xen-devel.lists.xenproject.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v2] SUPPORT.md: Un-shimmed 32-bit PV guests are no longer supported
@ 2021-05-06 12:47 George Dunlap
  2021-05-06 13:09 ` Jan Beulich
                   ` (3 more replies)
  0 siblings, 4 replies; 7+ messages in thread
From: George Dunlap @ 2021-05-06 12:47 UTC (permalink / raw)
  To: security; +Cc: xen-devel, George Dunlap, Jann Horn, Jan Beulich

The support status of 32-bit guests doesn't seem particularly useful.

With it changed to fully unsupported outside of PV-shim, adjust the PV32
Kconfig default accordingly.

Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: George Dunlap <george.dunlap@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
---
v2:
 - add in Kconfig from advisory, ported over c/s d23d792478d
---
 SUPPORT.md           | 9 +--------
 xen/arch/x86/Kconfig | 7 +++++--
 2 files changed, 6 insertions(+), 10 deletions(-)

diff --git a/SUPPORT.md b/SUPPORT.md
index d0d4fc6f4f..a29680e04c 100644
--- a/SUPPORT.md
+++ b/SUPPORT.md
@@ -86,14 +86,7 @@ No hardware requirements
 
     Status, x86_64: Supported
     Status, x86_32, shim: Supported
-    Status, x86_32, without shim: Supported, with caveats
-
-Due to architectural limitations,
-32-bit PV guests must be assumed to be able to read arbitrary host memory
-using speculative execution attacks.
-Advisories will continue to be issued
-for new vulnerabilities related to un-shimmed 32-bit PV guests
-enabling denial-of-service attacks or privilege escalation attacks.
+    Status, x86_32, without shim: Supported, not security supported
 
 ### x86/HVM
 
diff --git a/xen/arch/x86/Kconfig b/xen/arch/x86/Kconfig
index e55e029b79..9b164db641 100644
--- a/xen/arch/x86/Kconfig
+++ b/xen/arch/x86/Kconfig
@@ -55,7 +55,7 @@ config PV
 config PV32
 	bool "Support for 32bit PV guests"
 	depends on PV
-	default y
+	default PV_SHIM
 	select COMPAT
 	---help---
 	  The 32bit PV ABI uses Ring1, an area of the x86 architecture which
@@ -67,7 +67,10 @@ config PV32
 	  reduction, or performance reasons.  Backwards compatibility can be
 	  provided via the PV Shim mechanism.
 
-	  If unsure, say Y.
+	  Note that outside of PV Shim, 32-bit PV guests are not security
+	  supported anymore.
+
+	  If unsure, use the default setting.
 
 config PV_LINEAR_PT
        bool "Support for PV linear pagetables"
-- 
2.30.2



^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2021-06-07  9:18 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-06 12:47 [PATCH v2] SUPPORT.md: Un-shimmed 32-bit PV guests are no longer supported George Dunlap
2021-05-06 13:09 ` Jan Beulich
2021-05-06 14:32   ` Andrew Cooper
2021-05-07 10:26 ` Roger Pau Monné
2021-05-07 11:05   ` Jan Beulich
2021-06-04 13:14 ` George Dunlap
2021-06-07  9:18 ` Jan Beulich

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).