Unverified Commit 88a7f67e authored by Emily, committed by GitHub

xen: make the EFI build mandatory, fix XSA 462 description (#347810)

parents 7f110cfc aaa4953b
+6 −17
@@ -60,7 +60,6 @@
  branch ? lib.versions.majorMinor version,
  version,
  vendor ? "nixos",
  withEFI ? true,
  withFlask ? false,
  withSeaBIOS ? true,
  withOVMF ? true,
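Review bot: dropping the `withEFI ? true` parameter removes a public knob, and the hunk gives no signal to existing callers that still pass `withEFI = false` in an override: whether that now fails with an unexpected-argument error or is silently accepted depends on whether the argument set ends in `...`, which is not visible here. Worth checking, and worth a line in the commit message saying the option is gone and EFI is always built.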
@@ -280,8 +279,6 @@ stdenv.mkDerivation (finalAttrs: {

      "GIT=${coreutils}/bin/false"
      "WGET=${coreutils}/bin/false"
    ]
    ++ optionals withEFI [
      "EFI_VENDOR=${vendor}"
      "INSTALL_EFI_STRIP=1"
      "LD=${getExe' binutils-unwrapped-all-targets "ld"}"
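Review bot: with `++ optionals withEFI [` removed, the `EFI_VENDOR`, `INSTALL_EFI_STRIP` and `LD=...binutils-unwrapped-all-targets...` entries now live in the main flag list for every build, which is the intended effect of making EFI mandatory; the hunk header's two removed lines cover both the `]` that closed the preceding list and the `optionals` line, so the list stays balanced. One consequence to call out in the commit message: `LD` is now always overridden with the all-targets binutils, not only when an EFI binary is produced.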
@@ -386,8 +383,7 @@ stdenv.mkDerivation (finalAttrs: {
    '';

  passthru = {
    efi =
      if withEFI then "boot/xen-${version}.efi" else throw "This Xen was compiled without an EFI binary.";
    efi = "boot/xen-${version}.efi";
    flaskPolicy =
      if withFlask then
        "boot/xenpolicy-${version}"
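Review bot: the `throw "This Xen was compiled without an EFI binary."` branch is dead once `withEFI` no longer exists, so collapsing `passthru.efi` to the plain `"boot/xen-${version}.efi"` path is the right cleanup; `flaskPolicy` keeps its `withFlask` guard, consistent with FLASK remaining optional.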
@@ -434,18 +430,11 @@ stdenv.mkDerivation (finalAttrs: {

        Use with the `qemu_xen` package.
      ''
      # Then, if any of the optional with* components are being built, add the "Includes:" string.
      + optionalString (withEFI || withFlask) (
        "\nIncludes:"
        # Originally, this was a call for the complicated withPrefetchedSources. Since there aren't
        # that many optional components, we just use lib.strings.optionalString, because it's simpler.
        # Optional components that aren't being built are automatically hidden.
        + optionalString withEFI "\n* `xen.efi`: The Xen Project's [EFI binary](https://xenbits.xenproject.org/docs/${branch}-testing/misc/efi.html), available on the `boot` output of this package."
      + "\nIncludes:\n* `xen.efi`: The Xen Project's [EFI binary](https://xenbits.xenproject.org/docs/${branch}-testing/misc/efi.html), available on the `boot` output of this package."
      + optionalString withFlask "\n* `xsm-flask`: The [FLASK Xen Security Module](https://wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASK). The `xenpolicy-${version}` file is available on the `boot` output of this package."
      + optionalString withSeaBIOS "\n* `seabios`: Support for the SeaBIOS boot firmware on HVM domains."
      + optionalString withOVMF "\n* `ovmf`: Support for the OVMF UEFI boot firmware on HVM domains."
      + optionalString withIPXE "\n* `ipxe`: Support for the iPXE boot firmware on HVM domains."
      )
      # Finally, we write a notice explaining which vulnerabilities this Xen is NOT vulnerable to.
      # This will hopefully give users the peace of mind that their Xen is secure, without needing
      # to search the source code for the XSA patches.
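Review bot: removing the `optionalString (withEFI || withFlask) (` guard changes more than the EFI line. The `seabios`, `ovmf` and `ipxe` entries previously sat inside that guarded parenthesis, so a build with FLASK disabled would have omitted them from the "Includes:" list even when they were built; the unconditional `"\nIncludes:\n* `xen.efi` ..."` string fixes that incidentally, and the hunk header's eight removed lines account for the closing `)` as well, so the expression stays balanced. That side effect deserves a sentence in the commit message. Minor style point: the dropped comments explained why `optionalString` was chosen over the prefetched-sources helper; since `optionalString` is still used for the remaining entries, a one-line version of that rationale could be kept.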
+0 −3
@@ -142,14 +142,11 @@ in
      In x86's APIC (Advanced Programmable Interrupt Controller) architecture,
      error conditions are reported in a status register.  Furthermore, the OS
      can opt to receive an interrupt when a new error occurs.

      It is possible to configure the error interrupt with an illegal vector,
      which generates an error when an error interrupt is raised.

      This case causes Xen to recurse through vlapic_error().  The recursion
      itself is bounded; errors accumulate in the the status register and only
      generate an interrupt when a new status bit becomes set.

      However, the lock protecting this state in Xen will try to be taken
      recursively, and deadlock.
    '';
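Review bot: the hunk drops three lines from the XSA 462 description; if those are the illegal-vector paragraph and its blank line, the following sentence "This case causes Xen to recurse through vlapic_error()" loses its antecedent and no longer tells the reader what triggers the recursion. Either keep a short clause naming the trigger condition or reword the sentence so the description stays coherent on its own. The unchanged context line "errors accumulate in the the status register" also carries a doubled "the" that could be fixed in the same commit.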