Xen Project 4.10 Series


Xen Project 4.10.0

Release Information

The Xen Project 4.10 release incorporates many new features and improvements to existing features.


For Xen Project 4.10 documentation see

Contribution Acknowledgements

For a breakdown of contributions to Xen 4.10 check out the Xen Project 4.10 Acknowledgements.

Xen Project 4.10.1

We are pleased to announce the release of Xen 4.10.1. This is available immediately from its git repository https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.10 (tag RELEASE-4.10.1) or from this download page.

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 99e50001be: update Xen version to 4.10.1 [Jan Beulich]
  • c30ab3d97c: SUPPORT.md: Add missing support lifetime information [Ian Jackson]
  • 5f6000a985: adapt SUPPORT.md to match 4.11 [Juergen Gross]
  • f9e1bddbc8: SUPPORT.md: Fix a typo [Ian Jackson]
  • 3614c7d949: SUPPORT.md: Document the new text ordering rule [Ian Jackson]
  • 6f8e8bae87: SUPPORT.md: Move descriptions up before Status info [Ian Jackson]
  • 2e02212848: docs/Makefile: Format SUPPORT.md into the toplevel [Ian Jackson]
  • 73c8c2c211: docs/Makefile: Introduce GENERATE_PANDOC_RULE_RAW [Ian Jackson]
  • c07d2195b0: docs/gen-html-index: Support documents at the toplevel [Ian Jackson]
  • 0609dd1c5e: docs/gen-html-index: Extract titles from HTML documents [Ian Jackson]
  • a3459c741e: SUPPORT.md: Syntax: Provide a title rather than a spurious empty section [Ian Jackson]
  • de3ccf0790: SUPPORT.md: Syntax: Fix a typo "States" [Ian Jackson]
  • f7a7eeac29: SUPPORT.md: Syntax: Fix some bullet lists [Ian Jackson]
  • cba8690ea8: x86: fix slow int80 path after XPTI additions [Jan Beulich]
  • d27de97cd1: libxl: Specify format of inserted cdrom [Anthony PERARD]
  • 656c14780c: x86/msr: Correct the emulation behaviour of MSR_PRED_CMD [Andrew Cooper]
  • 8d37ee1d10: x86/VT-x: Fix determination of EFER.LMA in vmcs_dump_vcpu() [Andrew Cooper]
  • 696b24dfe1: x86/HVM: suppress I/O completion for port output [Jan Beulich]
  • 41015e7945: x86/pv: Fix up erroneous segments for 32bit syscall entry [Andrew Cooper]
  • 4f12a18bc2: x86/XPTI: reduce .text.entry [Jan Beulich]
  • 649e617335: x86: log XPTI enabled status [Jan Beulich]
  • bd26592fdf: x86: disable XPTI when RDCL_NO [Jan Beulich]
  • afece29fe9: x86/pv: Fix the handing of writes to %dr7 [Andrew Cooper]
  • 2e34343fb2: xen/arm: Relax ARM_SMCCC_ARCH_WORKAROUND_1 discovery [Julien Grall]
  • d9756ca980: xen/arm: vpsci: Rework the logic to start AArch32 vCPU in Thumb mode [Julien Grall]
  • e2ee191d3d: xen/arm: vpsci: Introduce and use PSCI_INVALID_ADDRESS [Julien Grall]
  • 2efc116c68: xen/arm: psci: Consolidate PSCI version print [Julien Grall]
  • 51742fbc08: xen/arm: vpsci: Remove parameter 'ver' from do_common_cpu [Julien Grall]
  • 4fcd9d14b1: xen/arm64: Kill PSCI_GET_VERSION as a variant-2 workaround [Julien Grall]
  • 1ef0574d3b: xen/arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support [Julien Grall]
  • ee109adca7: xen/arm: smccc: Implement SMCCC v1.1 inline primitive [Julien Grall]
  • b2682eddc2: xen/arm: psci: Detect SMCCC version [Julien Grall]
  • 9746779afb: xen/arm: smccc: Add macros SMCCC_VERSION, SMCCC_VERSION_{MINOR, MAJOR} [Julien Grall]
  • 1d99ad5b35: xen/arm64: Print a per-CPU message with the BP hardening method used [Julien Grall]
  • 9beb8a4461: xen/arm64: Implement a fast path for handling SMCCC_ARCH_WORKAROUND_1 [Julien Grall]
  • ef4b4d7ab0: xen/arm: Adapt smccc.h to be able to use it in assembly code [Julien Grall]
  • df71252060: xen/arm: vsmc: Implement SMCCC_ARCH_WORKAROUND_1 BP hardening support [Julien Grall]
  • 7f9ebebcec: xen/arm: vsmc: Implement SMCCC 1.1 [Julien Grall]
  • 4eb96e3eda: xen/arm: vpsci: Add support for PSCI 1.1 [Julien Grall]
  • 3087ba8278: xen/arm: psci: Rework the PSCI definitions [Julien Grall]
  • 76a6dddcf8: xen/arm: vpsci: Move PSCI function dispatching from vsmc.c to vpsci.c [Julien Grall]
