-rw-r--r--system/xen/dom0/config-5.15.139-xen.x86_64 (renamed from system/xen/dom0/config-5.15.94-xen.x86_64)29
-rw-r--r--system/xen/dom0/kernel-xen.sh4
-rw-r--r--system/xen/domU/domU.sh2
-rw-r--r--system/xen/patches/edk2-ovmf-202105-werror.patch38
-rw-r--r--system/xen/patches/edk2-ovmf-werror.diff34
-rw-r--r--system/xen/patches/qemu-remove-password-option-for-spice.patch123
-rw-r--r--system/xen/patches/symlinks_instead_of_hardlinks.diff21
-rw-r--r--system/xen/xen.SlackBuild17
-rw-r--r--system/xen/xen.info18
-rw-r--r--system/xen/xsa/xsa437.patch110
10 files changed, 197 insertions, 199 deletions
diff --git a/system/xen/dom0/config-5.15.94-xen.x86_64 b/system/xen/dom0/config-5.15.139-xen.x86_64
index a84c93e24e4da..b5c74fb8ff28e 100644
--- a/system/xen/dom0/config-5.15.94-xen.x86_64
+++ b/system/xen/dom0/config-5.15.139-xen.x86_64
@@ -1,6 +1,6 @@
#
# Automatically generated file; DO NOT EDIT.
-# Linux/x86 5.15.94 Kernel Configuration
+# Linux/x86 5.15.139 Kernel Configuration
#
CONFIG_CC_VERSION_TEXT="gcc (GCC) 11.2.0"
CONFIG_CC_IS_GCC=y
@@ -18,6 +18,7 @@ CONFIG_CC_HAS_ASM_GOTO_OUTPUT=y
CONFIG_CC_HAS_ASM_GOTO_TIED_OUTPUT=y
CONFIG_CC_HAS_ASM_INLINE=y
CONFIG_CC_HAS_NO_PROFILE_FN_ATTR=y
+CONFIG_PAHOLE_VERSION=0
CONFIG_IRQ_WORK=y
CONFIG_BUILDTIME_TABLE_SORT=y
CONFIG_THREAD_INFO_IN_TASK=y
@@ -442,7 +443,7 @@ CONFIG_I8K=m
CONFIG_MICROCODE=y
CONFIG_MICROCODE_INTEL=y
CONFIG_MICROCODE_AMD=y
-CONFIG_MICROCODE_OLD_INTERFACE=y
+# CONFIG_MICROCODE_LATE_LOADING is not set
CONFIG_X86_MSR=y
CONFIG_X86_CPUID=y
# CONFIG_X86_5LEVEL is not set
@@ -525,6 +526,8 @@ CONFIG_RETHUNK=y
CONFIG_CPU_UNRET_ENTRY=y
CONFIG_CPU_IBPB_ENTRY=y
CONFIG_CPU_IBRS_ENTRY=y
+CONFIG_CPU_SRSO=y
+# CONFIG_GDS_FORCE_MITIGATION is not set
CONFIG_ARCH_HAS_ADD_PAGES=y
CONFIG_ARCH_MHP_MEMMAP_ON_MEMORY_ENABLE=y
CONFIG_USE_PERCPU_NUMA_NODE_ID=y
@@ -756,6 +759,7 @@ CONFIG_GENERIC_SMP_IDLE_THREAD=y
CONFIG_ARCH_HAS_FORTIFY_SOURCE=y
CONFIG_ARCH_HAS_SET_MEMORY=y
CONFIG_ARCH_HAS_SET_DIRECT_MAP=y
+CONFIG_ARCH_HAS_CPU_FINALIZE_INIT=y
CONFIG_HAVE_ARCH_THREAD_STRUCT_WHITELIST=y
CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT=y
CONFIG_ARCH_WANTS_NO_INSTR=y
@@ -1517,13 +1521,6 @@ CONFIG_IP6_NF_TARGET_NPT=m
# end of IPv6: Netfilter Configuration
CONFIG_NF_DEFRAG_IPV6=m
-
-#
-# DECnet: Netfilter Configuration
-#
-# CONFIG_DECNET_NF_GRABULATOR is not set
-# end of DECnet: Netfilter Configuration
-
CONFIG_NF_TABLES_BRIDGE=m
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_BRIDGE_REJECT=m
@@ -1627,8 +1624,6 @@ CONFIG_NET_DSA_TAG_XRS700X=m
CONFIG_VLAN_8021Q=m
CONFIG_VLAN_8021Q_GVRP=y
CONFIG_VLAN_8021Q_MVRP=y
-CONFIG_DECNET=m
-# CONFIG_DECNET_ROUTER is not set
CONFIG_LLC=m
CONFIG_LLC2=m
CONFIG_ATALK=m
@@ -1703,14 +1698,11 @@ CONFIG_NET_SCH_ETS=m
#
CONFIG_NET_CLS=y
CONFIG_NET_CLS_BASIC=m
-CONFIG_NET_CLS_TCINDEX=m
CONFIG_NET_CLS_ROUTE4=m
CONFIG_NET_CLS_FW=m
CONFIG_NET_CLS_U32=m
# CONFIG_CLS_U32_PERF is not set
CONFIG_CLS_U32_MARK=y
-CONFIG_NET_CLS_RSVP=m
-CONFIG_NET_CLS_RSVP6=m
CONFIG_NET_CLS_FLOW=m
CONFIG_NET_CLS_CGROUP=y
CONFIG_NET_CLS_BPF=m
@@ -2528,7 +2520,6 @@ CONFIG_BLK_DEV_CRYPTOLOOP=m
CONFIG_BLK_DEV_DRBD=m
# CONFIG_DRBD_FAULT_INJECTION is not set
CONFIG_BLK_DEV_NBD=m
-CONFIG_BLK_DEV_SX8=m
CONFIG_BLK_DEV_RAM=y
CONFIG_BLK_DEV_RAM_COUNT=16
CONFIG_BLK_DEV_RAM_SIZE=16384
@@ -8173,9 +8164,10 @@ CONFIG_AMILO_RFKILL=m
CONFIG_FUJITSU_LAPTOP=m
CONFIG_FUJITSU_TABLET=m
CONFIG_GPD_POCKET_FAN=m
+CONFIG_X86_PLATFORM_DRIVERS_HP=y
CONFIG_HP_ACCEL=m
-CONFIG_WIRELESS_HOTKEY=m
CONFIG_HP_WMI=m
+CONFIG_WIRELESS_HOTKEY=m
CONFIG_IBM_RTL=m
CONFIG_IDEAPAD_LAPTOP=m
CONFIG_SENSORS_HDAPS=m
@@ -8572,6 +8564,11 @@ CONFIG_XILINX_XADC=m
# end of Analog to digital converters
#
+# Analog to digital and digital to analog converters
+#
+# end of Analog to digital and digital to analog converters
+
+#
# Analog Front Ends
#
# end of Analog Front Ends
diff --git a/system/xen/dom0/kernel-xen.sh b/system/xen/dom0/kernel-xen.sh
index 17a79170b502c..0741ee7ce9216 100644
--- a/system/xen/dom0/kernel-xen.sh
+++ b/system/xen/dom0/kernel-xen.sh
@@ -5,8 +5,8 @@
# Written by Chris Abela <chris.abela@maltats.com>, 20100515
# Modified by Mario Preksavec <mario@slackware.hr>
-KERNEL=${KERNEL:-5.15.94}
-XEN=${XEN:-4.17.1}
+KERNEL=${KERNEL:-5.15.139}
+XEN=${XEN:-4.18.0}
ROOTMOD=${ROOTMOD:-ext4}
ROOTFS=${ROOTFS:-ext4}
diff --git a/system/xen/domU/domU.sh b/system/xen/domU/domU.sh
index 9df7b99008e72..4b167fc63a627 100644
--- a/system/xen/domU/domU.sh
+++ b/system/xen/domU/domU.sh
@@ -7,7 +7,7 @@
set -e
-KERNEL=${KERNEL:-5.15.94}
+KERNEL=${KERNEL:-5.15.139}
# Build an image for the root file system and another for the swap
# Default values : 8GB and 500MB resepectively.
diff --git a/system/xen/patches/edk2-ovmf-202105-werror.patch b/system/xen/patches/edk2-ovmf-202105-werror.patch
deleted file mode 100644
index db71faed77286..0000000000000
--- a/system/xen/patches/edk2-ovmf-202105-werror.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-diff --git a/BaseTools/Conf/tools_def.template b/BaseTools/Conf/tools_def.template
-index 498696e..8a360f4 100755
---- a/BaseTools/Conf/tools_def.template
-+++ b/BaseTools/Conf/tools_def.template
-@@ -1863,7 +1863,7 @@ NOOPT_*_*_OBJCOPY_ADDDEBUGFLAG = --add-gnu-debuglink=$(DEBUG_DIR)/$(MODULE_N
- *_*_*_DTCPP_PATH = DEF(DTCPP_BIN)
- *_*_*_DTC_PATH = DEF(DTC_BIN)
-
--DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -include AutoGen.h -fno-common
-+DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Wno-array-bounds -include AutoGen.h -fno-common
- DEFINE GCC_IA32_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -m32 -malign-double -freorder-blocks -freorder-blocks-and-partition -O2 -mno-stack-arg-probe
- DEFINE GCC_X64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mno-red-zone -Wno-address -mno-stack-arg-probe
- DEFINE GCC_ARM_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -mfloat-abi=soft -fno-pic -fno-pie
-diff --git a/BaseTools/Source/C/Makefiles/header.makefile b/BaseTools/Source/C/Makefiles/header.makefile
-index 0df728f..49f9706 100644
---- a/BaseTools/Source/C/Makefiles/header.makefile
-+++ b/BaseTools/Source/C/Makefiles/header.makefile
-@@ -82,17 +82,17 @@ BUILD_OPTFLAGS = -O2 $(EXTRA_OPTFLAGS)
-
- ifeq ($(DARWIN),Darwin)
- # assume clang or clang compatible flags on OS X
--BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror \
-+BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall \
- -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -g
- else
- ifeq ($(CXX), llvm)
- BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
---fno-delete-null-pointer-checks -Wall -Werror \
-+-fno-delete-null-pointer-checks -Wall \
- -Wno-deprecated-declarations -Wno-self-assign \
- -Wno-unused-result -nostdlib -g
- else
- BUILD_CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
---fno-delete-null-pointer-checks -Wall -Werror \
-+-fno-delete-null-pointer-checks -Wall \
- -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \
- -Wno-unused-result -nostdlib -g
- endif
diff --git a/system/xen/patches/edk2-ovmf-werror.diff b/system/xen/patches/edk2-ovmf-werror.diff
new file mode 100644
index 0000000000000..49915c25c9498
--- /dev/null
+++ b/system/xen/patches/edk2-ovmf-werror.diff
@@ -0,0 +1,34 @@
+--- xen-4.18.0/tools/firmware/ovmf-dir-remote/BaseTools/Conf/tools_def.template.ORIG 2023-05-24 14:59:54.000000000 +0200
++++ xen-4.18.0/tools/firmware/ovmf-dir-remote/BaseTools/Conf/tools_def.template 2023-12-05 03:34:17.395390728 +0100
+@@ -739,7 +739,7 @@
+ *_*_*_DTCPP_PATH = DEF(DTCPP_BIN)
+ *_*_*_DTC_PATH = DEF(DTC_BIN)
+
+-DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Werror -Wno-array-bounds -include AutoGen.h -fno-common
++DEFINE GCC_ALL_CC_FLAGS = -g -Os -fshort-wchar -fno-builtin -fno-strict-aliasing -Wall -Wno-array-bounds -include AutoGen.h -fno-common
+ DEFINE GCC_ARM_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mlittle-endian -mabi=aapcs -fno-short-enums -funsigned-char -ffunction-sections -fdata-sections -fomit-frame-pointer -Wno-address -mthumb -fno-pic -fno-pie
+ DEFINE GCC_LOONGARCH64_CC_FLAGS = DEF(GCC_ALL_CC_FLAGS) -mabi=lp64d -fno-asynchronous-unwind-tables -fno-plt -Wno-address -fno-short-enums -fsigned-char -ffunction-sections -fdata-sections
+ DEFINE GCC_ARM_CC_XIPFLAGS = -mno-unaligned-access
+--- xen-4.18.0/tools/firmware/ovmf-dir-remote/BaseTools/Source/C/Makefiles/header.makefile.ORIG 2023-05-24 14:59:54.000000000 +0200
++++ xen-4.18.0/tools/firmware/ovmf-dir-remote/BaseTools/Source/C/Makefiles/header.makefile 2023-12-05 03:36:03.531794147 +0100
+@@ -89,17 +89,17 @@
+
+ ifeq ($(DARWIN),Darwin)
+ # assume clang or clang compatible flags on OS X
+-CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall -Werror \
++CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -Wall \
+ -Wno-deprecated-declarations -Wno-self-assign -Wno-unused-result -nostdlib -g
+ else
+ ifneq ($(CLANG),)
+ CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
+--fno-delete-null-pointer-checks -Wall -Werror \
++-fno-delete-null-pointer-checks -Wall \
+ -Wno-deprecated-declarations -Wno-self-assign \
+ -Wno-unused-result -nostdlib -g
+ else
+ CFLAGS = -MD -fshort-wchar -fno-strict-aliasing -fwrapv \
+--fno-delete-null-pointer-checks -Wall -Werror \
++-fno-delete-null-pointer-checks -Wall \
+ -Wno-deprecated-declarations -Wno-stringop-truncation -Wno-restrict \
+ -Wno-unused-result -nostdlib -g
+ endif
diff --git a/system/xen/patches/qemu-remove-password-option-for-spice.patch b/system/xen/patches/qemu-remove-password-option-for-spice.patch
new file mode 100644
index 0000000000000..210d9d99f3309
--- /dev/null
+++ b/system/xen/patches/qemu-remove-password-option-for-spice.patch
@@ -0,0 +1,123 @@
+From 36debafddd788066be10b33c5f11b984a08e5c85 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
+Date: Thu, 1 Dec 2022 04:22:11 -0500
+Subject: [PATCH] ui: remove deprecated 'password' option for SPICE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This has been replaced by the 'password-secret' option,
+which references a 'secret' object instance.
+
+Reviewed-by: Fabiano Rosas <farosas@suse.de>
+Reviewed-by: Markus Armbruster <armbru@redhat.com>
+Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
+---
+ docs/about/deprecated.rst | 8 --------
+ docs/about/removed-features.rst | 7 +++++++
+ qemu-options.hx | 9 +--------
+ ui/spice-core.c | 15 ---------------
+ 4 files changed, 8 insertions(+), 31 deletions(-)
+
+diff --git a/docs/about/deprecated.rst b/docs/about/deprecated.rst
+index d31ffa86d40..2827b0c0beb 100644
+--- a/docs/about/deprecated.rst
++++ b/docs/about/deprecated.rst
+@@ -66,14 +66,6 @@ and will cause a warning.
+ The replacement for the ``nodelay`` short-form boolean option is ``nodelay=on``
+ rather than ``delay=off``.
+
+-``-spice password=string`` (since 6.0)
+-''''''''''''''''''''''''''''''''''''''
+-
+-This option is insecure because the SPICE password remains visible in
+-the process listing. This is replaced by the new ``password-secret``
+-option which lets the password be securely provided on the command
+-line using a ``secret`` object instance.
+-
+ ``-smp`` ("parameter=0" SMP configurations) (since 6.2)
+ '''''''''''''''''''''''''''''''''''''''''''''''''''''''
+
+diff --git a/docs/about/removed-features.rst b/docs/about/removed-features.rst
+index 4a84e6174fe..e901637ce5f 100644
+--- a/docs/about/removed-features.rst
++++ b/docs/about/removed-features.rst
+@@ -428,6 +428,13 @@ respectively. The actual backend names should be used instead.
+ Use ``-drive if=pflash`` to configure the OTP device of the sifive_u
+ RISC-V machine instead.
+
++``-spice password=string`` (removed in 8.0)
++'''''''''''''''''''''''''''''''''''''''''''
++
++This option was insecure because the SPICE password remained visible in
++the process listing. This was replaced by the new ``password-secret``
++option which lets the password be securely provided on the command
++line using a ``secret`` object instance.
+
+ QEMU Machine Protocol (QMP) commands
+ ------------------------------------
+diff --git a/qemu-options.hx b/qemu-options.hx
+index e79ff4d8fb9..cafd8be8eda 100644
+--- a/qemu-options.hx
++++ b/qemu-options.hx
+@@ -2135,7 +2135,7 @@ DEF("spice", HAS_ARG, QEMU_OPTION_spice,
+ " [,tls-channel=[main|display|cursor|inputs|record|playback]]\n"
+ " [,plaintext-channel=[main|display|cursor|inputs|record|playback]]\n"
+ " [,sasl=on|off][,disable-ticketing=on|off]\n"
+- " [,password=<string>][,password-secret=<secret-id>]\n"
++ " [,password-secret=<secret-id>]\n"
+ " [,image-compression=[auto_glz|auto_lz|quic|glz|lz|off]]\n"
+ " [,jpeg-wan-compression=[auto|never|always]]\n"
+ " [,zlib-glz-wan-compression=[auto|never|always]]\n"
+@@ -2161,13 +2161,6 @@ SRST
+ ``ipv4=on|off``; \ ``ipv6=on|off``; \ ``unix=on|off``
+ Force using the specified IP version.
+
+- ``password=<string>``
+- Set the password you need to authenticate.
+-
+- This option is deprecated and insecure because it leaves the
+- password visible in the process listing. Use ``password-secret``
+- instead.
+-
+ ``password-secret=<secret-id>``
+ Set the ID of the ``secret`` object containing the password
+ you need to authenticate.
+diff --git a/ui/spice-core.c b/ui/spice-core.c
+index 72f8f1681c6..76f7c2bc3d1 100644
+--- a/ui/spice-core.c
++++ b/ui/spice-core.c
+@@ -412,9 +412,6 @@ static QemuOptsList qemu_spice_opts = {
+ .name = "unix",
+ .type = QEMU_OPT_BOOL,
+ #endif
+- },{
+- .name = "password",
+- .type = QEMU_OPT_STRING,
+ },{
+ .name = "password-secret",
+ .type = QEMU_OPT_STRING,
+@@ -666,20 +663,8 @@ static void qemu_spice_init(void)
+ }
+ passwordSecret = qemu_opt_get(opts, "password-secret");
+ if (passwordSecret) {
+- if (qemu_opt_get(opts, "password")) {
+- error_report("'password' option is mutually exclusive with "
+- "'password-secret'");
+- exit(1);
+- }
+ password = qcrypto_secret_lookup_as_utf8(passwordSecret,
+ &error_fatal);
+- } else {
+- str = qemu_opt_get(opts, "password");
+- if (str) {
+- warn_report("'password' option is deprecated and insecure, "
+- "use 'password-secret' instead");
+- password = g_strdup(str);
+- }
+ }
+
+ if (tls_port) {
+--
+GitLab
+
diff --git a/system/xen/patches/symlinks_instead_of_hardlinks.diff b/system/xen/patches/symlinks_instead_of_hardlinks.diff
index d7cbfb6544716..c4a38e3bc0f9c 100644
--- a/system/xen/patches/symlinks_instead_of_hardlinks.diff
+++ b/system/xen/patches/symlinks_instead_of_hardlinks.diff
@@ -1,15 +1,15 @@
---- xen-4.15.0/tools/xenstore/Makefile.orig 2021-04-06 19:14:18.000000000 +0200
-+++ xen-4.15.0/tools/xenstore/Makefile 2021-04-09 20:43:12.613910598 +0200
-@@ -76,7 +76,7 @@
- $(AR) cr $@ $^
+--- xen-4.18.0/tools/xs-clients/Makefile.ORIG 2023-11-16 22:44:21.000000000 +0100
++++ xen-4.18.0/tools/xs-clients/Makefile 2023-12-05 03:01:05.801759446 +0100
+@@ -29,7 +29,7 @@
+ clients: xenstore $(CLIENTS) xenstore-control
$(CLIENTS): xenstore
- ln -f xenstore $@
+ ln -sf xenstore $@
xenstore: xenstore_client.o
- $(CC) $< $(LDFLAGS) $(LDLIBS_libxenstore) $(LDLIBS_libxentoolcore) $(SOCKET_LIBS) -o $@ $(APPEND_LDFLAGS)
-@@ -117,7 +117,7 @@
+ $(CC) $(LDFLAGS) $^ $(LDLIBS) -o $@ $(APPEND_LDFLAGS)
+@@ -54,7 +54,7 @@
$(INSTALL_PROG) xenstore-control $(DESTDIR)$(bindir)
$(INSTALL_PROG) xenstore $(DESTDIR)$(bindir)
set -e ; for c in $(CLIENTS) ; do \
@@ -18,12 +18,3 @@
done
.PHONY: uninstall
-@@ -144,7 +144,7 @@
- $(INSTALL_DIR) $(DESTDIR)$(bindir)
- $(INSTALL_PROG) xenstore $(DESTDIR)$(bindir)
- set -e ; for c in $(CLIENTS) ; do \
-- ln -f $(DESTDIR)$(bindir)/xenstore $(DESTDIR)$(bindir)/$${c} ; \
-+ ln -sf xenstore $(DESTDIR)$(bindir)/$${c} ; \
- done
-
- -include $(DEPS_INCLUDE)
diff --git a/system/xen/xen.SlackBuild b/system/xen/xen.SlackBuild
index 4bee50e1e26b8..5f3f380186f6a 100644
--- a/system/xen/xen.SlackBuild
+++ b/system/xen/xen.SlackBuild
@@ -25,14 +25,14 @@
cd $(dirname $0) ; CWD=$(pwd)
PRGNAM=xen
-VERSION=${VERSION:-4.17.2}
+VERSION=${VERSION:-4.18.0}
BUILD=${BUILD:-1}
TAG=${TAG:-_SBo}
PKGTYPE=${PKGTYPE:-tgz}
-SEABIOS=${SEABIOS:-1.16.0}
-OVMF=${OVMF:-20210824_7b4a99be8a}
-IPXE=${IPXE:-3c040ad387099483102708bb1839110bc788cefb}
+SEABIOS=${SEABIOS:-1.16.2}
+OVMF=${OVMF:-20230524_ba91d0292e}
+IPXE=${IPXE:-1d1cf74a5e58811822bee4b3da3cff7282fcdfca}
if [ -z "$ARCH" ]; then
case "$( uname -m )" in
@@ -169,19 +169,20 @@ patch -p1 <$CWD/patches/stubdom_zlib_disable_man_install.diff
# Fix glibc-2.27 build
if [ "$(ldd --version | awk '{print $NF; exit}')" = "2.27" ]; then
- ( cd tools/qemu-xen && patch -p1 <$CWD/patches/glibc-memfd_fix_configure_test.patch )
+ tools/qemu-xen && patch -d tools/qemu-xen -p1 <$CWD/patches/glibc-memfd_fix_configure_test.patch
fi
# Fix ovmf firmware build
-( cd tools/firmware/ovmf-dir-remote && \
- patch -p1 <$CWD/patches/edk2-ovmf-202105-werror.patch
-)
+patch -p1 <$CWD/patches/edk2-ovmf-werror.diff
# Fix binutils-2.36 build
if [ "$(objcopy --version | awk '{print $NF; exit}' | cut -d- -f1)" = "2.36" ]; then
patch -p1 <$CWD/patches/qemu-xen-no-pie.diff
fi
+# Revert QEMU password removal for spice
+patch -d tools/qemu-xen -p1 -R <$CWD/patches/qemu-remove-password-option-for-spice.patch
+
CFLAGS="$SLKCFLAGS" \
CXXFLAGS="$SLKCFLAGS" \
./configure \
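Review bot: Applying `qemu-remove-password-option-for-spice.patch` with `-R` brings back the `-spice password=<string>` option, which the patch's own text says was removed because the SPICE password stays visible in the process listing; the one-line comment above the call does not mention this. The comment could state the exposure and the reason for the revert (not visible in this hunk), for example `# Re-enable the removed '-spice password=' option; the password is then visible in the process listing, so prefer password-secret where possible`. Separately, in the glibc-2.27 branch the new line starts with `tools/qemu-xen &&`, which tries to execute the directory as a command and fails, so the `patch` after `&&` is skipped and the fix is never applied. That line should read `patch -d tools/qemu-xen -p1 <$CWD/patches/glibc-memfd_fix_configure_test.patch`.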
diff --git a/system/xen/xen.info b/system/xen/xen.info
index e1a3760f26096..83847ec03174d 100644
--- a/system/xen/xen.info
+++ b/system/xen/xen.info
@@ -1,10 +1,10 @@
PRGNAM="xen"
-VERSION="4.17.2"
+VERSION="4.18.0"
HOMEPAGE="http://www.xenproject.org/"
DOWNLOAD="UNSUPPORTED"
MD5SUM=""
-DOWNLOAD_x86_64="http://mirror.slackware.hr/sources/xen/xen-4.17.2.tar.gz \
- http://mirror.slackware.hr/sources/xen-extfiles/ipxe-git-3c040ad387099483102708bb1839110bc788cefb.tar.gz \
+DOWNLOAD_x86_64="http://mirror.slackware.hr/sources/xen/xen-4.18.0.tar.gz \
+ http://mirror.slackware.hr/sources/xen-extfiles/ipxe-git-1d1cf74a5e58811822bee4b3da3cff7282fcdfca.tar.gz \
http://mirror.slackware.hr/sources/xen-extfiles/lwip-1.3.0.tar.gz \
http://mirror.slackware.hr/sources/xen-extfiles/zlib-1.2.3.tar.gz \
http://mirror.slackware.hr/sources/xen-extfiles/newlib-1.16.0.tar.gz \
@@ -13,10 +13,10 @@ DOWNLOAD_x86_64="http://mirror.slackware.hr/sources/xen/xen-4.17.2.tar.gz \
http://mirror.slackware.hr/sources/xen-extfiles/polarssl-1.1.4-gpl.tgz \
http://mirror.slackware.hr/sources/xen-extfiles/gmp-4.3.2.tar.bz2 \
http://mirror.slackware.hr/sources/xen-extfiles/tpm_emulator-0.7.4.tar.gz \
- http://mirror.slackware.hr/sources/xen-seabios/seabios-1.16.0.tar.gz \
- http://mirror.slackware.hr/sources/xen-ovmf/xen-ovmf-20210824_7b4a99be8a.tar.bz2"
-MD5SUM_x86_64="f344056c4566ac1627db46ea92588c3a \
- 23ba00d5e2c5b4343d12665af73e1cb5 \
+ http://mirror.slackware.hr/sources/xen-seabios/seabios-1.16.2.tar.gz \
+ http://mirror.slackware.hr/sources/xen-ovmf/xen-ovmf-20230524_ba91d0292e.tar.bz2"
+MD5SUM_x86_64="c564d641a8638cfd43a0a810ebce2179 \
+ 0d0dc7451b47f2c7a2992bbec20bf4d0 \
36cc57650cffda9a0269493be2a169bb \
debc62758716a169df9f62e6ab2bc634 \
bf8f1f9e3ca83d732c00a79a6ef29bc4 \
@@ -25,8 +25,8 @@ MD5SUM_x86_64="f344056c4566ac1627db46ea92588c3a \
7b72caf22b01464ee7d6165f2fd85f44 \
dd60683d7057917e34630b4a787932e8 \
e26becb8a6a2b6695f6b3e8097593db8 \
- 1411e7647ef93424fe88fea5d0ef9a82 \
- 322d42a3378394b5486acc1564651a4f"
+ ef52bf37a78e78a082688a244300ab86 \
+ 00968782d77aa244952c8236c299c45b"
REQUIRES="acpica yajl"
MAINTAINER="Mario Preksavec"
EMAIL="mario at slackware dot hr"
diff --git a/system/xen/xsa/xsa437.patch b/system/xen/xsa/xsa437.patch
deleted file mode 100644
index 18c9f8fc103c9..0000000000000
--- a/system/xen/xsa/xsa437.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From 7fac5971340a13ca9458195305bcfe14df2e52d2 Mon Sep 17 00:00:00 2001
-From: Stefano Stabellini <stefano.stabellini@amd.com>
-Date: Thu, 17 Aug 2023 13:41:35 +0100
-Subject: [PATCH] xen/arm: page: Handle cache flush of an element at the top of
- the address space
-
-The region that needs to be cleaned/invalidated may be at the top
-of the address space. This means that 'end' (i.e. 'p + size') will
-be 0 and therefore nothing will be cleaned/invalidated as the check
-in the loop will always be false.
-
-On Arm64, we only support we only support up to 48-bit Virtual
-address space. So this is not a concern there. However, for 32-bit,
-the mapcache is using the last 2GB of the address space. Therefore
-we may not clean/invalidate properly some pages. This could lead
-to memory corruption or data leakage (the scrubbed value may
-still sit in the cache when the guest could read directly the memory
-and therefore read the old content).
-
-Rework invalidate_dcache_va_range(), clean_dcache_va_range(),
-clean_and_invalidate_dcache_va_range() to handle a cache flush
-with an element at the top of the address space.
-
-This is CVE-2023-34321 / XSA-437.
-
-Reported-by: Julien Grall <jgrall@amazon.com>
-Signed-off-by: Stefano Stabellini <stefano.stabellini@amd.com>
-Signed-off-by: Julien Grall <jgrall@amazon.com>
-Acked-by: Bertrand Marquis <bertrand.marquis@arm.com>
-
----
- xen/arch/arm/include/asm/page.h | 33 ++++++++++++++++++++-------------
- 1 file changed, 20 insertions(+), 13 deletions(-)
-
-diff --git a/xen/arch/arm/include/asm/page.h b/xen/arch/arm/include/asm/page.h
-index e7cd62190c7f..d7fe770a5e49 100644
---- a/xen/arch/arm/include/asm/page.h
-+++ b/xen/arch/arm/include/asm/page.h
-@@ -160,26 +160,25 @@ static inline size_t read_dcache_line_bytes(void)
-
- static inline int invalidate_dcache_va_range(const void *p, unsigned long size)
- {
-- const void *end = p + size;
- size_t cacheline_mask = dcache_line_bytes - 1;
-
- dsb(sy); /* So the CPU issues all writes to the range */
-
- if ( (uintptr_t)p & cacheline_mask )
- {
-+ size -= dcache_line_bytes - ((uintptr_t)p & cacheline_mask);
- p = (void *)((uintptr_t)p & ~cacheline_mask);
- asm volatile (__clean_and_invalidate_dcache_one(0) : : "r" (p));
- p += dcache_line_bytes;
- }
-- if ( (uintptr_t)end & cacheline_mask )
-- {
-- end = (void *)((uintptr_t)end & ~cacheline_mask);
-- asm volatile (__clean_and_invalidate_dcache_one(0) : : "r" (end));
-- }
-
-- for ( ; p < end; p += dcache_line_bytes )
-+ for ( ; size >= dcache_line_bytes;
-+ p += dcache_line_bytes, size -= dcache_line_bytes )
- asm volatile (__invalidate_dcache_one(0) : : "r" (p));
-
-+ if ( size > 0 )
-+ asm volatile (__clean_and_invalidate_dcache_one(0) : : "r" (p));
-+
- dsb(sy); /* So we know the flushes happen before continuing */
-
- return 0;
-@@ -187,10 +186,14 @@ static inline int invalidate_dcache_va_range(const void *p, unsigned long size)
-
- static inline int clean_dcache_va_range(const void *p, unsigned long size)
- {
-- const void *end = p + size;
-+ size_t cacheline_mask = dcache_line_bytes - 1;
-+
- dsb(sy); /* So the CPU issues all writes to the range */
-- p = (void *)((uintptr_t)p & ~(dcache_line_bytes - 1));
-- for ( ; p < end; p += dcache_line_bytes )
-+ size += (uintptr_t)p & cacheline_mask;
-+ size = (size + cacheline_mask) & ~cacheline_mask;
-+ p = (void *)((uintptr_t)p & ~cacheline_mask);
-+ for ( ; size >= dcache_line_bytes;
-+ p += dcache_line_bytes, size -= dcache_line_bytes )
- asm volatile (__clean_dcache_one(0) : : "r" (p));
- dsb(sy); /* So we know the flushes happen before continuing */
- /* ARM callers assume that dcache_* functions cannot fail. */
-@@ -200,10 +203,14 @@ static inline int clean_dcache_va_range(const void *p, unsigned long size)
- static inline int clean_and_invalidate_dcache_va_range
- (const void *p, unsigned long size)
- {
-- const void *end = p + size;
-+ size_t cacheline_mask = dcache_line_bytes - 1;
-+
- dsb(sy); /* So the CPU issues all writes to the range */
-- p = (void *)((uintptr_t)p & ~(dcache_line_bytes - 1));
-- for ( ; p < end; p += dcache_line_bytes )
-+ size += (uintptr_t)p & cacheline_mask;
-+ size = (size + cacheline_mask) & ~cacheline_mask;
-+ p = (void *)((uintptr_t)p & ~cacheline_mask);
-+ for ( ; size >= dcache_line_bytes;
-+ p += dcache_line_bytes, size -= dcache_line_bytes )
- asm volatile (__clean_and_invalidate_dcache_one(0) : : "r" (p));
- dsb(sy); /* So we know the flushes happen before continuing */
- /* ARM callers assume that dcache_* functions cannot fail. */
---
-2.40.1
-