diff options
author | Sam Mulvey | 2021-08-28 00:23:37 -0700 |
---|---|---|
committer | Sam Mulvey | 2021-08-28 00:23:37 -0700 |
commit | 65a0813ca2d805c971cc2d328babf066175c13f5 (patch) | |
tree | e2949fc1a6ef3816132e21a696428eec962db129 | |
parent | 4e5d5518d1b21850862dd3fe4c0adf436e99afbc (diff) | |
download | aur-65a0813ca2d805c971cc2d328babf066175c13f5.tar.gz |
4.15.0-3, adds EFI fixes, gcc11 fixes, and XSA patch
-rw-r--r-- | .SRCINFO | 26 | ||||
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | PKGBUILD | 64 | ||||
-rw-r--r-- | aur-xsa379.patch | 57 | ||||
-rw-r--r-- | gcc-11.patch | 69 |
5 files changed, 199 insertions, 23 deletions
@@ -1,7 +1,7 @@ pkgbase = xen pkgdesc = Open-source type-1 or baremetal hypervisor pkgver = 4.15.0 - pkgrel = 1 + pkgrel = 3 url = https://xenproject.org/ arch = x86_64 license = GPL2 @@ -25,6 +25,8 @@ pkgbase = xen makedepends = lzo makedepends = pciutils makedepends = sdl2 + makedepends = systemd-libs + makedepends = systemd makedepends = wget makedepends = pandoc makedepends = valgrind @@ -37,6 +39,11 @@ pkgbase = xen makedepends = pixman makedepends = ocaml makedepends = fig2dev + noextract = aur-xsa379.patch + noextract = xsa380-1.patch + noextract = xsa380-2.patch + noextract = xsa382.patch + noextract = xsa383.patch options = !buildflags source = https://downloads.xenproject.org/release/xen/4.15.0/xen-4.15.0.tar.gz source = https://downloads.xenproject.org/release/xen/4.15.0/xen-4.15.0.tar.gz.sig @@ -47,6 +54,12 @@ pkgbase = xen source = xen-intel-ucode.hook source = xen-amd-ucode.hook source = no-ld-no-pie.patch + source = gcc-11.patch + source = aur-xsa379.patch + source = https://xenbits.xen.org/xsa/xsa380/xsa380-1.patch + source = https://xenbits.xen.org/xsa/xsa380/xsa380-2.patch + source = https://xenbits.xen.org/xsa/xsa382.patch + source = https://xenbits.xen.org/xsa/xsa383.patch validpgpkeys = 23E3222C145F4475FA8060A783FE14C957E82BD9 sha512sums = 93683b8a97387ca5f003c635a11d163e61c87dbdc9a03081f9155fe87b49f1dfa74ce243fcd5e04dc009353a36e2375b786f1ebde828b5951a094cd64197b4c7 sha512sums = 7ca2894ece626a116e03f0e3e2ddf36c7cf26b1db0eef410bb93acae32897042b087f670a416b13c5df8f1c8bd9d848ad075f1ce8a651b3341ec20b56daf21ae @@ -57,6 +70,12 @@ pkgbase = xen sha512sums = 7a832de9b35f4b77ee80d33310b23886f4d48d1d42c3d6ef6f8e2b428bec7332a285336864b61cfa01d9a14c2023674015beb7527bd5849b069f2be88e6500cd sha512sums = 99921b94a29fa7988c7fb5c17da8e598e777c972d6cae8c8643c991e5ff911a25525345ea8913945313d5c49fecf9da8cc3b83d47ab03928341e917b304370a9 sha512sums = 72edbacdb2b3b4449448e1bf7a6b31b58234eed1abe010db6dcf4033158edf095b081bc6eb89cde3156432dd35c449e1954aeefb2c4bc785a5d3f93de7b0fa76 + sha512sums = 68d468b0a811bd8882992a605d16ab1e0e95dd5e4644bdcf1287ffb0db046dddcbdf740df7d7f32665cbb50088e9e4a7c7d69fbfbf42e460ebdc097caccdd7b2 + sha512sums = 03d1250ae52098bc7ba46ec3cfb5d7bd699a3c5c66dbd231dcc6776fb2d71b3c0f801fb3f1e6cdc102cf06b2b73b86734f61b0fc8ab2d88a54c2371eba31828a + sha512sums = 9c65e5860aa4cea90224ebf9340d314ba1cf4f687fb5ccc8489dbc3465a03a467411639c00e31b6090f09813e0102a94a833a47da4427b673369b9e4b977b4bd + sha512sums = 