  • 0f92968bcf: x86/vlapic: clear TMR bit upon acceptance of edge-triggered interrupt to IRR [Liran Alon]
  • 9e9185f661: SUPPORT.md: Specify support for various image formats [George Dunlap]
  • e87e798673: SUPPORT.md: Clarify that the PV keyboard protocol includes mouse support [George Dunlap]
  • 6131a2c0ed: cpufreq/ondemand: fix race while offlining CPU [Jan Beulich]
  • 47621a4ed1: x86: remove CR reads from exit-to-guest path [Jan Beulich]
  • 489cfbc1b9: x86: slightly reduce Meltdown band-aid overhead [Jan Beulich]
  • 860f470ba1: x86/xpti: don't map stack guard pages [Jan Beulich]
  • 8462c575d9: x86/xpti: Hide almost all of .text and all .data/.rodata/.bss mappings [Andrew Cooper]
  • cee48d83cb: x86: ignore guest microcode loading attempts [Jan Beulich]
  • 20db434e90: ocaml: fix arm build [Wei Liu]
  • 0d2f9c89f7: Merge branch 'merge-comet-staging-4.10-v1' into staging-4.10 [Wei Liu]
  • a1189f93ef: libxl/pvh: force PVH guests to use the xenstore shutdown [Roger Pau Monne]
  • c37114cbf8: x86/HVM: don't give the wrong impression of WRMSR succeeding [Jan Beulich]
  • 5ede9f9600: x86/PV: fix off-by-one in I/O bitmap limit check [Jan Beulich]
  • 7e0796d3fe: grant: Release domain lock on 'map' path in cache_flush [George Dunlap]
  • b9aa790d31: x86/pv: Avoid leaking other guests' MSR_TSC_AUX values into PV context [Andrew Cooper]
  • 4867afbc95: x86/nmi: start NMI watchdog on CPU0 after SMP bootstrap [Igor Druzhinin]
  • 3deb58f832: x86/srat: fix end calculation in nodes_cover_memory() [Jan Beulich]
  • 3376822f15: x86/hvm/dmop: only copy what is needed to/from the guest [Ross Lagerwall]
  • 37dd90787e: x86/entry: Use 32bit xors rater than 64bit xors for clearing GPRs [Andrew Cooper]
  • 296705818c: x86/emul: Fix the decoding of segment overrides in 64bit mode [Andrew Cooper]
  • 0857b09aae: x86/spec_ctrl: Fix several bugs in SPEC_CTRL_ENTRY_FROM_INTR_IST [Andrew Cooper]
  • 4195d40e31: x86/srat: fix the end pfn check in valid_numa_range() [Haozhong Zhang]
  • ab62fc3171: x86: reduce Meltdown band-aid IPI overhead [Jan Beulich]
  • 0e10f28586: x86/NMI: invert condition in nmi_show_execution_state() [Jan Beulich]
  • a05fc8e5be: x86/emul: Fix the emulation of invlpga [Andrew Cooper]
  • 083bd83354: ignores: update .hgignore [Roger Pau Monné]
  • b0e975c822: ignores: update list of git ignored files [Roger Pau Monné]
  • def29407de: firmware/shim: better filtering of intermediate files during Xen tree setup [Jan Beulich]
  • 8c3bbc7c2b: firmware/shim: better filtering of dependency files during Xen tree setup [Jan Beulich]
  • cee8bb62ff: build: remove shim related targets [Roger Pau Monné]
  • 08a941bdac: shim: allow building of just the shim with build-ID-incapable linker [Jan Beulich]
  • 7dc817b750: firmware/shim: avoid mkdir error during Xen tree setup [Jan Beulich]
  • 21080841ae: firmware/shim: correctly handle errors during Xen tree setup [Jan Beulich]
  • dc4a23b115: firmware/shim: update Makefile [Wei Liu]
  • da7543dd32: x86/shim: don't use 32-bit compare on boolean variable [Jan Beulich]
  • 9fd27db52a: xen/pvshim: fix GNTTABOP_query_size hypercall forwarding with SMAP [Roger Pau Monne]
  • 6d9b6bf418: Revert "x86/boot: Map more than the first 16MB" [Wei Liu]
  • 79f04299ca: x86: relocate pvh_info [Wei Liu]
  • 9ce99ad413: xen/shim: stash RSDP address for ACPI driver [Wei Liu]
  • 186c2f57bd: libxl: lower shim related message to level DEBUG [Wei Liu]
  • 357bf02e49: x86/shim: use credit scheduler [Wei Liu]
  • 81306edf86: x86/guest: clean up guest/xen.h [Wei Liu]
  • 14e1a434f4: libxl: remove whitespaces introduced in 62982da926 [Wei Liu]
  • b869742c99: xen/pvshim: switch shim.c to use typesafe mfn_to_page and virt_to_mfn [Roger Pau Monne]
  • d691e41793: xen/pvshim: fix coding style issues [Roger Pau Monne]
  • ee478f4737: xen/pvshim: re-order replace_va_mapping code [Roger Pau Monne]
  • f05a7c5148: xen/pvshim: identity pin shim vCPUs to pCPUs [Roger Pau Monne]
