Xen project Mailing List

Re: Xen Security Advisory 466 v3 (CVE-2024-53241) - Xen hypercall page unsafe against speculative attacks

To: "Xen.org security team" <security@xxxxxxx>, xen-announce@xxxxxxxxxxxxx, xen-devel@xxxxxxxxxxxxx, xen-users@xxxxxxxxxxxxx, oss-security@xxxxxxxxxxxxxxxxxx

From: David Woodhouse <dwmw2@xxxxxxxxxxxxx>

Date: Mon, 23 Dec 2024 14:24:10 +0000

Cc: "Xen.org security team" <security-team-members@xxxxxxx>

Delivery-date: Tue, 24 Dec 2024 16:17:15 +0000

List-id: Xen user discussion <xen-users.lists.xenproject.org>

On Tue, 2024-12-17 at 12:18 +0000, Xen.org security team wrote: > Xen Security Advisory CVE-2024-53241 / XSA-466 > version 3 > > Xen hypercall page unsafe against speculative attacks > > UPDATES IN VERSION 3 > ==================== > > Update of patch 5, public release. Can't we even use the hypercall page early in boot? Surely we have to know whether we're running on an Intel or AMD CPU before we get to the point where we can enable any of the new control-flow integrity support? Do we need to jump through those hoops do do that early detection and setup? Enabling the hypercall page is also one of the two points where Xen will 'latch' that the guest is 64-bit, which affects the layout of the shared_info, vcpu_info and runstate structures. The other such latching point is when the guest sets HVM_PARAM_CALLBACK_IRQ, and I *think* that should work in all implementations of the Xen ABI (including QEMU/KVM and EC2). But would want to test. But perhaps it wouldn't hurt for maximal compatibility for Linux to set the hypercall page *anyway*, even if Linux doesn't then use it — or only uses it during early boot?

Attachment: smime.p7s
Description: S/MIME cryptographic signature

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.