57/C5-01689-2F68D245; Thu, 02 Oct 2014 17:10:10 +0000 X-Env-Sender: Ian.Jackson@citrix.com X-Msg-Ref: server-8.tower-31.messagelabs.com!1412269808!11181217!1 X-Originating-IP: [66.165.176.63] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 27984 invoked from network); 2 Oct 2014 17:10:09 -0000 Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63) by server-8.tower-31.messagelabs.com with RC4-SHA encrypted SMTP; 2 Oct 2014 17:10:09 -0000 X-IronPort-AV: E=Sophos;i="5.04,639,1406592000"; d="scan'208";a="178635188" Received: from ukmail1.uk.xensource.com (10.80.16.128) by smtprelay.citrix.com (10.13.107.80) with Microsoft SMTP Server id 14.3.181.6; Thu, 2 Oct 2014 13:10:07 -0400 Received: from mariner.uk.xensource.com ([10.80.2.22]) by ukmail1.uk.xensource.com with esmtp (Exim 4.69) (envelope-from ) id 1XZjtG-0007np-Lq; Thu, 02 Oct 2014 18:10:06 +0100 Received: from iwj by mariner.uk.xensource.com with local (Exim 4.80) (envelope-from ) id 1XZjtG-0007ER-E1; Thu, 02 Oct 2014 18:10:06 +0100 From: Ian Jackson MIME-Version: 1.0 Message-ID: <21549.34542.272159.795058@mariner.uk.xensource.com> Date: Thu, 2 Oct 2014 18:10:06 +0100 To: George Dunlap In-Reply-To: <542D65BE.8000604@eu.citrix.com> References: <542D65BE.8000604@eu.citrix.com> X-Mailer: VM 8.1.0 under 23.4.1 (i486-pc-linux-gnu) X-DLP: MIA2 Cc: Andrew Halley , "publicity@lists.xenproject.org" Subject: Re: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org George Dunlap writes ("[Publicity] Draft technical blog post"): > Below is a more technical draft blog post in response to the recent > media flurry about XSA-108. If you've updated your blog logins you can > also preview the post here: > https://blog.xenproject.org/?p=10093&preview=true Thanks. I think this is an excellent blog post. Ian. _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 17:10:13 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 17:10:13 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZjtM-0000ID-DC; Thu, 02 Oct 2014 17:10:12 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZjtK-0000HE-RD for publicity@lists.xenproject.org; Thu, 02 Oct 2014 17:10:10 +0000 Received: from [85.158.137.68:57633] by server-17.bemta-3.messagelabs.com id 57/C5-01689-2F68D245; Thu, 02 Oct 2014 17:10:10 +0000 X-Env-Sender: Ian.Jackson@citrix.com X-Msg-Ref: server-8.tower-31.messagelabs.com!1412269808!11181217!1 X-Originating-IP: [66.165.176.63] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 27984 invoked from network); 2 Oct 2014 17:10:09 -0000 Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63) by server-8.tower-31.messagelabs.com with RC4-SHA encrypted SMTP; 2 Oct 2014 17:10:09 -0000 X-IronPort-AV: E=Sophos;i="5.04,639,1406592000"; d="scan'208";a="178635188" Received: from ukmail1.uk.xensource.com (10.80.16.128) by smtprelay.citrix.com (10.13.107.80) with Microsoft SMTP Server id 14.3.181.6; Thu, 2 Oct 2014 13:10:07 -0400 Received: from mariner.uk.xensource.com ([10.80.2.22]) by ukmail1.uk.xensource.com with esmtp (Exim 4.69) (envelope-from ) id 1XZjtG-0007np-Lq; Thu, 02 Oct 2014 18:10:06 +0100 Received: from iwj by mariner.uk.xensource.com with local (Exim 4.80) (envelope-from ) id 1XZjtG-0007ER-E1; Thu, 02 Oct 2014 18:10:06 +0100 From: Ian Jackson MIME-Version: 1.0 Message-ID: <21549.34542.272159.795058@mariner.uk.xensource.com> Date: Thu, 2 Oct 2014 18:10:06 +0100 To: George Dunlap In-Reply-To: <542D65BE.8000604@eu.citrix.com> References: <542D65BE.8000604@eu.citrix.com> X-Mailer: VM 8.1.0 under 23.4.1 (i486-pc-linux-gnu) X-DLP: MIA2 Cc: Andrew Halley , "publicity@lists.xenproject.org" Subject: Re: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org George Dunlap writes ("[Publicity] Draft