Re: [Xen-devel] XSA-254 SP2 for ARM (was Re: [PATCH 1/5] xen/arm: Introduce enable callback to enable a capabilities on each online CPU)

[Stefano Stabellini <sstabellini@xxxxxxxxxx>]

On Thu, 18 Jan 2018, Julien Grall wrote:
> (+ Security team)
> 
> Hi Stefano,
> 
> On 17/01/18 21:47, Stefano Stabellini wrote:
> > On Wed, 17 Jan 2018, Stefano Stabellini wrote:
> > > On Wed, 17 Jan 2018, Lars Kurth wrote:
> > > >        Regarding README.source, this is covering file and contain the
> > > > same mention as in the commit message. As this is a single function.
> > > > Isn't the commit message
> > > >        enough?
> > > > 
> > > > 
> > > >  From a legal viewpoint it is enough.
> > > 
> > > If that is enough from a legal viewpoint, then it is enough for me.
> > > 
> > > However, from a legal viewpoint, I thought we needed to explicitly
> > > mention all the original signed-off-bys because Julien is not actually
> > > the copyright holder for that function, hence, we need to add the
> > > signed-off-bys of all the missing copyright holders.
> > 
> > Actually, reading again the Developer’s Certificate of Origin, it
> > states:
> > 
> > "The contribution is based upon previous work that, to the best of my
> > knowledge, is covered under an appropriate open source license and I have
> > the right under that license to submit that work with modifications, whether
> > created in whole or in part by me, under the same open source license
> > (unless I am permitted to submit under a different license), as indicated in
> > the file"
> > 
> > so I think Lars is right. In that case, there is no need to resubmit
> > this series, I'll commit to staging as is. If tests go well, I'll
> > backport it to the stable trees.
> Thank you! I have created branches with patches backported up to Xen 4.8. With
> minor changes:
> 
>    - Xen 4.10: No changes
>    - Xen 4.9:
>       * minor conflict in some files
>       * compilation failure in cpuerrata.c (__virt_to_mfn does not exist)
>    - Xen 4.8:
>       * conflict in some files (one medium as the number of "features" is
> different)
>       * compilation failure in cpuerrata.c (__virt_to_mfn does not exist)
>       
> The branches can be found on xenbits [1] : xsa-254-sp2-X.XX where X.XX is the
> version of Xen.
> 
> Xen 4.7 and earlier does not have cpufeature/cpuerrata infrastructure and will
> require backport. The only difficulty here should be finding the list of
> commits required.
> 
> Also, we probably want to update the XSA pointing to the patches. So if
> someone wants to backport to Xen 4.7 (or earlier) they can. Any opinions?

Thank you, Julien. Ideally, I would like to do the backports after
OSSTest passes its tests on those changes. In practice, for the sake of
mitigating SP2 as soon as possible, tomorrow (Friday) I might do the
backports anyway, if OSSTest is still behind on other problems.

I don't think that backporting cpufeature/cpuerrata to 4.7 should be too
convoluted, I'll give that a go as well.

Once done, I'll provide the list of commits to the xen security list so
that the XSA advisory can be updated appropriately.

Cheers,

Stefano


> Cheers,
> 
> [1] https://xenbits.xen.org/git-http/people/julieng/xen-unstable.git

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel