QEMU HW mitigations support (ARCH_CAPABILITIES)
A new QEMU version for Ubuntu Disco supports the CascadeLake/IceLake CPU models and the IA32_ARCH_CAPABILITIES MSR, and therefore the following HW mitigation features:
- IBRS_ALL (enhanced IBRS support)
- SKIP_L1DFL_VMENTRY (L1D flush is needed on VMENTRY)
- RDCL_NO (HW is vulnerable to Rogue Data Cache Load)
- Foreshadow-NG (OS) vuln. (L1 terminal fault, OS)
- Foreshadow-NG (VMM) vuln. (L1 terminal fault, VMM)
It is already in disco-proposed (1:3.1+dfsg-2ubuntu3.3). Anyone willing to test it can install the packages from the -proposed pocket and open bugs if needed. We haven’t provided official instructions yet, but you can follow the MDS instructions (https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/MDS) to enable specific CPU capabilities (they are disabled by default). We’re still working on the libvirt support for those.
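As an added example (not from the original post or the Ubuntu wiki): a small POSIX sh helper that decodes an IA32_ARCH_CAPABILITIES value into the QEMU 3.1 -cpu feature flags that pass those bits through to a guest, so the capabilities listed above can be enabled explicitly instead of staying at their default-off state. The function names and the sample MSR value 0x0b are mine; the QEMU flag names and the Cascadelake-Server model are assumed to match the 3.1 build discussed here.

```shell
#!/bin/sh
# Added helper (not from the original post): map IA32_ARCH_CAPABILITIES
# (MSR 0x10a) bits to the QEMU 3.1 "-cpu" feature flags that expose them to a
# guest. Bit layout per the Intel SDM; flag names per the QEMU 3.1 x86 CPU
# model code. Only the bits QEMU 3.1 models are handled (no mds-no here).
#   bit 0  RDCL_NO              -> +rdctl-no
#   bit 1  IBRS_ALL             -> +ibrs-all
#   bit 2  RSBA                 -> +rsba
#   bit 3  SKIP_L1DFL_VMENTRY   -> +skip-l1dfl-vmentry
#   bit 4  SSB_NO               -> +ssb-no

# True when bit mask $2 is set in value $1.
bit_set() { [ $(( $1 & $2 )) -ne 0 ]; }

# Print the comma-separated feature list for an MSR value (hex, e.g. 0x0b).
# "+arch-capabilities" is always emitted: it makes QEMU expose the MSR at all,
# so only call this for a host whose /proc/cpuinfo lists arch_capabilities.
arch_caps_to_qemu_features() {
    val=$(( $1 ))
    feats="+arch-capabilities"
    if bit_set "$val" 1;  then feats="$feats,+rdctl-no"; fi
    if bit_set "$val" 2;  then feats="$feats,+ibrs-all"; fi
    if bit_set "$val" 4;  then feats="$feats,+rsba"; fi
    if bit_set "$val" 8;  then feats="$feats,+skip-l1dfl-vmentry"; fi
    if bit_set "$val" 16; then feats="$feats,+ssb-no"; fi
    printf '%s\n' "$feats"
}

# Print a complete "-cpu" argument for a named model (e.g. Cascadelake-Server).
qemu_cpu_arg() {
    printf '%s,%s\n' "$1" "$(arch_caps_to_qemu_features "$2")"
}

# Does a cpuinfo file (default /proc/cpuinfo) report the MSR on the host?
host_has_arch_caps() {
    grep -qw arch_capabilities "${1:-/proc/cpuinfo}"
}

# Example: a host reporting RDCL_NO|IBRS_ALL|SKIP_L1DFL_VMENTRY (0x0b), as
# read with "rdmsr 0x10a" from msr-tools (the value is constructed here).
# qemu-system-x86_64 -enable-kvm -cpu "$(qemu_cpu_arg Cascadelake-Server 0x0b)" ...
```

Run qemu_cpu_arg only after host_has_arch_caps succeeds; advertising bits the host CPU does not have would let a guest skip mitigations it still needs.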
- QEMU s390x secure boot toleration feature (by @paelzer)
Reviewed merge requests - #1 | #2 | #3 - for the s390x secure Linux boot toleration QEMU patches. Using s390-tools from Eoan makes it possible to burn IPL stages with signed kernels; these toleration patches allow QEMU to IPL those burned “scsi” (vda) disks.
- CTDB NFS HA Enablement
LP: #722201 | DOC | PPA | Disco MR | Debian MR
The merge request was done against Ubuntu Disco, bringing all fixes done in Eoan to Disco. I’m waiting for the code to be uploaded and accepted by the SRU team in order to provide verification tests in the public bug (the PPA contains the CTDB NFS HA capable samba/ctdb package).
- Pacemaker and Corosync
Eoan Migrations | kronosnet
Corosync merges are blocked by regressions. Corosync now depends on libknet1, which is in the [universe] pocket. We’ve asked for a MIR and it has been accepted; we’re waiting for an archive admin to migrate the packages to [main]. This will unblock the merge done for Corosync. It is already merged to the latest upstream version (3.0.1-2).
Corosync and Pacemaker
Pacemaker merges are blocked by an alleged regression on the armhf architecture. Explanations of what could be happening are here, and it is possible that we force-badtest armhf for corosync/pacemaker, since armhf container limits are getting in our way here.
** OTHER **