diff --git a/README.markdown b/README.markdown index 4a1e070..08d374b 100644 --- a/README.markdown +++ b/README.markdown @@ -130,6 +130,19 @@ users via a login shell you can have a look at the (currently unmaintained) [xen-shell](https://xen-tools.org/software/xen-shell/) project. +### Caveats + +For security reasons (avoid risk to circumvent ASLR), recent kernels +have disabled the `vsyscall` mapping. Unfortunately older +distributions don't run and hence can't be bootstrapped without it. + +To enable trapping and enabling emulate calls into the fixed +vsyscall address mapping and hence to run and bootstrap older Linux +distributions in a chroot (as xen-tools does), you need to add +`vsyscall=emulate` to the kernel commandline, e.g. by adding it to +`GRUB_CMDLINE_LINUX_DEFAULT` in `/etc/default/grub`, then running +`update-grub` afterwards and finally reboot. + Installation ------------ diff --git a/TODO.markdown b/TODO.markdown index d0d7774..05f3977 100644 --- a/TODO.markdown +++ b/TODO.markdown @@ -55,6 +55,10 @@ Bugs to fix and features to add for 5.0 `xen-create-image` first. Which probably both would be a good idea. +* Maybe check for `vsyscall=emulate` in `GRUB_CMDLINE_LINUX_DEFAULT` + in `/etc/default/grub` if trying to install an affected Linux + distribution. + Stuff from Steve's TODO list / Generic TODOs -------------------------------------------- diff --git a/debian/NEWS b/debian/NEWS index 6d68b11..e576d6c 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,18 @@ +xen-tools (4.8-1) unstable; urgency=medium + + For security reasons (avoid risk to circumvent ASLR), recent + kernels have disabled the vsyscall mapping. Unfortunately older + distributions don't run and hence can't be bootstrapped without it. + + To enable trapping and enabling emulate calls into the fixed + vsyscall address mapping and hence to run and bootstrap older Linux + distributions in a chroot (as xen-tools does), you need to add + "vsyscall=emulate" to the kernel commandline, e.g. by adding it to + GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub, then running + "update-grub" afterwards and finally reboot. + + -- Axel Beckert Thu, 07 Feb 2019 17:40:03 +0100 + xen-tools (4.4~beta1-1) unstable; urgency=low * Exported environment variables no more contain dashes ("-"). Dashes in diff --git a/debian/changelog b/debian/changelog index b37beac..8dba93a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -56,6 +56,8 @@ xen-tools (4.8-1) UNRELEASED; urgency=medium xen-tools package also on older Debian or Ubuntu releases. * Suggest grub-xen-host despite the proper support for it is not finished. + * Add a note about "vsyscall=emulate" and older Linux distributions to + debian/NEWS. Thanks to James Clarke and Jason Crain for the hint! [ Jelmer Vernooij ] * Trim trailing whitespace from debian/changelog. (GH #54)