61a87c2baff2b84af14d53556c918a1ff4ca1a6189b05cd2fcf8a1366c5af5dc1dbf7168d8f79c821c0e6ee629d72145514087844f0469a5f96668171157b393 + sha512sums = 6c5e3388fcfb0dcae30d5f315bf95d263c82519d2cbf2a8a88d280b5b0b1c1ed4cce7a1a85fabbf57c785ad9dc23e8e5e4773c631c00e036aada604ff8e7fa03 + sha512sums = d5106df26e6c4512d88ea6748c403117a2b61cb40f6d6c08a76f160352b79f94dd67cbb3419a33f2c6cfc7bbd644baed0498e366a6bf00d8031df728a47f36ea pkgname = xen pkgdesc = Open-source type-1 or baremetal hypervisor @@ -81,6 +100,10 @@ pkgname = xen depends = lzo depends = pciutils depends = sdl2 + depends = pixman + depends = libseccomp + depends = libpng + depends = libjpeg-turbo optdepends = edk2-ovmf: UEFI support optdepends = seabios: SeaBIOS payload support optdepends = xen-docs: HTML documentation and man pages @@ -96,4 +119,3 @@ pkgname = xen pkgname = xen-docs pkgdesc = Xen hypervisor documentation and man pages arch = any - diff --git a/ChangeLog b/ChangeLog index 19762e696c3e..20f60dfca05c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2021-08-28 Sam Mulvey + * 4.15.0-3 + * EFI fixes + * continued GCC11 changes + * XSA: 379 380 382 383 + 2021-04-15 Sam Mulvey * 4.15.0-1 * stubdom build now defaults false @@ -5,6 +5,9 @@ # Build Options _build_stubdom=${build_stubdom:-false} _build_qemu=${build_qemu:-true} +_boot_dir=${boot_dir:-/boot} +_efi_dir=${efi_dir:-/boot} +_efi_mountpoint=${efi_mountpoint:-/boot} # Check http://xenbits.xen.org/xen-extfiles/ for updates _gmp=4.3.2 @@ -19,7 +22,7 @@ _zlib=1.2.3 pkgbase=xen pkgname=("xen" "xen-docs") pkgver=4.15.0 -pkgrel=1 +pkgrel=3 pkgdesc='Open-source type-1 or baremetal hypervisor' arch=('x86_64') url='https://xenproject.org/' @@ -30,10 +33,10 @@ options=(!buildflags) makedepends=( 'zlib' 'python' 'ncurses' 'openssl' 'libx11' 'libuuid.so' 'yajl' 'libaio' 'glib2' 'pkgconf' 'bridge-utils' 'iproute2' 'inetutils' 'acpica' 'lib32-glibc' 'gnutls' - 'vde2' 'lzo' 'pciutils' 'sdl2' + 'vde2' 'lzo' 'pciutils' 'sdl2' 'systemd-libs' ) # last line from namcap, these depends are the xen depends # Actual makedepends. -makedepends+=('wget' 'pandoc' 'valgrind' 'git' 'bin86' 'dev86' 'bison' 'gettext' 'flex' 'pixman' 'ocaml' 'fig2dev') +makedepends+=('systemd' 'wget' 'pandoc' 'valgrind' 'git' 'bin86' 'dev86' 'bison' 'gettext' 'flex' 'pixman' 'ocaml' 'fig2dev') _source=( "https://downloads.xenproject.org/release/xen/$pkgver/$pkgname-$pkgver.tar.gz"{,.sig} @@ -44,6 +47,7 @@ _source=( "xen-intel-ucode.hook" "xen-amd-ucode.hook" "no-ld-no-pie.patch" + "gcc-11.patch" ) validpgpkeys=('23E3222C145F4475FA8060A783FE14C957E82BD9') # Xen.org Xen tree code signing (signatures on the xen hypervisor and tools) <pgp@xen.org> @@ -52,6 +56,11 @@ validpgpkeys=('23E3222C145F4475FA8060A783FE14C957E82BD9') # Xen.org Xen tree cod # Follow the Xen securite mailing lists, and if a patch is applicable to our package # add the URL here. _patches=( + "aur-xsa379.patch" + "https://xenbits.xen.org/xsa/xsa380/xsa380-1.patch" + "https://xenbits.xen.org/xsa/xsa380/xsa380-2.patch" + "https://xenbits.xen.org/xsa/xsa382.patch" + "https://xenbits.xen.org/xsa/xsa383.patch" ) @@ -79,9 +88,16 @@ _sha512sums=( "7a832de9b35f4b77ee80d33310b23886f4d48d1d42c3d6ef6f8e2b428bec7332a285336864b61cfa01d9a14c2023674015beb7527bd5849b069f2be88e6500cd" # xen-intel-ucode.hook "99921b94a29fa7988c7fb5c17da8e598e777c972d6cae8c8643c991e5ff911a25525345ea8913945313d5c49fecf9da8cc3b83d47ab03928341e917b304370a9" # xen-amd-ucode.hook "72edbacdb2b3b4449448e1bf7a6b31b58234eed1abe010db6dcf4033158edf095b081bc6eb89cde3156432dd35c449e1954aeefb2c4bc785a5d3f93de7b0fa76" # no-ld-no-pie.patch + "68d468b0a811bd8882992a605d16ab1e0e95dd5e4644bdcf1287ffb0db046dddcbdf740df7d7f32665cbb50088e9e4a7c7d69fbfbf42e460ebdc097caccdd7b2" # gcc-11.patch ) + _patch_sums=( + "03d1250ae52098bc7ba46ec3cfb5d7bd699a3c5c66dbd231dcc6776fb2d71b3c0f801fb3f1e6cdc102cf06b2b73b86734f61b0fc8ab2d88a54c2371eba31828a" # aur-xsa379.patch + "9c65e5860aa4cea90224ebf9340d314ba1cf4f687fb5ccc8489dbc3465a03a467411639c00e31b6090f09813e0102a94a833a47da4427b673369b9e4b977b4bd" # xsa380-1.patch + "61a87c2baff2b84af14d53556c918a1ff4ca1a6189b05cd2fcf8a1366c5af5dc1dbf7168d8f79c821c0e6ee629d72145514087844f0469a5f96668171157b393" # xsa380-2.patch + "6c5e3388fcfb0dcae30d5f315bf95d263c82519d2cbf2a8a88d280b5b0b1c1ed4cce7a1a85fabbf57c785ad9dc23e8e5e4773c631c00e036aada604ff8e7fa03" # xsa382.patch + "d5106df26e6c4512d88ea6748c403117a2b61cb40f6d6c08a76f160352b79f94dd67cbb3419a33f2c6cfc7bbd644baed0498e366a6bf00d8031df728a47f36ea" # xsa383.patch ) @@ -96,8 +112,6 @@ _stub_sums=( "021b958fcd0d346c4ba761bcf0cc40f3522de6186cf5a0a6ea34a70504ce9622b1c2626fce40675bc8282cf5f5ade18473656abc38050f72f5d6480507a2106e" # zlib-1.2.3.tar.gz ) - - # Simplify things for makepkg source=( "${_source[@]}" "${_patches[@]}" ) sha512sums=( "${_sha512sums[@]}" "${_patch_sums[@]}" ) @@ -108,7 +122,7 @@ done -# stubdum handling +# stubdom handling if [ "${_build_stubdom}" == "true" ]; then source=("${source[@]}" "${_stubdom_source[@]}") sha512sums=("${sha512sums[@]}" "${_stub_sums[@]}") @@ -131,8 +145,12 @@ else _config_qemu="--with-system-qemu=/usr/bin/qemu-system-x86_64" fi - - +_common_make_flags=( + "BOOT_DIR=${_boot_dir}" + "EFI_DIR=${_efi_dir}" + "EFI_MOUNTPOINT=${_efi_mountpoint}" + 'XEN_VENDORVERSION=arch' +) # TODO: Setup users, dirs, etc. @@ -141,6 +159,7 @@ prepare() { cd "${pkgbase}-${pkgver}" patch -p1 < ../no-ld-no-pie.patch + patch -p1 < ../gcc-11.patch if [ "${_build_stubdom}" == "true" ]; then @@ -190,7 +209,7 @@ build() { --with-system-ovmf=/usr/share/ovmf/x64/OVMF.fd \ --with-system-seabios=/usr/share/qemu/bios-256k.bin - make XEN_VENDORVERSION=arch + make "${_common_make_flags[@]}" } package_xen() { @@ -200,6 +219,7 @@ package_xen() { 'zlib' 'python' 'ncurses' 'openssl' 'libx11' 'libuuid.so' 'yajl' 'libaio' 'glib2' 'pkgconf' 'bridge-utils' 'iproute2' 'inetutils' 'acpica' 'lib32-glibc' 'gnutls' 'vde2' 'lzo' 'pciutils' 'sdl2' + 'pixman' 'libseccomp' 'libpng' 'libjpeg-turbo' # inhereted depends because of build environment ) optdepends=( @@ -228,24 +248,26 @@ package_xen() { cd "${pkgbase}-${pkgver}" + make "${_common_make_flags[@]}" DESTDIR="$pkgdir" install - make DESTDIR="$pkgdir" install - - mv "$pkgdir"/usr/lib64/efi "$pkgdir"/usr/lib/efi - rm -rf "$pkgdir"{/var/run,/usr/lib64} - # This feels like The Arch Way, really. - find "${pkgdir}/usr/lib/efi" -type l -delete - mv "${pkgdir}/usr/lib/efi/xen-${pkgver}.efi" "${pkgdir}/usr/lib/efi/xen.efi" + rm -rf "$pkgdir"/var/run + # Symlinks to prior installed versions are not The Arch Way, leave only the bare EFI binary + (cd "${pkgdir}/${_efi_dir}" && mv "$(realpath xen.efi)" xen.efi) [ -d "$pkgdir"/etc/xen/scripts ] && backup+=($(find "$pkgdir"/etc/xen/scripts/ -type f | sed "s|^$pkgdir/||g")) mkdir -p "${pkgdir}/var/log/xen/console" - # Remove hypervisor symlinks. - find "${pkgdir}/boot" -type l -delete - # Continued: This feels like The Arch Way, really. - mv "${pkgdir}/boot/xen-${pkgver}.gz" "${pkgdir}/boot/xen.gz" + # Continued: Trim hypervisor symlinks. + (cd "${pkgdir}/${_boot_dir}" && mv "$(realpath xen.gz)" xen.gz) + + # Do all symlink removals after the directories have had the real + # binaries moved overtop any symlinks. Note that dependening on + # configuratation _efi_dir and _boot_dir may be the same directory, so + # don't clean any of them until they've all been processed. + find "${pkgdir}/${_efi_dir}" -type l -delete + find "${pkgdir}/${_boot_dir}" -type l -delete # Remove syms. find "${pkgdir}/usr/lib/debug" -type f \( -name '*-syms*' -or -name '*\.map' \) -delete @@ -279,5 +301,5 @@ package_xen-docs() { pkgdesc="Xen hypervisor documentation and man pages" arch=("any") cd "${pkgbase}-${pkgver}" - make DESTDIR="${pkgdir}" install-docs + make "${_common_make_flags[@]}" DESTDIR="$pkgdir" install-docs } diff --git a/aur-xsa379.patch b/aur-xsa379.patch new file mode 100644 index 000000000000..8adb3dab1b44 --- /dev/null +++ b/aur-xsa379.patch @@ -0,0 +1,57 @@ +diff -Naur orig.xen-4.15.0/xen/arch/x86/mm/p2m.c xen-4.15.0/xen/arch/x86/mm/p2m.c +--- orig.xen-4.15.0/xen/arch/x86/mm/p2m.c 2021-08-27 22:00:52.614860472 -0700 ++++ xen-4.15.0/xen/arch/x86/mm/p2m.c 2021-08-27 23:07:32.232928213 -0700 +@@ -2730,8 +2730,19 @@ + goto put_both; + } + +- /* Remove previously mapped page if it was present. */ ++ /* ++ * Note that we're (ab)using GFN locking (to really be locking of the ++ * entire P2M) here in (at least) two ways: Finer grained locking would ++ * expose lock order violations in the XENMAPSPACE_gmfn case (due to the ++ * earlier get_gfn_unshare() above). Plus at the very least for the grant ++ * table v2 status page case we need to guarantee that the same page can ++ * only appear at a single GFN. While this is a property we want in ++ * general, for pages which can subsequently be freed this imperative: ++ * Upon freeing we wouldn't be able to find other mappings in the P2M ++ * (unless we did a brute force search). ++ */ + prev_mfn = get_gfn(d, gfn_x(gpfn), &p2mt); ++ /* Remove previously mapped page if it was present. */ + if ( mfn_valid(prev_mfn) ) + { + if ( is_special_page(mfn_to_page(prev_mfn)) ) +@@ -2741,26 +2752,23 @@ + /* Normal domain memory is freed, to avoid leaking memory. */ + rc = guest_remove_page(d, gfn_x(gpfn)); + } +- /* In the XENMAPSPACE_gmfn case we still hold a ref on the old page. */ +- put_gfn(d, gfn_x(gpfn)); +- +- if ( rc ) +- goto put_both; + + /* Unmap from old location, if any. */ + old_gpfn = get_gpfn_from_mfn(mfn_x(mfn)); + ASSERT(!SHARED_M2P(old_gpfn)); + if ( space == XENMAPSPACE_gmfn && old_gpfn != gfn ) +- { + rc = -EXDEV; +- goto put_both; +- } +- if ( old_gpfn != INVALID_M2P_ENTRY ) ++ else if ( !rc && old_gpfn != INVALID_M2P_ENTRY ) + rc = guest_physmap_remove_page(d, _gfn(old_gpfn), mfn, PAGE_ORDER_4K); + + /* Map at new location. */ + if ( !rc ) ++ { + rc = guest_physmap_add_page(d, gpfn, mfn, PAGE_ORDER_4K); ++ } ++ ++ put_gfn(d, gfn_x(gpfn)); ++ + + put_both: + /* diff --git a/gcc-11.patch b/gcc-11.patch new file mode 100644 index 000000000000..7aa60600c192 --- /dev/null +++ b/gcc-11.patch @@ -0,0 +1,69 @@ +diff --git a/tools/libs/foreignmemory/linux.c b/tools/libs/foreignmemory/linux.c +index c1f35e2db7..71ba3beb57 100644 +--- a/tools/libs/foreignmemory/linux.c ++++ b/tools/libs/foreignmemory/linux.c +@@ -161,7 +161,7 @@ out: + void *osdep_xenforeignmemory_map(xenforeignmemory_handle *fmem, + uint32_t dom, void *addr, + int prot, int flags, size_t num, +- const xen_pfn_t arr[/*num*/], int err[/*num*/]) ++ const xen_pfn_t arr[num], int err[num]) + { + int fd = fmem->fd; + privcmd_mmapbatch_v2_t ioctlx; +diff --git a/tools/libs/foreignmemory/minios.c b/tools/libs/foreignmemory/minios.c +index 43341ca301..c3ddbc8872 100644 +--- a/tools/libs/foreignmemory/minios.c ++++ b/tools/libs/foreignmemory/minios.c +@@ -42,7 +42,7 @@ int osdep_xenforeignmemory_close(xenforeignmemory_handle *fmem) + void *osdep_xenforeignmemory_map(xenforeignmemory_handle *fmem, + uint32_t dom, void *addr, + int prot, int flags, size_t num, +- const xen_pfn_t arr[/*num*/], int err[/*num*/]) ++ const xen_pfn_t arr[num], int err[num]) + { + unsigned long pt_prot = 0; + if (prot & PROT_READ) +diff --git a/xen/arch/x86/tboot.c b/xen/arch/x86/tboot.c +index aadcce591f..774c123883 100644 +--- a/xen/arch/x86/tboot.c ++++ b/xen/arch/x86/tboot.c +@@ -92,7 +92,7 @@ static void __init tboot_copy_memory(unsigned char *va, uint32_t size, + + void __init tboot_probe(void) + { +- tboot_shared_t *tboot_shared; ++ tboot_shared_t * volatile tboot_shared; + + /* Look for valid page-aligned address for shared page. */ + if ( !opt_tboot_pa || (opt_tboot_pa & ~PAGE_MASK) ) +diff --git a/xen/arch/x86/x86_emulate/x86_emulate.c b/xen/arch/x86/x86_emulate/x86_emulate.c +index c25d88d0d8..ba104602be 100644 +--- a/xen/arch/x86/x86_emulate/x86_emulate.c ++++ b/xen/arch/x86/x86_emulate/x86_emulate.c +@@ -726,9 +726,9 @@ union vex { + #define copy_VEX(ptr, vex) ({ \ + if ( !mode_64bit() ) \ + (vex).reg |= 8; \ +- (ptr)[0 - PFX_BYTES] = ext < ext_8f08 ? 0xc4 : 0x8f; \ +- (ptr)[1 - PFX_BYTES] = (vex).raw[0]; \ +- (ptr)[2 - PFX_BYTES] = (vex).raw[1]; \ ++ ((volatile uint8_t *)ptr)[0 - PFX_BYTES] = ext < ext_8f08 ? 0xc4 : 0x8f; \ ++ ((volatile uint8_t *)ptr)[1 - PFX_BYTES] = (vex).raw[0]; \ ++ ((volatile uint8_t *)ptr)[2 - PFX_BYTES] = (vex).raw[1]; \ + container_of((ptr) + 1 - PFX_BYTES, typeof(vex), raw[0]); \ + }) + +diff --git a/xen/include/crypto/vmac.h b/xen/include/crypto/vmac.h +index 457f3f5dd6..ce61e7fb35 100644 +--- a/xen/include/crypto/vmac.h ++++ b/xen/include/crypto/vmac.h +@@ -142,7 +142,7 @@ extern "C" { + + #define vmac_update vhash_update + +-void vhash_update(unsigned char m[], ++void vhash_update(uint8_t *m, + unsigned int mbytes, + vmac_ctx_t *ctx); + |