Security updates for Intel Hardware
A few days after releasing the previous batch of updates for XCP-ng, Intel publicly released updated microcode for CPU models still under support, and the Xen project released patches concerning the related security issues.
Security updates are available for the two supported releases of XCP-ng: 7.6 and 8.0. We advise you to apply firmware updates from your vendor and update your XCP-ng hosts soon.
To update, follow this guide. Join the discussion on our community forum.
Reboot after updating.
Extra steps are required to fully enable the mitigations if you choose to do so. Please read carefully.
Related: https://support.citrix.com/article/CTX263684
XSA-304: a hardware bug allowing a malicious guest kernel to crash the host
References:
- http://xenbits.xen.org/xsa/advisory-304.html
- https://software.intel.com/security-software-guidance/insights/deep-dive-machine-check-error-avoidance-page-size-change
Impact
A malicious guest kernel can crash the host, resulting in a Denial of
Service (DoS). (This CPU bug may also be triggered accidentally.)
Vulnerable systems
Only Intel Core based processors (from Nehalem onwards) are affected. Other processors designs (Intel Atom/Knights range), and other manufacturers (AMD) are not known to be affected.
Only x86 HVM/PVH guests can exploit the vulnerability. x86 PV guests cannot exploit the vulnerability.
Mitigation and resolution
See the Xen advisory for details.
Applying the updates on your XCP-ng hosts will not solve the issue by default. The mitigation for this issue comes with a significant performance impact, so you need to choose between performance and safety.
If you want the fix to be applied, at the cost of performance, follow these instructions. It can be done before the reboot of the host, after installing the updates.
XSA-305: "TSX Asynchronous Abort (TAA) speculative side channel"
References:
- http://xenbits.xen.org/xsa/advisory-305.html
- https://software.intel.com/security-software-guidance/insights/deep-dive-intel-transactional-synchronization-extensions-intel-tsx-asynchronous-abort
Impact
This is yet again a hardware flaw that can allow a malicious user process to sample data from recently-used memory and IO Port writes.
See the Xen advisory for details.
Vulnerable systems
Only Intel processors supporting TSX (Transactional Synchronization
eXtensions) are affected.
Not all of those are affected, depending on several criteria. See the Xen advisory for details if interested. Otherwise just apply the updates.
Resolution
The resolution involves updated microcode and updated Xen.
This will disable TSX by default when needed.
For specific workloads that require the TSX feature, the Xen advisory gives another way to protect your hosts (see "Option B"). If you're unsure if you need it, you probably don't need it: it's very specific.
Driver update for Intel 700 Series NICs
Intel not only released updated microcode for CPUs, it also released updated firmware for the Intel 700 Series NICs.
Consequently, the intel-i40e
driver package has been updated in XCP-ng 8.0 to a version that supports the newer firmware.
In XCP-ng 7.6, the package is also available but not updated by default, due to uncertainties regarding its full compatibility with the older kernel that XCP-ng 7.6 uses. You can install it with: yum update intel-i40e --enablerepo=xcp-ng-updates_testing
if you need it.