XCP-ng

    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Groups

    Updates announcements and testing

    News
    61
    545
    192820
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stormi
      stormi Vates ๐Ÿช XCP-ng Team ๐Ÿš€ last edited by

      New security updates (xen, Intel microcode)

      Impact: host crash by exploiting PCI passthrough from a VM

      Citrix' security bulletin: https://support.citrix.com/article/CTX390511

      Test on XCP-ng 8.2

      From an up to date host:

      yum clean metadata --enablerepo=xcp-ng-testing
      yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
      reboot
      

      Versions:

      • xen-*: 4.13.4-9.21.1.xcpng8.2

      What to test

      Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

      Test window before official release of the updates

      ~2 days.

      A J 2 Replies Last reply Reply Quote 0
      • olivierlambert
        olivierlambert Vates ๐Ÿช Co-Founder๐Ÿฆธ CEO ๐Ÿง‘โ€๐Ÿ’ผ last edited by

        Tested here on one home lab machine, it works ๐Ÿ‘

        1 Reply Last reply Reply Quote 0
        • A
          Andrew Top contributor ๐Ÿ’ช @stormi last edited by

          @stormi Post update, things are working as normal on my hosts.

          1 Reply Last reply Reply Quote 2
          • H
            HeMaN last edited by

            updated and all fine

            1 Reply Last reply Reply Quote 2
            • J
              JeffBerntsen @stormi last edited by

              @stormi Seems to be working well for me too.

              1 Reply Last reply Reply Quote 1
              • stormi
                stormi Vates ๐Ÿช XCP-ng Team ๐Ÿš€ last edited by

                Thanks for your tests. Xen developers have found an issue in the patches so I will provide a new test package when ready. The issue is rather specific so I doubt your hosts will be affected, but if you prefer to revert you can with: yum downgrade "xen-*".

                1 Reply Last reply Reply Quote 0
                • stormi
                  stormi Vates ๐Ÿช XCP-ng Team ๐Ÿš€ last edited by stormi

                  So, new packages are now available for this security update, which now have fixes for the regressions the previous fixes caused.

                  Note that you were really unlikely to be directly affected by those regressions. They have been detected by code analysis tools, but all other CI tests did already pass with the previous update (Xen's CI, Citrix' CI, XCP-ng's CI).

                  Install the update with:

                  yum clean metadata --enablerepo=xcp-ng-testing
                  yum update xen-dom0-libs xen-dom0-tools xen-hypervisor xen-libs xen-tools --enablerepo=xcp-ng-testing
                  reboot
                  

                  Version for xen-*: 4.13.4-9.21.1.xcpng8.2

                  If I could get feedback on it within 24h, this would be wonderful.

                  A theAeon 2 Replies Last reply Reply Quote 0
                  • olivierlambert
                    olivierlambert Vates ๐Ÿช Co-Founder๐Ÿฆธ CEO ๐Ÿง‘โ€๐Ÿ’ผ last edited by

                    Tested and OK here ๐Ÿ‘

                    1 Reply Last reply Reply Quote 1
                    • A
                      Andrew Top contributor ๐Ÿ’ช @stormi last edited by

                      @stormi Updates ran fine. Systems seem to be working.

                      1 Reply Last reply Reply Quote 2
                      • theAeon
                        theAeon @stormi last edited by

                        just joining the crowd of "seems fine"

                        1 Reply Last reply Reply Quote 2
                        • stormi
                          stormi Vates ๐Ÿช XCP-ng Team ๐Ÿš€ last edited by

                          Thank you everyone.

                          The update is published: https://xcp-ng.org/blog/2022/04/11/april-2022-security-update/

                          1 Reply Last reply Reply Quote 1
                          • gduperrey
                            gduperrey Vates ๐Ÿช XCP-ng Team ๐Ÿš€ last edited by gduperrey

                            New updates (xen, Intel & AMD microcode)

                            • Update the Intel microcode for the "IPU 2022.1" vulnerability (and other vulnerabilities and bugs)
                              • "A potential security vulnerability in some Intelยฎ Processors may allow information disclosure. Intel is releasing firmware updates to mitigate this potential vulnerability."
                              • See https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00617.html
                            • Update AMD microcode for Fam17h and Fam19h
                            • Citrix also released an update for Xen. As we had already anticipated the patches they added (that fixed regressions introduced by the fixes to the XSA-400 vulnerabilities), it does not change anything for XCP-ng. We synced our RPM with theirs anyway to make future updates easier.