  • 7027acfc1f: tools: fix arm build after bdf693ee61b48 [Wei Liu]
  • bc513e82ed: Don't build xen-shim for 32 bit build host [Wei Liu]
  • af63193017: Revert "x86/guest: use the vcpu_info area from shared_info" [Wei Liu]
  • a44e83b712: x86/shim: commit shim.config changes for 4.10 branch [Wei Liu]
  • da3a46d017: Merge tag '4.10.0-shim-comet-3' into staging-4.10 [Wei Liu]
  • b6a6458b13: xen/arm: Flush TLBs before turning on the MMU to avoid stale entries [Julien Grall]
  • e3dfd5d1dd: xen/arm: vgic: Make sure the number of SPIs is a multiple of 32 [Julien Grall]
  • a6780c122b: x86/hvm: Disallow the creation of HVM domains without Local APIC emulation [Andrew Cooper]
  • 16edf98e95: gnttab: don't blindly free status pages upon version change [Jan Beulich]
  • e2ceb2ed66: gnttab/ARM: don't corrupt shared GFN array [Jan Beulich]
  • 1b1c059099: memory: don't implicitly unpin for decrease-reservation [Jan Beulich]
  • 5e91fc4d3b: xen/arm: cpuerrata: Actually check errata on non-boot CPUs [Julien Grall]
  • 3921128fcb: xen/arm: vsmc: Don't implement function IDs that don't exist [Julien Grall]
  • cd2e1436b1: xen/arm: vpsci: Removing dummy MIGRATE and MIGRATE_INFO_UP_CPU [Julien Grall]
  • 3181472a5c: x86/idle: Clear SPEC_CTRL while idle [Andrew Cooper]
  • 5644514050: x86/cpuid: Offer Indirect Branch Controls to guests [Andrew Cooper]
  • db12743f2d: x86/ctxt: Issue a speculation barrier between vcpu contexts [Andrew Cooper]
  • bc0e599a83: x86/boot: Calculate the most appropriate BTI mitigation to use [Andrew Cooper]
  • fc81946cea: x86/entry: Avoid using alternatives in NMI/#MC paths [Andrew Cooper]
  • ce7d7c0168: x86/entry: Organise the clobbering of the RSB/RAS on entry to Xen [Andrew Cooper]
  • a695f8dce7: x86/entry: Organise the use of MSR_SPEC_CTRL at each entry/exit point [Andrew Cooper]
  • 92efbe8658: x86/hvm: Permit guests direct access to MSR_{SPEC_CTRL,PRED_CMD} [Andrew Cooper]
  • 8baba874d6: x86/migrate: Move MSR_SPEC_CTRL on migrate [Andrew Cooper]
  • 79891ef944: x86/msr: Emulation of MSR_{SPEC_CTRL,PRED_CMD} for guests [Andrew Cooper]
  • 641c11ef29: x86/cpuid: Handling of IBRS/IBPB, STIBP and IBRS for guests [Andrew Cooper]
  • 05eba93a0a: x86: fix GET_STACK_END [Wei Liu]
  • a69cfdf0c1: x86/acpi: process softirqs while printing CPU ACPI data [Roger Pau Monné]
  • 0f4be6e2c4: xen/x86: report domain id on cpuid [Roger Pau Monné]
  • 0a7e6b50e0: x86/svm: Offer CPUID Faulting to AMD HVM guests as well [Andrew Cooper]
  • 65ee6e043a: x86/cmdline: Introduce a command line option to disable IBRS/IBPB, STIBP and IBPB [Andrew Cooper]
  • 129880dd8f: x86/feature: Definitions for Indirect Branch Controls [Andrew Cooper]
  • c513244d8e: x86: Introduce alternative indirect thunks [Andrew Cooper]
  • 0e12c2c881: x86/amd: Try to set lfence as being Dispatch Serialising [Andrew Cooper]
  • 6aaf353f2e: x86/boot: Report details of speculative mitigations [Andrew Cooper]
  • 32babfc19a: x86: Support indirect thunks from assembly code [Andrew Cooper]
  • 47bbcb2dd1: x86: Support compiling with indirect branch thunks [Andrew Cooper]
  • 8743fc2ef7: common/wait: Clarifications to wait infrastructure [Andrew Cooper]
  • 1830b20b6b: x86/entry: Erase guest GPR state on entry to Xen [Andrew Cooper]
  • ab95cb0d94: x86/hvm: Use SAVE_ALL to construct the cpu_user_regs frame after VMExit [Andrew Cooper]
  • d02ef3d274: x86/entry: Rearrange RESTORE_ALL to restore register in stack order [Andrew Cooper]
  • e32f814160: x86: Introduce a common cpuid_policy_updated() [Andrew Cooper]
  • c534ab4e94: x86/hvm: Rename update_guest_vendor() callback to cpuid_policy_changed() [Andrew Cooper]
  • be3138b6f6: x86/alt: Introduce ALTERNATIVE{,_2} macros [Andrew Cooper]
  • 79012ead93: x86/alt: Break out alternative-asm into a separate header file [Andrew Cooper]
  • bbd093c503: xen/arm32: entry: Document the purpose of r11 in the traps handler [Julien Grall]
  • a69a8b5fdc: xen/arm32: Invalidate icache on guest exist for Cortex-A15 [Julien Grall]
