
[Xen-users] Passing "allow_unsafe" appears not to workaround protection for CVE-2012-2934


  • To: xen-users@xxxxxxxxxxxxx
  • From: Stephen Nelson-Smith <sanelson@xxxxxxxxx>
  • Date: Thu, 3 Jan 2013 01:41:20 +0000
  • Delivery-date: Thu, 03 Jan 2013 01:42:54 +0000
  • List-id: Xen user discussion <xen-users.lists.xen.org>

Having finished a round of testing in my own lab, I've connected to my
client's test lab and reproduced my Xen Dom0.

Upon trying a test creation of a DomU, I was intrigued to receive the message:

ERROR    POST operation failed: xend_post: error from xen daemon:
(xend.err 'Error creating domain: Creating domain failed:
name=snstest00')
Domain installation does not appear to have been successful.

Digging a little deeper, I saw in xm dmesg:

(XEN) Xen does not allow DomU creation on this CPU for security reasons.

And also the hint:

(XEN) *** Xen will not allow creation of DomU-s on this CPU for
security reasons. ***
(XEN) *** Pass "allow_unsafe" if you're trusting all your (PV)
guest kernels. ***

So, I added allow_unsafe to my kernel parameters and rebooted:

[root@dom0-a ~]# cat /proc/cmdline
placeholder root=/dev/mapper/vg_dom0--a-lv_root ro rd.md=0 rd.dm=0
SYSFONT=True rd.lvm.lv=vg_dom0-a/lv_root KEYTABLE=uk rd.luks=0
rd.lvm.lv=vg_dom0-a/lv_swap LANG=en_US.UTF-8 rhgb noacpi xdriver=vesa
resolution=1024x786 allow_unsafe

However, I still get the same messages in xm dmesg, and I am still
unable to build a DomU.

I'm using a machine with AMD Opteron(tm) Processor 254 chips.

This chipset appears in this CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2934, and is
discussed here:
http://lists.xen.org/archives/html/xen-announce/2012-06/msg00002.html

The announcement explicitly says:

"A command line override is provided to allow users who accept the
risks or who are able to mitigate as above to continue to do so. To
activate the override add "allow_unsafe" to your hypervisor command
line"

This is a test system, and I'm up against some deadlines now, so it's
completely OK to run with this risk in mind; however, I can't
understand why passing "allow_unsafe" didn't have the published
effect.

Please help! :)

S.
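An added check, not from the poster or the Xen project, that tells the two command lines apart: the announcement quoted above puts allow_unsafe on the hypervisor command line, whereas /proc/cmdline only shows the dom0 Linux kernel's parameters. It parses a constructed GRUB boot entry and a constructed excerpt of "xm info" output (whose xen_commandline field reports what the running hypervisor received); neither sample is the poster's real configuration.

```python
import re

# Constructed GRUB-legacy Xen entry (not the poster's real config): allow_unsafe
# sits on the dom0 kernel's "module" line, which is what /proc/cmdline shows,
# while the advisory asks for it on the hypervisor's line.
SAMPLE_GRUB_ENTRY = """\
title CentOS Xen (2.6.32)
        root (hd0,0)
        kernel /xen.gz dom0_mem=1024M
        module /vmlinuz-2.6.32 ro root=/dev/mapper/vg_dom0--a-lv_root rhgb allow_unsafe
        module /initramfs-2.6.32.img
"""
# Constructed "xm info" excerpt for the same boot; xen_commandline is what the
# running hypervisor really received.
SAMPLE_XM_INFO = """\
xen_major              : 4
xen_commandline        : dom0_mem=1024M
"""

def classify_lines(entry):
    """Yield (role, args) per boot line: GRUB legacy loads Xen with 'kernel'
    and dom0 with the first 'module'; GRUB2 uses multiboot(2)/module(2)."""
    expect_dom0 = False
    for raw in entry.splitlines():
        parts = raw.split()
        if len(parts) < 2:
            continue
        directive, image, args = parts[0], parts[1], parts[2:]
        if directive in ("multiboot", "multiboot2") or (
                directive == "kernel" and "xen" in image):
            expect_dom0 = True
            yield "hypervisor", args
        elif directive in ("module", "module2") and expect_dom0:
            expect_dom0 = False  # later modules are initrds, not kernels
            yield "dom0_kernel", args

def locate_option(entry, option="allow_unsafe"):
    """Return the roles whose command line carries `option` as a whole word."""
    return {role for role, args in classify_lines(entry) if option in args}

def hypervisor_cmdline_has(xm_info_output, option="allow_unsafe"):
    """Check the xen_commandline field of `xm info` output rather than
    /proc/cmdline, which only reflects the dom0 kernel's own parameters."""
    m = re.search(r"^xen_commandline\s*:\s*(.*)$", xm_info_output, re.M)
    return bool(m) and option in m.group(1).split()
```

On the sample above the option is found only on the dom0 kernel line and is absent from xen_commandline, which is the situation the quoted /proc/cmdline output describes.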
