author | Alexey Shvetsov <alexxy@gentoo.org> | 2011-09-21 11:14:59 +0000 |
---|---|---|
committer | Alexey Shvetsov <alexxy@gentoo.org> | 2011-09-21 11:14:59 +0000 |
commit | 53dc79db026b886b70d9998d30165ec40ccf6014 (patch) | |
tree | 2a9c1a73de17f202bf11694f21e3cb0544085b34 /app-emulation | |
parent | Fix underlink. Bug #379489 (diff) | |
[app-emulation/xen] Security patch from xen-4 backported for xen-3 by Ian Delaney aka idell4
Package-Manager: portage-2.2.0_alpha59/cvs/Linux x86_64
Diffstat (limited to 'app-emulation')
-rw-r--r-- | app-emulation/xen/ChangeLog | 8 | ||||
-rw-r--r-- | app-emulation/xen/Manifest | 30 | ||||
-rw-r--r-- | app-emulation/xen/files/xen-3.4.2-no-DMA.patch | 71 | ||||
-rw-r--r-- | app-emulation/xen/xen-3.4.2-r2.ebuild | 111 |
4 files changed, 205 insertions, 15 deletions
diff --git a/app-emulation/xen/ChangeLog b/app-emulation/xen/ChangeLog
index 19bfacd00d43..26fd5bfb6af7 100644
--- a/app-emulation/xen/ChangeLog
+++ b/app-emulation/xen/ChangeLog
@@ -1,6 +1,12 @@
 # ChangeLog for app-emulation/xen
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.80 2011/09/18 12:15:08 alexxy Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/ChangeLog,v 1.81 2011/09/21 11:14:59 alexxy Exp $
+
+*xen-3.4.2-r2 (21 Sep 2011)
+
+ 21 Sep 2011; Alexey Shvetsov <alexxy@gentoo.org> +xen-3.4.2-r2.ebuild,
+ +files/xen-3.4.2-no-DMA.patch:
+ Security patch from xen-4 backported for xen-3 by Ian Delaney aka idell4
 
 *xen-4.1.1-r2 (18 Sep 2011)
 
diff --git a/app-emulation/xen/Manifest b/app-emulation/xen/Manifest
index ef2e3367e8cf..06fa65255787 100644
--- a/app-emulation/xen/Manifest
+++ b/app-emulation/xen/Manifest
@@ -3,28 +3,30 @@ Hash: SHA256 AUX xen-3.3.0-unexported-target-fix.patch 788 RMD160 4b30444c021479cbd3969493639533fc1e43e781 SHA1 9119f06b4a005c385ac27e085e2d96ccf9cd4dc9 SHA256 e46f5fbe4c579b84f895f0ac6e05589553a11305ca30e69405082d58abd9ee07 AUX xen-3.4.2-dump_registers-watchdog-fix.patch 533 RMD160 766249003d91cbec3b0014a8446e1a4d01cd847a SHA1 6306250671976c638f814a4958211af4bacb53b4 SHA256 17d18f268efd302085bdfa0673e2d9478e84206b6d060d0a63854441233a81c6 +AUX xen-3.4.2-no-DMA.patch 2708 RMD160 9aa83e21e8b07feca1f799f9efb4f9cd5728c6c6 SHA1 e55fa5a04203470af68452762f919b402854fce9 SHA256 87a3fe134b8d3c762d4d229986ccb77898a603a18974f453cfdf6ba9d68fe982 AUX xen-4.1.1-iommu_sec_fix.patch 2851 RMD160 4367178c10cdc1e752f3e9ffb70f42e6e7179242 SHA1 8487f85dbf81bf245deaccca5ff5b8f46e60d112 SHA256 3a0ab3cb5c18db91f4be457cbba36189a558da7b794e1a35795f4fed3d48a7c8 DIST xen-3.4.2.tar.gz 11187726 RMD160 2ef81df1f44356d60e04e21df2173ce5357d8509 SHA1 3cd2cafacd52bbac2e2da1cfd846ee6260b43455 SHA256 d17c33136041cc8da69214ccf527fc48637bee7a9ab4d68a88ec50e6a9d20b0b DIST xen-4.1.1.tar.gz 10355625 RMD160 4b3c0641b0f098889f627662aa6b8fea00c5b636 SHA1 f1b5ef4b663c339faf9c77fc895327cfbcc9776c SHA256 246289227507466b5da8b2d0da84a5b0e68a392527b16cde38898d0348890f5b EBUILD xen-3.4.2-r1.ebuild 3058 RMD160 19a8baa3dbf87f4c5d4e5019f88ae4dc5ccc32e6 SHA1 aed8b48c47b8f713dbc17d67fa2d21c838f7f071 SHA256 719917cfbf0605d4951415d9f53c49262d92ba8e8921a3835aefcd549dd275bb +EBUILD xen-3.4.2-r2.ebuild 3134 RMD160 ece90071fa1eade372d7ec8c39d21ebcae407a19 SHA1 c7d70437fd36305200602eda3c41f42b6bd76e61 SHA256 8a16d8ee07c79f5f8bf0ceb584e717b25770aeff14c645c4abd73ef586db2901 EBUILD xen-4.1.1-r2.ebuild 3012 RMD160 7055789a3d10a477921485e1fd3a1500bca317a5 SHA1 7eab29e0157f06c46c530329b8acb4db53c3c061 SHA256 40fbd9ea0a51c0e72c7b53e5cbb85cdf9157687a1fdb3c6b34e29ad972b0c387 EBUILD xen-9999.ebuild 2929 RMD160 34b61aa566948357bed2bde59d06e38fdc21249c SHA1 5dfa8cebff2f2b9a10e40b888e151baf8afb804c SHA256 
62f131e504a87ab2e05b1109325167ae9f6d9747ae90d89536d49734c7445f0e -MISC ChangeLog 12833 RMD160 446a1d8cdd825f12e62b6119f3effea7a35513d6 SHA1 17f7c82dfea94d0fbce0abee46dbd35a4b317406 SHA256 ce714638aa70a3180c06ad02bdce7e3b0814c43ebabe55411e2a5fe9a768edf4 +MISC ChangeLog 13044 RMD160 414249645a0e0095178820063c0baa3cb36d00a0 SHA1 7315826966a1861803a774e10ec55d5add8bbb3c SHA256 4f8456682b58e74d352cb0eb87fbe32fbf640202e76f757ee67a88439cad6f1a MISC metadata.xml 581 RMD160 d22ffb491d9dad33425b97add683dd6b8b9139e1 SHA1 649f65e9fd2ab25e32394c555a24fc0f6b59c37f SHA256 1cf2cc4bb5b5278ac75e74910607518ddd2bd6454f18325319ce1ac102fab535 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (GNU/Linux) -iQIcBAEBCAAGBQJOdeCdAAoJEOf+E+/4L5LmBGoP+gJzjte0I5pC0xd8qFwwe+UF -SYOfe/pno7kmKM6cPCmLrISVxdpuAEngzndg7KMparoEW+7aon1k6MO69Mqd/aX/ -2s1gNyAhVrZLqJDESoslQPtSiN1g6EiM3PEBDgbrAEQFL5I74OH7cIctJ4yoVMkc -9tDfIvS3M6mY0/ScaqlO9KDMMaotaKHPaPG07libIYdVzAx0B7GlaoK+52rOZnl+ -r6y+xJllwNh/ebdRm3RNTLQsYVrD9EgBDNjX9Of/Ct+Be1dtrAcp9LIArFWq4bZr -kTJbkGLI5+NIWOOJ/OwpT2jtugjRhH3WDmE2u7IqdWHjUf5KxSypgMzOyVaPF+0D -7jEMYlOoSucioTa72LAQg56ops0IRhuwIElWfV5fouDvJ/buRbrSrWv0LG1Y07fu -6SZTXAPrgubwpIpbfl2WrkbL6AXuJmLQV+4fjB9BzC71VeMMGlNV+I52jWbVr9BT -6NmMPL8b+9BA96KDuhxJp38wQtjde7ogDd04xnofmm+sjGt95pxjT83c3jIJO6Rp -IpScDZe5uugRUSnEkDoFOoD8Q2O/ApdSS0U4gIfdAEIROrnsBKgjDoVNvyn3fvf9 -BXO3Uuw6rOh8ESFgK5Iys++Ti151Y3PTpH8FP04NlhELD9P36OdG8944X/nL9p9w -86IpewGQSXzf3cXJz+p5 -=lrTB +iQIcBAEBCAAGBQJOecb8AAoJEOf+E+/4L5Lmk+IP+QE+4YDpbkvTYcav5tCYxAu0 +n7x5GEX29qO7UAq7OXgQhZVZuXB2rZ+nPI3u4v8d1odOhnX4EgdTkKm26doVzdOg +p+uINP/Vtbw29cGomO3vaHzEYZkKXyVfovDtv1Csqzj+jjr4fIzy/tiG0Fxn4cjY +e72hprADqsAKq/u8tlfL4lp58zX71JLgXAESutGQBexqwUN8T4efpKV6qYRthuwF +MVMFXjpZI7nKeZTlIQYHSNTgPTlMKsoZoUycCoMtsFWerCwuymDeS7lKr0KEf2mb +luQV1C3LR+f9O1Ikmv+a23b309WQgyZp1sr4ydchBDwiSxytB9myAUU15xbLAHeS +ZlZl/up8BM7eXqWH46Q+wRqYPe9hW5NUIQvMXiJPz0nSSfQ3W+QWSxrRbxK5CJP9 +8QymoE26SPO86K5S8OtJrk255FV/SwRGLVE9l1/j+V8XaMugiGayRNkaU4bftKyT 
+LuaJH0YId8acIH1fYIiBUmKPTTYIkiGJlhr+mLocATxcFBVi/Svu9ew7ryc0c7gl +4e3NE58ZJXQQfokrspJimVPjksHLPRkiXXI9tvWA+V50jg7rsg1WMO1vUovWKmID +aEXdACW4jGAaZ4T0qk8k+pUiYuRcg6xRaae5BYG8iqVJ8aVAOA8LUcmyIo21sSCu +GtBx8gJ0rfZIRvWRhQ+c +=1IgY -----END PGP SIGNATURE----- diff --git a/app-emulation/xen/files/xen-3.4.2-no-DMA.patch b/app-emulation/xen/files/xen-3.4.2-no-DMA.patch new file mode 100644 index 000000000000..f04d9e26f9b2 --- /dev/null +++ b/app-emulation/xen/files/xen-3.4.2-no-DMA.patch 
@@ -0,0 +1,71 @@
+# HG changeset patch
+# User Tim Deegan <Tim.Deegan@citrix.com>
+# Date 1313145221 -3600
+# Node ID 84e3706df07a1963e23cd3875d8603917657d462
+# Parent cb22fa57ff252893b6adb1481e09b1287eacd990
+Passthrough: disable bus-mastering on any card that causes an IOMMU fault.
+
+This stops the card from raising back-to-back faults and live-locking
+the CPU that handles them.
+
+Signed-off-by: Tim Deegan <tim@xen.org>
+Acked-by: Wei Wang2 <wei.wang2@amd.com>
+Acked-by: Allen M Kay <allen.m.kay@intel.com>
+
+--- a/xen/drivers/passthrough/vtd/iommu.c.orig Mon Jul 25 16:48:39 2011 +0100
++++ b/xen/drivers/passthrough/vtd/iommu.c Fri Aug 12 11:33:41 2011 +0100
+@@ -733,7 +733,7 @@
+ while (1)
+ {
+ u8 fault_reason;
+- u16 source_id;
++ u16 source_id, cword;
+ u32 data;
+ u64 guest_addr;
+ int type;
+@@ -766,6 +766,14 @@
+ iommu_page_fault_do_one(iommu, type, fault_reason,
+ source_id, guest_addr);
+ 
++ /* Tell the device to stop DMAing; we can't rely on the guest to
++ * control it for us. */
++ cword = pci_conf_read16(PCI_BUS(source_id), PCI_SLOT(source_id),
++ PCI_FUNC(source_id), PCI_COMMAND);
++ pci_conf_write16(PCI_BUS(source_id), PCI_SLOT(source_id),
++ PCI_FUNC(source_id), PCI_COMMAND,
++ cword & ~PCI_COMMAND_MASTER);
++
+ fault_index++;
+ if ( fault_index > cap_num_fault_regs(iommu->cap) )
+ fault_index = 0;
+ 
+--- a/xen/drivers/passthrough/amd/iommu_init.c.orig Mon Jul 25 16:48:39 2011 +0100
++++ b/xen/drivers/passthrough/amd/iommu_init.c Fri Aug 12 11:33:41 2011 +0100
+@@ -415,7 +415,7 @@
+ 
+ static void parse_event_log_entry(u32 entry[])
+ {
+- u16 domain_id, device_id;
++ u16 domain_id, device_id, bdf, cword;
+ u32 code;
+ u64 *addr;
+ char * event_str[] = {"ILLEGAL_DEV_TABLE_ENTRY",
+@@ -449,6 +449,18 @@
+ printk(XENLOG_ERR "AMD-Vi: "
+ "%s: domain = %d, device id = 0x%04x, fault address = 0x%"PRIx64"\n",
+ event_str[code-1], domain_id, device_id, *addr);
++
++ /* Tell the device to stop DMAing; we can't rely on the guest to
++ * control it for us. */
++ for ( bdf = 0; bdf < ivrs_bdf_entries; bdf++ )
++ if ( get_dma_requestor_id(bdf) == device_id )
++ {
++ cword = pci_conf_read16(PCI_BUS(bdf), PCI_SLOT(bdf),
++ PCI_FUNC(bdf), PCI_COMMAND);
++ pci_conf_write16(PCI_BUS(bdf), PCI_SLOT(bdf),
++ PCI_FUNC(bdf), PCI_COMMAND,
++ cword & ~PCI_COMMAND_MASTER);
++ }
+ }
+ }
+ 
diff --git a/app-emulation/xen/xen-3.4.2-r2.ebuild b/app-emulation/xen/xen-3.4.2-r2.ebuild
new file mode 100644
index 000000000000..c170f73ec782
--- /dev/null
+++ b/app-emulation/xen/xen-3.4.2-r2.ebuild
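Review bot: The pci_conf_write16 calls added in both inner hunks clear PCI_COMMAND_MASTER without logging that they did so, so the only trace an operator gets is the preceding fault message, and nothing in the hypervisor log says that the device's DMA was deliberately stopped; a one-line message after each write, for the VT-d path something like `printk(XENLOG_WARNING "Disabled bus-mastering on %02x:%02x.%x after IOMMU fault\n", PCI_BUS(source_id), PCI_SLOT(source_id), PCI_FUNC(source_id));` (constructed example), would make the resulting quiet device loss diagnosable from the log. Since this file carries a verbatim upstream changeset (Node ID 84e3706df07a in its header), that addition belongs in a separate follow-up patch rather than an edit to this one. Note also that the AMD hunk clears the bit on every bdf whose requestor id matches device_id, while the VT-d hunk acts only on source_id; whether that asymmetry is intended is not visible here, so a comment stating it would help the next backporter.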
@@ -0,0 +1,111 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-emulation/xen/xen-3.4.2-r2.ebuild,v 1.1 2011/09/21 11:14:59 alexxy Exp $
+
+inherit mount-boot flag-o-matic toolchain-funcs
+
+DESCRIPTION="The Xen virtual machine monitor"
+HOMEPAGE="http://xen.org/"
+SRC_URI="http://bits.xensource.com/oss-xen/release/${PV}/xen-${PV}.tar.gz"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="debug custom-cflags pae acm flask xsm"
+
+RDEPEND="|| ( sys-boot/grub
+ sys-boot/grub-static )
+ >=sys-kernel/xen-sources-2.6.18"
+PDEPEND="~app-emulation/xen-tools-${PV}"
+
+RESTRICT="test"
+
+# Approved by QA team in bug #144032
+QA_WX_LOAD="boot/xen-syms-${PV}"
+
+pkg_setup() {
+ if [[ -z ${XEN_TARGET_ARCH} ]]; then
+ if use x86 && use amd64; then
+ die "Confusion! Both x86 and amd64 are set in your use flags!"
+ elif use x86; then
+ export XEN_TARGET_ARCH="x86_32"
+ elif use amd64; then
+ export XEN_TARGET_ARCH="x86_64"
+ else
+ die "Unsupported architecture!"
+ fi
+ fi
+
+ if use xsm ; then
+ export "XSM_ENABLE=y"
+ use acm && export "ACM_SECURITY=y"
+ if use flask ; then
+ ! use acm && export "FLASK_ENABLE=y"
+ use acm && ewarn "Both acm and flask XSM specified, defaulting to acm."
+ fi
+ elif use acm || use flask ; then
+ ewarn "acm and flask require USE=xsm to be set, dropping use flags"
+ fi
+}
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}"
+
+ # Fix unexport $target in xen-setup
+ epatch "${FILESDIR}/"${PN}-3.3.0-unexported-target-fix.patch
+
+ # Fix crash in xen console
+ epatch "${FILESDIR}/"${P}-dump_registers-watchdog-fix.patch
+
+ # Security patches
+ epatch "${FILESDIR}/"${P}-no-DMA.patch || die
+
+ # if the user *really* wants to use their own custom-cflags, let them
+ if use custom-cflags; then
+ einfo "User wants their own CFLAGS - removing defaults"
+ # try and remove all the default custom-cflags
+ find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O3\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-march=i686\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-fomit-frame-pointer\(.*\)/CFLAGS\1=\2\3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-g3*\s\(.*\)/CFLAGS\1=\2 \3/' \
+ -e 's/CFLAGS\(.*\)=\(.*\)-O2\(.*\)/CFLAGS\1=\2\3/' \
+ -i {} \;
+ fi
+}
+
+src_compile() {
+ local myopt
+ use debug && myopt="${myopt} debug=y"
+ use pae && myopt="${myopt} pae=y"
+
+ if use custom-cflags; then
+ filter-flags -fPIE -fstack-protector
+ replace-flags -O3 -O2
+ else
+ unset CFLAGS
+ fi
+
+ # Send raw LDFLAGS so that --as-needed works
+ emake CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" -C xen ${myopt} || die "compile failed"
+}
+
+src_install() {
+ local myopt
+ use debug && myopt="${myopt} debug=y"
+ use pae && myopt="${myopt} pae=y"
+
+ emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install || die "install failed"
+}
+
+pkg_postinst() {
+ elog "Official Xen Guide and the unoffical wiki page:"
+ elog " http://www.gentoo.org/doc/en/xen-guide.xml"
+ elog " http://en.gentoo-wiki.com/wiki/Xen/"
+
+ if use pae; then
+ echo
+ ewarn "This is a PAE build of Xen. It will *only* boot PAE kernels!"
+ fi
+}
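Review bot: The custom-cflags branch in src_unpack rewrites fewer files than it intends: in `find "${S}" -name Makefile -o -name Rules.mk -o -name Config.mk -exec sed ...` the implicit -a binds tighter than -o, so -exec is attached only to the Config.mk test and Makefile and Rules.mk matches are never passed to sed; grouping the tests fixes it, `find "${S}" \( -name Makefile -o -name Rules.mk -o -name Config.mk \) -exec sed \`. The `|| die` on the no-DMA epatch line is inconsistent with the two epatch calls above it, which rely on epatch dying by itself on a failed apply. The `# Security patches` comment would be more useful if it said what the single patch does, e.g. `# Disable bus-mastering on a device that raises an IOMMU fault (backport of upstream changeset 84e3706df07a)`. epatch is provided by eutils, which is not on the inherit line and presumably arrives indirectly via flag-o-matic; inheriting it explicitly avoids a silent break if that eclass stops pulling it in.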