  • f167ebf6b3: xen/arm32: Invalidate BTB on guest exit for Cortex A17 and 12 [Julien Grall]
  • c4c0187839: xen/arm32: Add skeleton to harden branch predictor aliasing attacks [Julien Grall]
  • 19ad8a7287: xen/arm32: entry: Add missing trap_reset entry [Julien Grall]
  • 3caf32c470: xen/arm32: Add missing MIDR values for Cortex-A17 and A12 [Julien Grall]
  • df7be94f26: xen/arm32: entry: Consolidate DEFINE_TRAP_ENTRY_* macros [Julien Grall]
  • f379b70609: SUPPORT.md: Fix version and Initial-Release [Ian Jackson]
  • 728fadb586: xen/arm: cpuerrata: Remove percpu.h include [Julien Grall]
  • 928112900e: xen/arm64: Implement branch predictor hardening for affected Cortex-A CPUs [Julien Grall]
  • cae6e1572f: xen/arm64: Add skeleton to harden the branch predictor aliasing attacks [Julien Grall]
  • d1f4283a1d: xen/arm: cpuerrata: Add MIDR_ALL_VERSIONS [Julien Grall]
  • 0f7a4faafb: xen/arm64: Add missing MIDR values for Cortex-A72, A73 and A75 [Julien Grall]
  • b829d42829: xen/arm: Introduce enable callback to enable a capabilities on each online CPU [Julien Grall]
  • fa23f2aaa2: xen/pvh: place the trampoline at page 0x1 [Roger Pau Monne]
  • 79f797c3f4: firmware/shim: fix build process to use POSIX find options [Roger Pau Monne]
  • 69f4d872e5: x86/guest: use the vcpu_info area from shared_info [Roger Pau Monne]
  • 7cccd6f748: x86: allow Meltdown band-aid to be disabled [Jan Beulich]
  • 234f481337: x86: Meltdown band-aid against malicious 64-bit PV guests [Jan Beulich]
  • 57dc197cf0: x86/mm: Always set _PAGE_ACCESSED on L4e updates [Andrew Cooper]
  • 7209b8bf08: x86: Don't use potentially incorrect CPUID values for topology information [Jan H. Schönherr]
  • 910dd005da: x86/entry: Remove support for partial cpu_user_regs frames [Andrew Cooper]
  • 50d24b9530: x86/upcall: inject a spurious event after setting upcall vector [Roger Pau Monné]
  • c89c622b89: x86/E820: don't overrun array [Jan Beulich]
  • 3b8d88d4fa: x86/IRQ: conditionally preserve access permission on map error paths [Jan Beulich]
  • 6f1979c8e4: -xen-attach is needed for pvh boot with qemu-xen [Michael Young]
  • 0a515eeb96: xen/pvshim: map vcpu_info earlier for APs [Roger Pau Monne]
  • 0e2d64ae8f: xl: pvshim: Provide and document xl config [Ian Jackson]
  • ab9e3854dd: libxl: pvshim: Introduce pvshim_extra [Ian Jackson]
  • abdde49edc: libxl: pvshim: Provide first-class config settings to enable shim mode [Ian Jackson]
  • 321ef983a0: xen/shim: allow DomU to have as many vcpus as available [Roger Pau Monne]
  • c9083de0ae: xen/shim: crash instead of reboot in shim mode [Roger Pau Monne]
  • b5be9c817d: xen/pvshim: use default position for the m2p mappings [Roger Pau Monne]
  • 9d60bc96be: xen/shim: modify shim_mem parameter behaviour [Roger Pau Monne]
  • 29dd3142bf: xen/pvshim: memory hotplug [Roger Pau Monne]
  • 5b6c3ffa1d: xen/pvshim: support vCPU hotplug [Roger Pau Monne]
  • 004646a1dd: xen/pvshim: set max_pages to the value of tot_pages [Roger Pau Monne]
  • 7dcc20e0c8: xen/pvshim: add shim_mem cmdline parameter [Sergey Dyasli]
  • 83c838c9f8: xen/pvshim: add migration support [Roger Pau Monne]
  • cc7d96b98c: x86/pv-shim: shadow PV console's page for L2 DomU [Sergey Dyasli]
  • 7f5eb7d04e: xen/pvshim: add grant table operations [Roger Pau Monne]
  • bbad376ab1: xen/pvshim: forward evtchn ops between L0 Xen and L2 DomU [Roger Pau Monne]
  • da4518c559: xen/pvshim: set correct domid value [Roger Pau Monne]
  • 1cd703979f: xen/pvshim: modify Dom0 builder in order to build a DomU [Roger Pau Monne]
  • 60dd95357c: xen: mark xenstore/console pages as RAM [Roger Pau Monne]
  • 0ba5d8c275: xen/pvshim: skip Dom0-only domain builder parts [Roger Pau Monne]
  • 4ba6447e7d: xen/pvh: do not mark the low 1MB as IO mem [Roger Pau Monne]
  • 2b8a95a296: xen/x86: make VGA support selectable [Roger Pau Monne]
  • cdb1fb4921: xen/arm: bootfdt: Use proper default for #address-cells and #size-cells [Julien Grall]