                            Citrix' hotfix: https://support.citrix.com/article/CTX459703

                            Test on XCP-ng 8.2

                            From an up to date host:

                            yum clean metadata --enablerepo=xcp-ng-testing
                            yum update microcode_ctl linux-firmware "xen-*" --enablerepo=xcp-ng-testing
                            reboot
                            

                            Versions:

                            • xen-*: 4.13.4-9.22.1.xcpng8.2
                            • microcode_ctl: 2:2.1-26.xs21.xcpng8.2
                            • linux-firmware: 20190314-4.xcpng8.2

                            What to test

                            Normal use and anything else you want to test. The closer to your actual use of XCP-ng, the better.

                            Test window before official release of the updates

                            ~3 days.

                            A R theAeon gskger 4 Replies Last reply Reply Quote 1
                            • A
                              Andrew Top contributor ๐Ÿ’ช @gduperrey last edited by

                              @gduperrey It's working for me, but my CPUs are not covered by the update. Normal operations seem normal.

                              1 Reply Last reply Reply Quote 2
                              • R
                                ravenet @gduperrey last edited by

                                @gduperrey Seems fine here as well under basic usage.

                                1 Reply Last reply Reply Quote 2
                                • theAeon
                                  theAeon @gduperrey last edited by theAeon

                                  @gduperrey Skylake-S Xeon here w/o patched bios, works fine so far.

                                  edit: double checked /proc/cpuinfo, seems the ucode update is applying correctly, so, yeah, it worked.

                                  1 Reply Last reply Reply Quote 2
                                  • olivierlambert
                                    olivierlambert Vates ๐Ÿช Co-Founder๐Ÿฆธ CEO ๐Ÿง‘โ€๐Ÿ’ผ last edited by

                                    Tested on my EPYC test bench (so not really relevant), but at least nothing broke ๐Ÿ™‚

                                    1 Reply Last reply Reply Quote 2
                                    • gskger
                                      gskger Top contributor ๐Ÿ’ช @gduperrey last edited by gskger

                                      @gduperrey Updated my two host playlab (Dell Optiplex 9010, Intel i5-3550 CPU). Everything works as expected, but I doubt my CPUs are relevant for the update either.

                                      I have a strange INTERNAL_ERROR((Failure "Expected string, got 'N'")) error with Xen Orchestra (from 3rd party script update to commit a1bcd) when creating a new Debian 11 VM as part of my test procedure, but I could continue with XCP-ng Center. Just found and will follow xoce INTERNAL_ERROR while trying to create VM.

                                      1 Reply Last reply Reply Quote 2
                                      • olivierlambert
                                        olivierlambert Vates ๐Ÿช Co-Founder๐Ÿฆธ CEO ๐Ÿง‘โ€๐Ÿ’ผ last edited by

                                        Yes, it's likely unrelated ๐Ÿ™‚ Thanks for the report @gskger !

                                        1 Reply Last reply Reply Quote 0
                                        • gduperrey
                                          gduperrey Vates ๐Ÿช XCP-ng Team ๐Ÿš€ last edited by

                                          Update released. Thanks everyone for testing!

                                          https://xcp-ng.org/blog/2022/05/16/may-2022-security-update/

                                          1 Reply Last reply Reply Quote 3
                                          • stormi
                                            stormi Vates ๐Ÿช XCP-ng Team ๐Ÿš€ last edited by

                                            New update candidate: uefistored

                                            As microsoft.com recently blocked the user agent our secureboot-certs script uses to download UEFI Secure Boot certificates from them, we took the following actions:

                                            • Documented how to download and install the certificates manually: https://xcp-ng.org/docs/guides.html#install-the-default-uefi-certificates-manually
                                            • Changed the user agent in secureboot-certs to make the automated download and installation possible again.
                                            • Added a new --user-agent parameter to secureboot-certs install to let you override the default easily in case of future need.
                                            • Improved the error message in case of download failure to 1. let users know about the --user-agent parameter and 2. provide the link towards the manual installation instructions.

                                            Test on XCP-ng 8.2

                                            From an up to date host:

                                            yum clean metadata --enablerepo=xcp-ng-testing
                                            yum update uefistored --enablerepo=xcp-ng-testing
                                            

                                            No toolstack restart or reboot needed.

                                            Versions:

                                            • uefistored: 1.1.5-1.xcpng8.2.x86_64

                                            What to test

                                            UEFI VMs. Secure Boot. Installation of certificates using secureboot-certs install: manual install, automated install with default user agent, automated install with --user-agent parameter.

                                            Test window before official release of the updates

                                            ~ 1 week. Maybe more if it allows to synchronise with other updates not too far in the future.

                                            A 1 Reply Last reply Reply Quote 2
                                            • First post
                                              Last post