DROPPED[K]: APPLIED: [SRU][v2][PATCH 0/2][j/gcp][k] sev-guest vulnerability fix + follow-up

Stefan Bader stefan.bader at canonical.com
Fri May 12 07:54:56 UTC 2023


On 12.05.23 07:53, Khaled Elmously wrote:
> Thanks for the reviews!
> 
> On 2023-05-11 03:23:54 , Khalid Elmously wrote:
>>
>> BugLink: https://bugs.launchpad.net/bugs/2013198
>>
>> "virt/sev-guest: Prevent IV reuse in the SNP guest driver" is from upstream 5.19 and
>> it fixes a vulnerability in SEV-SNP but it also introduced its own problem which was
>> fixed in "virt/coco/sev-guest: Add throttling awareness" which was merged upstream in 6.3
>>
>> Neither patch is present in the Jammmy (5.15) kernels - however, out of the 5.15 kernels they are only needed in j/gcp as this is the only 5.15 kernel that has SEV-SNP support.
>>
>> The first patch ("virt/sev-guest: Prevent IV reuse in the SNP guest driver") is already present in the Kinetic (5.19) kernel - so only the follow-up fix is needed there
>>
>> Lunar (6.2) kernels already contain both patches (the first is from 5.19, the second came from linux-stable)
>>
>>
>> Testing: Boot tested the patches in a SEV-SNP environment.
>>
>>
>> v2:
>>   - Include fixes for Kinetic (5.19) kernels
>>   - Update 'backport' section with more detail
>>
>>
>> Dionna Glaze (1):
>>    virt/coco/sev-guest: Add throttling awareness
>>
>> Peter Gonda (1):
>>    virt/sev-guest: Prevent IV reuse in the SNP guest driver
>>
>>   arch/x86/include/asm/sev-common.h     |  3 +-
>>   arch/x86/kernel/sev.c                 |  4 +-
>>   drivers/virt/coco/sevguest/sevguest.c | 95 ++++++++++++++++++++++-----
>>   3 files changed, 83 insertions(+), 19 deletions(-)
>>
>> -- 
>> 2.34.1
>>
> 

I purged this from kinetic:linux. First, it was submitted after the 
deadline and there was no communication why this should be treated with 
priority. Second, it is the owner of the kernel (or the owners team) 
that applies patches. Third, I am not convinced this is critical for 
kinetic:linux. If it is then why not the same in jammy? For the upcoming 
cycle this can be picked into kinetic:linux-gcp if it matters. For main 
we should do it consistently, with reasoning and not sneaked in behind 
our backs.
-- 
- Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 44613 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230512/2e0e0dfb/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230512/2e0e0dfb/attachment-0001.sig>


More information about the kernel-team mailing list