  • a40186478c: xen/arm: gic-v3: Bail out if gicv3_cpu_init fail [Julien Grall]
  • 3784256866: tools/firmware: Build and install xen-shim [Andrew Cooper]
  • b5ead1fad3: x86/shim: Kconfig and command line options [Andrew Cooper]
  • aa96a59dc2: x86/guest: use PV console for Xen/Dom0 I/O [Sergey Dyasli]
  • 7477359b9a: x86/guest: add PV console code [Sergey Dyasli]
  • cb5dc94ba7: x86/guest: setup event channel upcall vector [Roger Pau Monne]
  • 3b058a3eab: x86: don't swallow the first command line item in guest mode [Wei Liu]
  • 5a543c6f39: x86: read wallclock from Xen when running in pvh mode [Wei Liu]
  • 949eb11d58: x86: APIC timer calibration when running as a guest [Wei Liu]
  • f5ca36927e: x86: xen pv clock time source [Wei Liu]
  • 68e7a08436: x86/guest: map per-cpu vcpu_info area. [Roger Pau Monne]
  • d2df09c92b: xen/guest: fetch vCPU ID from Xen [Roger Pau Monne]
  • efa15c993b: x86/guest: map shared_info page [Roger Pau Monne]
  • 83186a8e69: xen/pvshim: keep track of used PFN ranges [Wei Liu]
  • 1fa5444834: xen: introduce rangeset_claim_range [Wei Liu]
  • 10128f33aa: xen/console: Introduce console=xen [Wei Liu]
  • 2f5a012143: x86/pvh: Retrieve memory map from Xen [Wei Liu]
  • 9752c7422b: x86/shutdown: Support for using SCHEDOP_{shutdown,reboot} [Andrew Cooper]
  • b38cc15b2f: x86/guest: Hypercall support [Andrew Cooper]
  • 3d1afab1f6: x86/entry: Probe for Xen early during boot [Andrew Cooper]
  • 31b664a93f: x86/boot: Map more than the first 16MB [Andrew Cooper]
  • db65173fe7: x86/entry: Early PVH boot code [Wei Liu]
  • 51f937a39b: x86: produce a binary that can be booted as PVH [Wei Liu]
  • 887c705600: x86: introduce ELFNOTE macro [Wei Liu]
  • f575701f3c: x86/link: Relocate program headers [Andrew Cooper]
  • af2f50b2b6: x86/Kconfig: Options for Xen and PVH support [Andrew Cooper]
  • b538a13a68: x86: Common cpuid faulting support [Andrew Cooper]
  • 57dc22b80d: x86/fixmap: Modify fix_to_virt() to return a void pointer [Andrew Cooper]
  • 48811d481c: tools/ocaml: Extend domain_create() to take arch_domainconfig [Jon Ludlam]
  • 78898c9d1b: tools/ocaml: Expose arch_config in domaininfo [Andrew Cooper]
  • e7c8187b91: xen/domctl: Return arch_config via getdomaininfo [Andrew Cooper]
  • 9e46ae12ed: ACPICA: Make ACPI Power Management Timer (PM Timer) optional. [Bob Moore]
  • ff1fb8fe53: x86/link: Introduce and use SECTION_ALIGN [Andrew Cooper]
  • 92a6295c30: x86/time: Print a more helpful error when a platform timer can't be found [Andrew Cooper]
  • 78e9cc3488: xen/common: Widen the guest logging buffer slightly [Andrew Cooper]
  • 667275050d: tools/libxc: Multi modules support [Jonathan Ludlam]
  • 4621c10f48: tools/libelf: fix elf notes check for PVH guest [Wei Liu]
  • 40938b5d56: tools/libxc: remove extraneous newline in xc_dom_load_acpi [Wei Liu]
  • 5840f40e88: xen/x86: report domain id on cpuid [Roger Pau Monne]
  • caff7f9b59: x86/svm: Offer CPUID Faulting to AMD HVM guests as well [Andrew Cooper]
  • 69e302e59c: x86/upcall: inject a spurious event after setting upcall vector [Roger Pau Monné]
  • a87ec4833a: x86/msr: Free msr_vcpu_policy during vcpu destruction [Andrew Cooper]
  • 9dc5eda576: x86/vmx: Don't use hvm_inject_hw_exception() in long_mode_do_msr_write() [Andrew Cooper]
  • 135b67e9bd: xen/efi: Fix build with clang-5.0 [Andrew Cooper]
  • 682a9d8d37: gnttab: improve GNTTABOP_cache_flush locking [Jan Beulich]
  • 19dcd8e47d: gnttab: correct GNTTABOP_cache_flush empty batch handling [Jan Beulich]
  • e5364c32c6: x86/microcode: Add support for fam17h microcode loading [Tom Lendacky]
  • e2dc7b584f: x86/mm: drop bogus paging mode assertion [Jan Beulich]
  • c8f4f45e04: x86/mb2: avoid Xen image when looking for module/crashkernel position [Daniel Kiper]
  • 4150501b71: x86/vvmx: don't enable vmcs shadowing for nested guests [Sergey Dyasli]
  • ab7be6ce4a: xen/pv: Construct d0v0's GDT properly [Andrew Cooper]
  • f3fb6673d8: update Xen version to 4.10.1-pre [Jan Beulich]