technical blog post"): > Below is a more technical draft blog post in response to the recent > media flurry about XSA-108. If you've updated your blog logins you can > also preview the post here: > https://blog.xenproject.org/?p=10093&preview=true Thanks. I think this is an excellent blog post. Ian. _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 17:34:01 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 17:34:01 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZkGO-0000sF-MC; Thu, 02 Oct 2014 17:34:00 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZkGN-0000sA-Dv for publicity@lists.xenproject.org; Thu, 02 Oct 2014 17:33:59 +0000 Received: from [85.158.139.211:48074] by server-6.bemta-5.messagelabs.com id DC/04-06284-68C8D245; Thu, 02 Oct 2014 17:33:58 +0000 X-Env-Sender: George.Dunlap@citrix.com X-Msg-Ref: server-3.tower-206.messagelabs.com!1412271236!4096194!1 X-Originating-IP: [66.165.176.89] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni44OSA9PiAyMDMwMDc=\n X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 10311 invoked from network); 2 Oct 2014 17:33:58 -0000 Received: from smtp.citrix.com (HELO SMTP.CITRIX.COM) (66.165.176.89) by server-3.tower-206.messagelabs.com with RC4-SHA encrypted SMTP; 2 Oct 2014 17:33:58 -0000 X-IronPort-AV: E=Sophos;i="5.04,640,1406592000"; d="scan'208";a="177578815" Received: from ukmail1.uk.xensource.com (10.80.16.128) by smtprelay.citrix.com (10.13.107.80) with Microsoft SMTP Server id 14.3.181.6; Thu, 2 Oct 2014 13:33:54 -0400 Received: from elijah.uk.xensource.com ([10.80.2.24]) by ukmail1.uk.xensource.com with esmtp (Exim 4.69) (envelope-from ) id 1XZkGH-00087P-W6; Thu, 02 Oct 2014 18:33:53 +0100 Message-ID: <542D8C5B.7020506@eu.citrix.com> Date: Thu, 2 Oct 2014 18:33:15 +0100 From: George Dunlap User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.1 MIME-Version: 1.0 To: "publicity@lists.xenproject.org" , Andrew Halley References: <542D65BE.8000604@eu.citrix.com> In-Reply-To: <542D65BE.8000604@eu.citrix.com> X-DLP: MIA2 Subject: Re: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org Thanks everyone for your comments (both here and on IRC). I've posted an updated draft, and included one inline below. In line with Lars' advice, I'm going to wait until tomorrow morning for more comments before pulling the trigger. Peace, -George XSA-108: Not the vulnerability you're looking for There has an unusual amount of media attention to XSA-108 during the embargo period (which ended Wednesday) -- far more than any of the previous security issues the Xen Project has reported. It began when a blogger complained that Amazon was telling customers it would be rebooting VMs in certain regions before a specific date. Other media outlets picked it up and noticed that the date happened to coincide with the release of XSA-108, and conjectured that the reboots had something to do with that. Soon others were conjecturing that, because of the major impact to customers of rebooting, that it must be something very big and important, similar to the recent Heartbleed and Shell Shock vulnerabilities. Amazon confirmed that the reboots had to do with XSA-108, but could say nothing else because of the security embargo. Unfortunately, because of the nature of embargoes, nobody with any actual knowledge of the vulnerability was allowed to say anything about it, and so the media was entirely free to speculate without any additional information to ground the discussion in reality. Now that the embargo has lifted, we can talk in detail about the vulnerability; and I'm afraid that people looking for another Shell Shock or Heartbleed are going to be disappointed. No catchy name for this one.

What is the vulnerability?

XSA-108 has to do with the emulation of a piece of hardware called an x2APIC. x2APIC is an interrupt controller: it allows the operating system to control when and how and where urgent messages from outside the chip, and from other cores within the same chip, are delivered. Interrupt controllers occupy a rather awkward position in the architecture. They are fairly complicated to implement in hardware; which is why they are not implemented in earlier generations of Intel hardware. (They have been implemented in hardware since the Ivy Bridge architecture came out in mid-2012.) But they are far too performance critical for Xen to pass emulation off to QEMU, as it does with virtual disks or virtual networks. This means that they must be emulated within Xen. The actual vulnerability, like most vulnerabilities, is pretty simple. Xen implements 256 x2APIC registers. These registers are stored in a buffer big enough to hold exactly 256 registers. However, the limit check for reading these registers was erroneosly set to 1024. What this means is that, without the fix, if you read x2APIC registers 0-255, you'll get the correct emulated value from the register buffer; but if you read x2APIC registers 256-1023, Xen will read memory from directly after the register buffer. If that memory is not mapped, Xen will crash; if it is mapped, it will copy it to the guest. So what this bug gives you is the ability to read (and only read) the 12k [1] of memory directly adjacent to where Xen is storing the first 256 registers (and no other area of memory). The fix simply corrects the limit check to 256. The emulated x2APIC functionality was introduced in Xen 4.1, so previous versions of Xen are not affected. Neither are PV guests, since Xen does not provide them with any emulated hardware. Unfortunately, the presence of VT support emulating the x2APIC, available on newer processors, doesn't mitigate the issue: it only implements the 64 registers actually used by real hardware at the moment, leaving Xen to emulate the rest of the registers. If you access registers above 64, it will trap to Xen, and Xen will emulate access to them, allowing you to trigger the bug.

The impact

What is the vulnerability?

The impact

If this seems like a relatively minor issue, that's because it is. The most likely scenario is that that 12k of memory contains other Xen data structures which contain no important information. There is, however, a chance that this memory might contain memory from another VM; and a chance that this memory might contain sensitive information, like passwords, encryption keys, or other private data. Nonetheless, this is a security issue, and the XenProject takes all potential security issues very seriously, no matter how minor. We have a mature process in place to notify cloud providers, distributions, and software providers so that they can have a fix in place before publicly disclosing any vulnerability. Applying security patches proactively, even though there's very low risk that anyone might have their secret data leaked because of it, is a conscientious and diligient thing to do. We're glad to see that so many cloud providers using Xen are demonstrating how seriously they take protecting customer data. But it is by no means a disaster. Those looking for a juicy vulnerability like Heartbleed and Shell Shock will be disappointed. [1] You may see this reported elsewhere as 3k; saying either 3k or 12k is simplifiying the truth in different ways. The MSR