I, like many others I am sure, really appreciate your clear communication on this subject, Andy, and your sensible consideration of options and plans for moving forward.
Cheers,
Richard.
On 11 January 2018 22:39:44 CET, Andy Smith <andy(a)bitfolk.com> wrote:
On Thu, Jan 04, 2018 at 03:23:45PM +0000, Andy Smith wrote:
I will post again when there is any useful information.
https://xenbits.xen.org/xsa/advisory-254.html
A technical update follows. The non-technical version of it is:
The Xen Project have released a mitigation for one of the three bugs
("Meltdown") which I will be reviewing over the next couple of days.
They also have a different mitigation for the same bug, which they
aren't quite ready with, but I do like the sound of that one a bit
more so might end up going with that one.
It seems likely that there will be some required reboots early next
week.
The more technical version:
The Xen Project have updated the XSA notice with a mitigation for
Meltdown that involves converting all the guests so they still run
as PV mode but inside HVM containers ("Vixen"). That would mitigate
the Meltdown bug for Xen, although the guests would still need their
KPTI patches.
I don't like the HVM aspect of it but as it is what is available
now, I will spend the next couple of days looking into it, and it
may get deployed over the weekend or early next week.
The other resolution is to backport the PVHv2 Xen mode back from Xen
4.10 to 4.8 and then either use that directly (PVHv2 requires
reasonably new guest kernels) or else again run them as PV-in-PVH.
Although I prefer the sound of this, they aren't ready with it yet,
and it hasn't received as much testing yet. Vixen comes from Amazon
and is apparently what every PV-mode AWS VM is running under.
If we end up going with Vixen then host reboots won't initially be
required, as it is something that guests reboot into.
Please be aware however that on BitFolk's side there are going to be
both BIOS updates and CPU microcode updates to come, which will be
necessary for later kernel-based fixes to work, so there will
definitely be at least one set of host reboots some time soon.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
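The quoted message makes a point that is easy to lose in the hypervisor discussion: the Vixen / PV-in-PVH shim protects the host from a guest reading hypervisor memory, but each guest still needs its own KPTI-patched kernel. The following guest-side check script is an added example written for this page; it is not BitFolk's or the Xen Project's code. It assumes the Linux kernel's sysfs file `/sys/devices/system/cpu/vulnerabilities/meltdown` (present on kernels with the January 2018 backports), the `pti` flag in `/proc/cpuinfo` on older patched kernels, and the kernel's Xen boot banner strings ("Booting paravirtualized kernel on Xen", "... on Xen HVM", "... on Xen PVH"), which are taken from the kernel's Xen enlightenment code and should be treated as an assumption if your kernel differs. The functions take the file contents as arguments so they can be exercised on constructed input; `--live` runs them against the current machine.

```shell
#!/bin/sh
# Added example (not from the BitFolk thread): check a Linux guest for the
# two things the message says must both hold for a PV guest to be covered,
# a KPTI-patched guest kernel and knowledge of which Xen mode it booted in.

# Classify the one-line contents of
# /sys/devices/system/cpu/vulnerabilities/meltdown. Echoes one word:
# mitigated, not-affected, vulnerable or unknown (file absent or unrecognised).
meltdown_state() {
  case "$1" in
    "Mitigation: PTI"*) echo mitigated ;;
    "Not affected"*)    echo not-affected ;;
    Vulnerable*)        echo vulnerable ;;
    *)                  echo unknown ;;
  esac
}

# Older patched kernels lack the sysfs file but advertise a "pti" flag in
# /proc/cpuinfo once page-table isolation is active. $1 is the cpuinfo text.
# Returns 0 if the flag is present on a "flags" line, 1 otherwise.
has_pti_flag() {
  printf '%s\n' "$1" | grep -qE '^flags[[:space:]]*:.*[[:space:]]pti([[:space:]]|$)'
}

# Classify the Xen boot mode from the kernel log ($1 is dmesg text).
# The banner strings are an assumption taken from the kernel's Xen code.
# Echoes hvm, pvh, pv or none.
xen_mode() {
  if   printf '%s\n' "$1" | grep -q 'Booting paravirtualized kernel on Xen HVM'; then echo hvm
  elif printf '%s\n' "$1" | grep -q 'Booting paravirtualized kernel on Xen PVH'; then echo pvh
  elif printf '%s\n' "$1" | grep -q 'Booting paravirtualized kernel on Xen$';    then echo pv
  else echo none
  fi
}

# A guest is only covered when its own kernel isolates page tables; the
# hypervisor-side shim (Vixen or PV-in-PVH) does not stand in for that.
# $1: meltdown sysfs contents, $2: cpuinfo text. Returns 0 when covered.
guest_covered() {
  state=$(meltdown_state "$1")
  [ "$state" = mitigated ] || [ "$state" = not-affected ] || has_pti_flag "$2"
}

# Live run on the current machine, using whatever the kernel exposes.
report_live() {
  vuln=$(cat /sys/devices/system/cpu/vulnerabilities/meltdown 2>/dev/null)
  cpuinfo=$(cat /proc/cpuinfo 2>/dev/null)
  log=$(dmesg 2>/dev/null)
  echo "meltdown sysfs: $(meltdown_state "$vuln")"
  echo "xen boot mode:  $(xen_mode "$log")"
  if guest_covered "$vuln" "$cpuinfo"; then
    echo "guest kernel:   KPTI present"
  else
    echo "guest kernel:   KPTI not detected; patch and reboot the guest"
  fi
}

if [ "${1:-}" = "--live" ]; then
  report_live
fi
```

Run it with `sh check-meltdown.sh --live` inside each guest after the host-side change has been rolled out; a `vulnerable` or `unknown` result with no `pti` flag means the guest kernel itself still needs the KPTI update, regardless of whether the host has moved it into an HVM or PVH container.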