-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests
5 May 2021
AusCERT Security Bulletin Summary
Operating System: Xen
Impact/Access: Access Privileged Data -- Existing Account
Reduced Security -- Existing Account
CVE Names: CVE-2021-28689
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Xen Security Advisory CVE-2021-28689 / XSA-370
x86: Speculative vulnerabilities with bare (non-shim) 32-bit PV guests
UPDATES IN VERSION 2
Note that the patch is docs-only and the affected version ranges, in the
files summary of the Resolution section.
32-bit x86 PV guest kernels run in ring 1. At the time when Xen was
developed, this area of the i386 architecture was rarely used, which is why
Xen was able to use it to implement paravirtualisation, Xen's novel
approach to virtualization. In AMD64, Xen had to use a different
implementation approach, so Xen does not use ring 1 to support 64-bit
guests. With the focus now being on 64-bit systems, and the availability
of explicit hardware support for virtualization, fixing speculation issues
in ring 1 is not a priority for processor companies.
Indirect Branch Restricted Speculation (IBRS) is an architectural x86
extension put together to combat speculative execution sidechannel attacks,
including Spectre v2. It was retrofitted in microcode to existing CPUs.
For more details on Spectre v2, see:
However, IBRS does not architecturally protect ring 0 from predictions
learnt in ring 1.
For more details, see:
Similar situations may exist with other mitigations for other kinds of
speculative execution attacks. The situation is quite likely to be similar
for speculative execution attacks which have yet to be discovered,
disclosed, or mitigated.
A malicious 32-bit guest kernel may be able to mount a Spectre v2 attack
against Xen, despite the presence hardware protections being active.
It therefore might be able to infer the contents of arbitrary host memory,
including memory assigned to other guests.
Systems running all versions of Xen are affected.
Only x86 systems are vulnerable, and only CPUs which are potentially
vulnerable to Spectre v2. Consult your hardware manufacturer.
The vulnerability can only be exploited by 32-bit PV guests which are not
run in PV-Shim.
Running 32-bit PV guests under PV-Shim avoids the vulnerability when Spectre v2
protections are otherwise enabled on the system.
PV shim is available and fully security-supported in all
security-supported versions of Xen. Using shim is the recommended
Not running 32-bit PV guests avoids the vulnerability.
This issue was discovered by Jann Horn of Google Project Zero.
There is no resolution available, and none is ever expected.
The patches provided only update the security support statement.
The first patch is an unavoidable consequence of the discussions
above; the support status described is in effect immediately.
The security team does not consider the support status listed in patch
1 to be particularly useful; however, we do not feel we have the
authority to completely de-support non-shim 32-bit PV guests without
The second patch is the long-term support status the security team
proposes to the community. It will not become effective until three
weeks after the XSA-370 embargo lifts, and only if there are no
objections raised before that point.
If you need security support for un-shimmed 32-bit PV guests, please
make your voice heard on email@example.com (or to
firstname.lastname@example.org) as soon as possible after the embargo lifts.
xsa370/*.patch Xen unstable (docs only)
<no fix available> Xen (all versions)
$ sha256sum xsa370* xsa370*/*
BARE 32 BIT PV SECURITY SUPPORT STATUS
This advisory discloses only a (very serious) information disclosure
vulnerability exploitable by bare 32 bit PV guests, using speculative
We are considering further entirely withdrawing security support for
configurations with non-shim 32 bit PV guests. Any such decision,
including the precise scope of the (de)support, will be made following
public community discussion.
The result of that public process will be a patch to the security support
statement, backported (as applicable) to the relevant trees.
NOTE REGARDING EMBARGO
In principle, the fact that the new CPU facilities are not capable of
protecting ring 0 Xen from a ring 1 PV guest, might be gleaned from
the hardware vendor documentation.
Howver, in practice this docuemntation is so difficult to find and
interpret that the implications discussed in this advisory are not
recognised widely, if at all.
DEPLOYMENT DURING EMBARGO
Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).
Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable. This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)
For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----