This release contains no fixes to qemu-traditional or qemu-upstream.

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes. 

XSA      Xen                           qemu-traditional  qemu-upstream
XSA-252  Applied                       N/A               N/A
XSA-253  Applied                       N/A               N/A
XSA-254  Applied (XPTI for Variant 3)  N/A               N/A
XSA-255  Applied                       N/A               N/A
XSA-256  Applied                       N/A               N/A
XSA-257  Applied                       N/A               N/A
XSA-258  Applied                       N/A               N/A
XSA-259  Applied                       N/A               N/A

See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend that all users of the 4.10 stable series update to this latest point release.

Xen Project 4.10.2

We are pleased to announce the release of Xen 4.10.2. This is available immediately from its git repository https://xenbits.xenproject.org/gitweb/?p=xen.git;a=shortlog;h=refs/heads/stable-4.10 (tag RELEASE-4.10.2) or from this download page.

This release contains the following bug-fixes and improvements in the Xen Project hypervisor:

  • 0c1d5b68e2: update Xen version to 4.10.2 [Jan Beulich]
  • 4266e4c7d3: x86: assorted array_index_nospec() insertions [Jan Beulich]
  • 74a95386d4: VT-d/dmar: iommu mem leak fix [Zhenzhong Duan]
  • b75228ccc3: rangeset: make inquiry functions tolerate NULL inputs [Jan Beulich]
  • 24bc2e31b2: x86/setup: Avoid OoB E820 lookup when calculating the L1TF safe address [Andrew Cooper]
  • bd993a7b4e: x86/hvm/ioreq: MMIO range checking completely ignores direction flag [Paul Durrant]
  • e0a20e7c5c: x86/vlapic: Bugfixes and improvements to vlapic_{read,write}() [Andrew Cooper]
  • 713f3b1294: x86/vmx: Avoid hitting BUG_ON() after EPTP-related domain_crash() [Andrew Cooper]
  • 017f85220f: tools: prepend to PKG_CONFIG_PATH when configuring qemu [Stewart Hildebrand]
  • bf1b7f5b9b: libxl: start pvqemu when 9pfs is requested [Stefano Stabellini]
  • fe50b33b07: x86: write to correct variable in parse_pv_l1tf() [Jan Beulich]
  • 13e85a6dbc: xl.conf: Add global affinity masks [Wei Liu]
  • fac0731d75: x86: Make "spec-ctrl=no" a global disable of all mitigations [Jan Beulich]
  • ed933041a8: x86/spec-ctrl: Introduce an option to control L1D_FLUSH for HVM HAP guests [Andrew Cooper]
  • ef71d13e7f: x86/msr: Virtualise MSR_FLUSH_CMD for guests [Andrew Cooper]
  • 80dd3f52be: x86/spec-ctrl: CPUID/MSR definitions for L1D_FLUSH [Andrew Cooper]
  • c67a8b808a: x86/pv: Force a guest into shadow mode when it writes an L1TF-vulnerable PTE [Juergen Gross]
  • 85d133b90d: x86/mm: Plumbing to allow any PTE update to fail with -ERESTART [Andrew Cooper]
  • d46374d794: x86/shadow: Infrastructure to force a PV guest into shadow mode [Juergen Gross]
  • 614fd2558f: x86/spec-ctrl: Introduce an option to control L1TF mitigation for PV guests [Andrew Cooper]
  • 684fb8c7c4: x86/spec-ctrl: Calculate safe PTE addresses for L1TF mitigations [Andrew Cooper]
  • 56d5138060: tools/oxenstored: Make evaluation order explicit [Christian Lindig]
  • 924a5ee8c0: x86/vtx: Fix the checking for unknown/invalid MSR_DEBUGCTL bits [Andrew Cooper]
  • 5fd0bb322d: ARM: disable grant table v2 [Stefano Stabellini]
  • 9e7ee9478d: common/gnttab: Introduce command line feature controls [Andrew Cooper]
  • 0de39f36b7: VMX: fix vmx_{find,del}_msr() build [Jan Beulich]
  • 6504045842: x86/vmx: Support load-only guest MSR list entries [Andrew Cooper]
  • b4d669064f: x86/vmx: Pass an MSR value into vmx_msr_add() [Andrew Cooper]
  • 09b6924ec6: x86/vmx: Improvements to LBR MSR handling [Andrew Cooper]
  • 2450f34870: x86/vmx: Support remote access to the MSR lists [Andrew Cooper]
  • 227da39d8f: x86/vmx: Factor locate_msr_entry() out of vmx_find_msr() and vmx_add_msr() [Andrew Cooper]
  • 07a9be73c7: x86/vmx: Internal cleanup for MSR load/save infrastructure [Andrew Cooper]
  • dcca8f0234: x86/vmx: API improvements for MSR load/save infrastructure [Andrew Cooper]
  • 8af1a797de: x86/vmx: Defer vmx_vmcs_exit() as long as possible in construct_vmcs() [Andrew Cooper]
  • 93017a6b0d: x86/vmx: Fix handing of MSR_DEBUGCTL on VMExit [Andrew Cooper]
  • 6e57d28086: x86/spec-ctrl: Yet more fixes for xpti= parsing [Andrew Cooper]
  • 87c83af333: x86/spec-ctrl: Fix the parsing of xpti= on fixed Intel hardware [Andrew Cooper]
  • b07c76fece: x86/hvm: Disallow unknown MSR_EFER bits [Andrew Cooper]
  • 541a105ada: x86/xstate: Make errors in xstate calculations more obvious by crashing the domain [Andrew Cooper]
  • 6f6207fac5: x86/xstate: Use a guests CPUID policy, rather than allowing all features [Andrew Cooper]
  • 6feafd89d2: x86/vmx: Don't clobber %dr6 while debugging state is lazy [Andrew Cooper]
  • 01eb262d5e: x86: command line option to avoid use of secondary hyper-threads [Jan Beulich]
  • 512d3e7828: x86: possibly bring up all CPUs even if not all are supposed to be used [Jan Beulich]
  • 74f437f054: x86: distinguish CPU offlining from CPU removal [Jan Beulich]
  • 371149b69b: x86/AMD: distinguish compute units from hyper-threads [Jan Beulich]
  • 3607213d2c: cpupools: fix state when downing a CPU failed [Jan Beulich]
  • 714552510a: x86/svm Fixes and cleanup to svm_inject_event() [Andrew Cooper]
  • 498716e253: allow cpu_down() to be called earlier [Jan Beulich]
  • fab92fcf44: xen: oprofile/nmi_int.c: Drop unwanted sexual reference [Ian Jackson]
  • bc1289f1e7: mm/page_alloc: correct first_dirty calculations during block merging [Sergey Dyasli]
  • 4ccf3974c8: x86/spec-ctrl: command line handling adjustments [Jan Beulich]