data is laid out as a 16-byte structure, of which only the first four bytes (one 32-bit word) can be read by this vulnerability. So the actual amount of data which is exposed is 3k, but it's spread out in 4-byte chunks across 12k of memory. _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 17:36:28 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 17:36:28 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZkIl-0000tD-Tc; Thu, 02 Oct 2014 17:36:27 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZkIl-0000t8-65 for publicity@lists.xenproject.org; Thu, 02 Oct 2014 17:36:27 +0000 Received: from [193.109.254.147:27341] by server-5.bemta-14.messagelabs.com id E8/FA-28255-A1D8D245; Thu, 02 Oct 2014 17:36:26 +0000 X-Env-Sender: lars.kurth.xen@gmail.com X-Msg-Ref: server-10.tower-27.messagelabs.com!1412271385!13058913!1 X-Originating-IP: [209.85.212.171] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 5801 invoked from network); 2 Oct 2014 17:36:25 -0000 Received: from mail-wi0-f171.google.com (HELO mail-wi0-f171.google.com) (209.85.212.171) by server-10.tower-27.messagelabs.com with RC4-SHA encrypted SMTP; 2 Oct 2014 17:36:25 -0000 Received: by mail-wi0-f171.google.com with SMTP id em10so2199069wid.10 for ; Thu, 02 Oct 2014 10:36:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=YUJeNpk7/g3+pAatFV3WKqikUkXFHG4YaDL2q3s1oaA=; b=s60LiFZnqpqptTtt3C3CookpvwgRMG7fEqw7MuKTyjVFMcmbtVL2kId3MQonSmTMuA 20ZzkzzWqwJZMZ/euJiqqSNvXZDp1DTckD+IQaiRF+DrPY0OEanXYyuyfp3SuXMDeoZy MCD2PFHBeUMgsxSv37JYt6076+l63/ilpCChMt3RHdJmKgt1C/oQ2O03ic/29du0tpO0 Q6AFgWpQ43DfZU1JmpyjfgCW1W3+vv2BvOOhtU9kLnQ10Yqpd4TUomqx05O4dOGA0igT Y24en3hOyLJW+yXLhQHWLNESmBMU1x4y8+vf/Urx8Sir9B2nRxtI5zBdkuN+0oCYOfpF 883w== X-Received: by 10.194.133.135 with SMTP id pc7mr492350wjb.54.1412271385520; Thu, 02 Oct 2014 10:36:25 -0700 (PDT) Received: from [10.80.114.159] ([185.25.64.249]) by mx.google.com with ESMTPSA id t8sm1932544wib.8.2014.10.02.10.36.23 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 02 Oct 2014 10:36:24 -0700 (PDT) Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\)) From: Lars Kurth In-Reply-To: <21549.34542.272159.795058@mariner.uk.xensource.com> Date: Thu, 2 Oct 2014 18:36:20 +0100 Message-Id: References: <542D65BE.8000604@eu.citrix.com> <21549.34542.272159.795058@mariner.uk.xensource.com> To: Ian Jackson X-Mailer: Apple Mail (2.1878.6) Cc: Andrew Halley , "publicity@lists.xenproject.org" Subject: Re: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="windows-1252" Content-Transfer-Encoding: quoted-printable Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org On 2 Oct 2014, at 18:10, Ian Jackson wrote: > George Dunlap writes ("[Publicity] Draft technical blog post"): >> Below is a more technical draft blog post in response to the recent = >> media flurry about XSA-108. If you've updated your blog logins you can = >> also preview the post here: = >> https://blog.xenproject.org/?p=3D10093&preview=3Dtrue > = > Thanks. I think this is an excellent blog post. > = > Ian. I think this is an excellent post also. In one place you use =93XenProject= =94 instead of =93Xen Project=94. That=92s all I noticed Regards Lars _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 17:36:28 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 17:36:28 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZkIl-0000tD-Tc; Thu, 02 Oct 2014 17:36:27 +0000 Received: from mail6.bemta14.messagelabs.com ([193.109.254.103]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZkIl-0000t8-65 for