Branch: refs/heads/master
  Home:   https://github.com/siemens/jailhouse
  Commit: 9b7d0557abf32afc5bd02067c8bb04fdda984db0
  https://github.com/siemens/jailhouse/commit/9b7d0557abf32afc5bd02067c8bb04fdda984db0
  Author: Jan Kiszka <jan.kis...@siemens.com>
  Date:   2018-08-15 (Wed, 15 Aug 2018)

  Changed paths:
    M hypervisor/arch/x86/include/asm/paging.h
    M hypervisor/arch/x86/paging.c

  Log Message:
  -----------
  x86: Harden non-present mappings against L1TF

Foreshadow(-NG) has been published, and while we are already pretty well
hardened by avoiding sharing cores and by hiding sensitive data of
remote cells when running in hypervisor mode, we can and probably should
do better: A key aspect of CVE-2018-3620 and CVE-2018-3646 is that Intel
CPUs ignore the present bit when speculatively using PTEs. Therefore, a
simple and practically cost-free mitigation is to ensure that
non-present page table entries point to non-present physical addresses.
We can easily achieve that by folding invalid address bits into
PAGE_NONPRESENT_FLAGS.

This change primarily affects the hiding of the per-CPU mappings in the
hypervisor address space after setup. However, we also modify the
clear_entry callback to do the same, although there is currently no case
in the hypervisor address space where we hide sensitive data via
paging_destroy - better safe than sorry wrt potential future changes.

Signed-off-by: Jan Kiszka <jan.kis...@siemens.com>
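The property the commit describes, that a non-present PTE must not point at a physical address that actually exists, can be checked mechanically. The following is an added, constructed example and not Jailhouse code: it builds the weak and the hardened form of a non-present x86-64 entry and audits each one. It assumes a 4-level x86-64 PTE layout (PFN in bits 12..51) and a hypothetical host with 36 physical address bits; Jailhouse itself folds a fixed set of invalid address bits into PAGE_NONPRESENT_FLAGS rather than deriving them at run time as done here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed x86-64 PTE layout (not taken from Jailhouse headers). */
#define PAGE_FLAG_PRESENT   (1ULL << 0)
#define PAGE_ADDR_MASK      0x000ffffffffff000ULL  /* PFN lives in bits 12..51 */

/* Assumption for this example: the host supports 36 physical address bits. */
#define PHYS_ADDR_BITS      36

/* Weak form: clearing P leaves the old PFN in place, so a speculative
 * L1TF-style load could still be served from a real physical frame. */
static inline uint64_t make_nonpresent_weak(uint64_t pte)
{
    return pte & ~PAGE_FLAG_PRESENT;
}

/* Hardened form, in the spirit of the commit: every address bit above the
 * supported physical width is set, so the resulting PFN can never name
 * memory that exists. Note: with phys_bits == 52 there are no spare bits
 * and this returns 0, i.e. address folding cannot help on such a host. */
static inline uint64_t nonpresent_flags(unsigned int phys_bits)
{
    return PAGE_ADDR_MASK & ~((1ULL << phys_bits) - 1);
}

static inline uint64_t make_nonpresent_hardened(uint64_t pte, unsigned int phys_bits)
{
    return (pte & ~PAGE_FLAG_PRESENT) | nonpresent_flags(phys_bits);
}

/* Audit: a non-present entry whose PFN still lies inside the physical
 * address range is exactly what the mitigation is meant to rule out. */
static inline bool pte_l1tf_exposed(uint64_t pte, unsigned int phys_bits)
{
    uint64_t max_pa = (1ULL << phys_bits) - 1;

    if (pte & PAGE_FLAG_PRESENT)
        return false;
    return (pte & PAGE_ADDR_MASK) <= max_pa;
}

int main(void)
{
    uint64_t pte = 0x12345000ULL | PAGE_FLAG_PRESENT;   /* constructed entry */
    uint64_t weak = make_nonpresent_weak(pte);
    uint64_t hard = make_nonpresent_hardened(pte, PHYS_ADDR_BITS);

    printf("weak     %#018llx exposed=%d\n", (unsigned long long)weak,
           pte_l1tf_exposed(weak, PHYS_ADDR_BITS));
    printf("hardened %#018llx exposed=%d\n", (unsigned long long)hard,
           pte_l1tf_exposed(hard, PHYS_ADDR_BITS));
    return 0;
}
```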


  Commit: ff306a07de7059d9ef37155f984687639ed817c3
  https://github.com/siemens/jailhouse/commit/ff306a07de7059d9ef37155f984687639ed817c3
  Author: Ralf Ramsauer <ralf.ramsa...@oth-regensburg.de>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M hypervisor/arch/arm-common/control.c
    M hypervisor/arch/arm-common/include/asm/control.h
    M hypervisor/arch/x86/apic.c
    M hypervisor/arch/x86/control.c
    M hypervisor/arch/x86/include/asm/control.h

  Log Message:
  -----------
  core: introduce arch_send_event

Prepares consolidation of arch_cpu_resume/suspend. With this, we have
the same path on all architectures for suspending CPUs. This allows us
to consolidate code in the next step.

Signed-off-by: Ralf Ramsauer <ralf.ramsa...@oth-regensburg.de>
Signed-off-by: Jan Kiszka <jan.kis...@siemens.com>


  Commit: 1dbfecb2bf427872938b3b2530a6d20f4669b630
  https://github.com/siemens/jailhouse/commit/1dbfecb2bf427872938b3b2530a6d20f4669b630
  Author: Ralf Ramsauer <ralf.ramsa...@oth-regensburg.de>
  Date:   2018-08-17 (Fri, 17 Aug 2018)

  Changed paths:
    M Documentation/articles/LWN.net-article-01-2014.txt
    M hypervisor/arch/arm-common/control.c
    M hypervisor/arch/x86/control.c
    M hypervisor/control.c
    M hypervisor/include/jailhouse/control.h

  Log Message:
  -----------
  core: consolidate arch_resume_cpu / arch_resume_cpu

No need to duplicate code; we now have the same path on all
architectures.

Additionally, suspend_cpu() is only called in hypervisor/control.c.
Restrict its visibility and make it static.

Signed-off-by: Ralf Ramsauer <ralf.ramsa...@oth-regensburg.de>
Signed-off-by: Jan Kiszka <jan.kis...@siemens.com>


  Commit: ac6d37f5077b0c1534ef0780a37e0bf07b81fb61
  https://github.com/siemens/jailhouse/commit/ac6d37f5077b0c1534ef0780a37e0bf07b81fb61
  Author: Jan Kiszka <jan.kis...@siemens.com>
  Date:   2018-08-18 (Sat, 18 Aug 2018)

  Changed paths:
    M Makefile

  Log Message:
  -----------
  pyjailhouse: Avoid parallel installation

pip dislikes running in parallel with kbuild because it can get confused by
temporary artifacts the latter generates:

[...]
make[1]: Entering directory '/home/builder/jailhouse/git'
install -d -m 755 /home/builder/jailhouse/git/debian/jailhouse/lib/firmware
install -d -m 755 /home/builder/jailhouse/git/debian/jailhouse/usr/libexec/jailhouse
python -m pip install --upgrade --force-reinstall --root=/home/builder/jailhouse/git/debian/jailhouse .
install -m 644 inmates/tools/x86/*.bin /home/builder/jailhouse/git/debian/jailhouse/usr/libexec/jailhouse
Processing /home/builder/jailhouse/git
  CHK     /home/builder/jailhouse/git/hypervisor/include/generated/config.mk
  CHK     /home/builder/jailhouse/git/hypervisor/include/generated/version.h
Exception:
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/pip/basecommand.py", line 215, in main
    status = self.run(options, args)
  File "/usr/lib/python2.7/dist-packages/pip/commands/install.py", line 353, in run
    wb.build(autobuilding=True)
  File "/usr/lib/python2.7/dist-packages/pip/wheel.py", line 749, in build
    self.requirement_set.prepare_files(self.finder)
  File "/usr/lib/python2.7/dist-packages/pip/req/req_set.py", line 380, in prepare_files
    ignore_dependencies=self.ignore_dependencies))
  File "/usr/lib/python2.7/dist-packages/pip/req/req_set.py", line 620, in _prepare_file
    session=self.session, hashes=hashes)
  File "/usr/lib/python2.7/dist-packages/pip/download.py", line 809, in unpack_url
    unpack_file_url(link, location, download_dir, hashes=hashes)
  File "/usr/lib/python2.7/dist-packages/pip/download.py", line 686, in unpack_file_url
    shutil.copytree(link_path, location, symlinks=True)
  File "/usr/lib/python2.7/shutil.py", line 208, in copytree
    raise Error, errors
Error: [('/home/builder/jailhouse/git/.3844.tmp', '/tmp/pip-SJsW0O-build/.3844.tmp', "[Errno 2] No such file or directory: '/home/builder/jailhouse/git/.3844.tmp'")]
Makefile:57: recipe for target 'pyjailhouse_install' failed
[...]

Avoid that situation by running pip after all other installation steps.

Signed-off-by: Jan Kiszka <jan.kis...@siemens.com>


Compare: https://github.com/siemens/jailhouse/compare/c20fe81d74a7...ac6d37f5077b