  • 381fdae3f0: x86: correctly set nonlazy_xstate_used when loading full state [Jan Beulich]
  • d976fe5bf0: xen: Port the array_index_nospec() infrastructure from Linux [Andrew Cooper]
  • a645331a9f: x86/EFI: further correct FPU state handling around runtime calls [Jan Beulich]
  • c2202404d3: x86/HVM: attempts to emulate FPU insns need to set fpu_initialised [Jan Beulich]
  • 78a86a7c2a: x86/EFI: fix FPU state handling around runtime calls [Jan Beulich]
  • 6e0e45a963: x86/VT-x: Fix printing of EFER in vmcs_dump_vcpu() [Andrew Cooper]
  • b81a8bf199: x86/traps: Fix error handling of the pv %dr7 shadow state [Andrew Cooper]
  • de578bc4c3: x86/CPUID: don't override tool stack decision to hide STIBP [Jan Beulich]
  • 3bd7966eba: x86: correct default_xen_spec_ctrl calculation [Jan Beulich]
  • dd07d3e25c: libxc/x86/PV: don't hand through CPUID leaf 0x80000008 as is [Jan Beulich]
  • b5e9f1e674: x86: guard against #NM [Jan Beulich]
  • e0da0d9170: x86/HVM: don't cause #NM to be raised in Xen [Jan Beulich]
  • 23081587da: libxl: restore passing "readonly=" to qemu for SCSI disks [Ian Jackson]
  • b2444d2f81: libxl: qemu_disk_scsi_drive_string: Break out common parts of disk config [Ian Jackson]
  • 42219af0df: x86: Refine checks in #DB handler for faulting conditions [Andrew Cooper]
  • 1d5a9ecce1: x86/mm: don't bypass preemption checks [Jan Beulich]
  • eeb15764ad: x86/HVM: account for fully eager FPU mode in emulation [Jan Beulich]
  • 4b9dc6d0e6: x86/spec-ctrl: Mitigations for LazyFPU [Andrew Cooper]
  • 52447b36f1: x86: Support fully eager FPU context switching [Andrew Cooper]
  • 7b35e7807c: xen/x86: use PCID feature [Juergen Gross]
  • 8d48204c6d: xen/x86: add some cr3 helpers [Juergen Gross]
  • b3a7f2f2fe: xen/x86: convert pv_guest_cr4_to_real_cr4() to a function [Juergen Gross]
  • fb781023a4: xen/x86: use flag byte for decision whether xen_cr3 is valid [Juergen Gross]
  • 245eaee519: xen/x86: disable global pages for domains with XPTI active [Juergen Gross]
  • 18833a8830: xen/x86: use invpcid for flushing the TLB [Juergen Gross]
  • 72e5b163a2: xen/x86: support per-domain flag for xpti [Juergen Gross]
  • 27a4161bf0: xen/x86: add a function for modifying cr3 [Juergen Gross]
  • 23114db6ff: x86/xpti: avoid copying L4 page table contents when possible [Juergen Gross]
  • 6300cdd7c2: x86: invpcid support [Wei Liu]
  • 2a0913ede5: x86: move invocations of hvm_flush_guest_tlbs() [Jan Beulich]
  • daaf3dd430: x86/XPTI: fix S3 resume (and CPU offlining in general) [Jan Beulich]
  • c2b84e7cc4: x86/msr: Virtualise MSR_SPEC_CTRL.SSBD for guests to use [Andrew Cooper]
  • 908ddbbe5d: x86/Intel: Mitigations for GPZ SP4 - Speculative Store Bypass [Andrew Cooper]
  • c75bbf1d87: x86/AMD: Mitigations for GPZ SP4 - Speculative Store Bypass [Andrew Cooper]
  • e9dc0a6654: x86/spec_ctrl: Introduce a new `spec-ctrl=` command line argument to replace `bti=` [Andrew Cooper]
  • 470daefec2: x86/cpuid: Improvements to guest policies for speculative sidechannel features [Andrew Cooper]
  • c9fdfbb478: x86/spec_ctrl: Explicitly set Xen's default MSR_SPEC_CTRL value [Andrew Cooper]
  • 49aebf4728: x86/spec_ctrl: Split X86_FEATURE_SC_MSR into PV and HVM variants [Andrew Cooper]
  • 48ad1ab669: x86/spec_ctrl: Elide MSR_SPEC_CTRL handling in idle context when possible [Andrew Cooper]
  • 98a285cb51: x86/spec_ctrl: Rename bits of infrastructure to avoid NATIVE and VMEXIT [Andrew Cooper]
  • cb2a83ff0d: x86/spec_ctrl: Fold the XEN_IBRS_{SET,CLEAR} ALTERNATIVES together [Andrew Cooper]
  • 51b7b5d631: x86/spec_ctrl: Merge bti_ist_info and use_shadow_spec_ctrl into spec_ctrl_flags [Andrew Cooper]
  • 840d6833fc: x86/spec_ctrl: Express Xen's choice of MSR_SPEC_CTRL value as a variable [Andrew Cooper]
  • ec50d21cbf: x86/spec_ctrl: Read MSR_ARCH_CAPABILITIES only once [Andrew Cooper]
  • a0355180b6: viridian: fix cpuid leaf 0x40000003 [Paul Durrant]
  • 8342e3f30a: libacpi: fixes for iasl >= 20180427 [Roger Pau Monné]
  • aaf66de7c5: x86/pv: Hide more EFER bits from PV guests [Andrew Cooper]
  • 7e21b75a21: x86: fix return value checks of set_guest_{machinecheck,nmi}_trapbounce [Jan Beulich]
  • f155f55356: xen/schedule: Fix races in vcpu migration [George Dunlap]
  • 3a903b354c: xen: Introduce vcpu_sleep_nosync_locked() [George Dunlap]
  • 2e2f337085: x86/SVM: Fix intercepted {RD,WR}MSR for the SYS{CALL,ENTER} MSRs [Andrew Cooper]
  • 850e5adf4b: xpti: fix bug in double fault handling [Juergen Gross]
  • 13fa2a464f: x86/HVM: never retain emulated insn cache when exiting back to guest [Jan Beulich]
  • ade8f98917: x86/HPET: fix race triggering ASSERT(cpu < nr_cpu_ids) [David Wang]
  • a7f8880adc: x86/spec_ctrl: Updates to retpoline-safety decision making [Andrew Cooper]
  • 3bb756be2b: x86/pv: Introduce and use x86emul_write_dr() [Andrew Cooper]
  • 1aa630599d: x86/pv: Introduce and use x86emul_read_dr() [Andrew Cooper]
  • d93ae631a4: x86: suppress BTI mitigations around S3 suspend/resume [Jan Beulich]
  • 6b8d820bbe: x86: correct ordering of operations during S3 resume [Jan Beulich]
  • f253feb3fe: update Xen version to 4.10.2-pre [Jan Beulich]
  • 25e0657ed4: x86/HVM: guard against emulator driving ioreq state in weird ways [Jan Beulich]
  • 31c78e9ca3: x86/vpt: add support for IO-APIC routed interrupts [Xen Project Security Team]
  • 07b6f42623: x86/traps: Fix handling of #DB exceptions in hypervisor context [Andrew Cooper]
  • 373d49693a: x86/traps: Use an Interrupt Stack Table for #DB [Andrew Cooper]
  • 9abae6f7a8: x86/pv: Move exception injection into {,compat_}test_all_events() [Andrew Cooper]
  • abe5fb9218: x86/traps: Fix %dr6 handing in #DB handler [Andrew Cooper]