publicity@lists.xenproject.org; Thu, 02 Oct 2014 17:36:27 +0000 Received: from [193.109.254.147:27341] by server-5.bemta-14.messagelabs.com id E8/FA-28255-A1D8D245; Thu, 02 Oct 2014 17:36:26 +0000 X-Env-Sender: lars.kurth.xen@gmail.com X-Msg-Ref: server-10.tower-27.messagelabs.com!1412271385!13058913!1 X-Originating-IP: [209.85.212.171] X-SpamReason: No, hits=0.0 required=7.0 tests= X-StarScan-Received: X-StarScan-Version: 6.12.2; banners=-,-,- X-VirusChecked: Checked Received: (qmail 5801 invoked from network); 2 Oct 2014 17:36:25 -0000 Received: from mail-wi0-f171.google.com (HELO mail-wi0-f171.google.com) (209.85.212.171) by server-10.tower-27.messagelabs.com with RC4-SHA encrypted SMTP; 2 Oct 2014 17:36:25 -0000 Received: by mail-wi0-f171.google.com with SMTP id em10so2199069wid.10 for ; Thu, 02 Oct 2014 10:36:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=YUJeNpk7/g3+pAatFV3WKqikUkXFHG4YaDL2q3s1oaA=; b=s60LiFZnqpqptTtt3C3CookpvwgRMG7fEqw7MuKTyjVFMcmbtVL2kId3MQonSmTMuA 20ZzkzzWqwJZMZ/euJiqqSNvXZDp1DTckD+IQaiRF+DrPY0OEanXYyuyfp3SuXMDeoZy MCD2PFHBeUMgsxSv37JYt6076+l63/ilpCChMt3RHdJmKgt1C/oQ2O03ic/29du0tpO0 Q6AFgWpQ43DfZU1JmpyjfgCW1W3+vv2BvOOhtU9kLnQ10Yqpd4TUomqx05O4dOGA0igT Y24en3hOyLJW+yXLhQHWLNESmBMU1x4y8+vf/Urx8Sir9B2nRxtI5zBdkuN+0oCYOfpF 883w== X-Received: by 10.194.133.135 with SMTP id pc7mr492350wjb.54.1412271385520; Thu, 02 Oct 2014 10:36:25 -0700 (PDT) Received: from [10.80.114.159] ([185.25.64.249]) by mx.google.com with ESMTPSA id t8sm1932544wib.8.2014.10.02.10.36.23 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 02 Oct 2014 10:36:24 -0700 (PDT) Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\)) From: Lars Kurth In-Reply-To: <21549.34542.272159.795058@mariner.uk.xensource.com> Date: Thu, 2 Oct 2014 18:36:20 +0100 Message-Id: References: <542D65BE.8000604@eu.citrix.com> <21549.34542.272159.795058@mariner.uk.xensource.com> To: Ian Jackson X-Mailer: Apple Mail (2.1878.6) Cc: Andrew Halley , "publicity@lists.xenproject.org" Subject: Re: [Publicity] Draft technical blog post X-BeenThere: publicity@lists.xenproject.org X-Mailman-Version: 2.1.13 Precedence: list List-Id: "List for Xen Publicity, PR and events" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="windows-1252" Content-Transfer-Encoding: quoted-printable Sender: publicity-bounces@lists.xenproject.org Errors-To: publicity-bounces@lists.xenproject.org On 2 Oct 2014, at 18:10, Ian Jackson wrote: > George Dunlap writes ("[Publicity] Draft technical blog post"): >> Below is a more technical draft blog post in response to the recent = >> media flurry about XSA-108. If you've updated your blog logins you can = >> also preview the post here: = >> https://blog.xenproject.org/?p=3D10093&preview=3Dtrue > = > Thanks. I think this is an excellent blog post. > = > Ian. I think this is an excellent post also. In one place you use =93XenProject= =94 instead of =93Xen Project=94. That=92s all I noticed Regards Lars _______________________________________________ Publicity mailing list Publicity@lists.xenproject.org http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity From publicity-bounces@lists.xenproject.org Thu Oct 02 17:38:15 2014 Return-path: Envelope-to: archives@lists.xenproject.org Delivery-date: Thu, 02 Oct 2014 17:38:15 +0000 Received: from localhost ([127.0.0.1] helo=lists.xen.org) by lists.xen.org with esmtp (Exim 4.72) (envelope-from ) id 1XZkKV-0000uC-4B; Thu, 02 Oct 2014 17:38:15 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xen.org with esmtp (Exim 4.72) (envelope-from