This release also contains changes to qemu-upstream, whose changelog we do not list here because it contains many changes that are not directly related to the Xen Project Hypervisor and thus to this release. However, you can check https://xenbits.xenproject.org/gitweb/?p=qemu-xen.git;a=shortlog (between tags qemu-xen-4.10.1 and qemu-xen-4.10.2). This release does not contain fixes to qemu-traditional.

This release, which includes source code for qemu-traditional and qemu-upstream, contains the following security fixes. 

XSA      Xen               qemu-traditional  qemu-upstream
XSA-260  Applied           N/A               N/A
XSA-261  Applied           N/A               N/A
XSA-262  Applied           N/A               N/A
XSA-263  Applied           N/A               N/A
XSA-264  Applied           N/A               N/A
XSA-265  Applied           N/A               N/A
XSA-266  Applied           N/A               N/A
XSA-267  Applied           N/A               N/A
XSA-268  Applied           N/A               N/A
XSA-269  Applied           N/A               N/A
XSA-270  N/A (Linux only)  ...               ...
XSA-271  N/A (XAPI only)   ...               ...
XSA-272  Applied           N/A               N/A
XSA-273  Applied           N/A               N/A
XSA-274  N/A (Linux only)  ...               ...

See https://xenbits.xenproject.org/xsa/ for details related to Xen Project security advisories.

We recommend that all users of the 4.10 stable series update to this latest point release.