pyrox.dev / nixpkgs
lol
fork atom

xen: delete patching infrastructure, 4.19.0 -> 4.19.0-unstable-2024-11-12 (#355535)

Emily 086e523c 56fea726

options
unified split
Changed files
+18 -289
pkgs
build-support
xen
default.nix
patches.nix
by-name
ip
ipxe
package.nix
xe
xen
package.nix
+9 -115
pkgs/build-support/xen/default.nix 
···

       
7

       
7

       
 

       
  testers,


     

       
8

       
8

       
 

       
  which,


     

       
9

       
9

       
 

       
  fetchgit,


     

       
10

       

       
-

       
  fetchpatch,


     

       
11

       
10

       
 

       



     

       
12

       
11

       
 

       
  # Xen


     

       
13

       
12

       
 

       
  acpica-tools,


     
···

       
65

       
64

       
 

       
  withSeaBIOS ? true,


     

       
66

       
65

       
 

       
  withOVMF ? true,


     

       
67

       
66

       
 

       
  withIPXE ? true,


     

       
68

       

       
-

       
  useDefaultPatchList ? true,


     

       
69

       
67

       
 

       
  rev,


     

       
70

       
68

       
 

       
  hash,


     

       
71

       
69

       
 

       
  patches ? [ ],


     
···

       
73

       
71

       
 

       
}:


     

       
74

       
72

       
 

       



     

       
75

       
73

       
 

       
let


     

       
76

       

       
-

       
  # Inherit helper functions from lib and builtins.


     

       
77

       

       
-

       
  inherit (builtins) elemAt isAttrs;


     

       

       
74

       
+

       
  inherit (lib.meta) getExe';


     

       

       
75

       
+

       
  inherit (lib.lists) optional optionals;


     

       

       
76

       
+

       
  inherit (lib.systems.inspect.patterns) isLinux isAarch64;


     

       

       
77

       
+

       
  inherit (lib) teams;


     

       
78

       
78

       
 

       
  inherit (lib.strings)


     

       
79

       

       
-

       
    concatLines


     

       
80

       
79

       
 

       
    enableFeature


     

       
81

       
80

       
 

       
    makeSearchPathOutput


     

       
82

       
81

       
 

       
    optionalString


     

       
83

       

       
-

       
    removeSuffix


     

       
84

       
82

       
 

       
    versionOlder


     

       
85

       
83

       
 

       
    ;


     

       
86

       

       
-

       
  inherit (lib.platforms) linux aarch64;


     

       
87

       

       
-

       
  inherit (lib) teams;


     

       
88

       
84

       
 

       
  inherit (lib.licenses)


     

       
89

       
85

       
 

       
    cc-by-40


     

       
90

       
86

       
 

       
    gpl2Only


     

       
91

       
87

       
 

       
    lgpl21Only


     

       
92

       
88

       
 

       
    mit


     

       
93

       
89

       
 

       
    ;


     

       
94

       

       
-

       
  inherit (lib.meta) getExe';


     

       
95

       

       
-

       
  inherit (lib.lists)


     

       
96

       

       
-

       
    count


     

       
97

       

       
-

       
    flatten


     

       
98

       

       
-

       
    optional


     

       
99

       

       
-

       
    optionals


     

       
100

       

       
-

       
    range


     

       
101

       

       
-

       
    remove


     

       
102

       

       
-

       
    zipListsWith


     

       
103

       

       
-

       
    ;


     

       
104

       

       
-

       
  inherit (lib.attrsets) attrByPath;


     

       
105

       
90

       
 

       



     

       
106

       
91

       
 

       
  # Mark versions older than minSupportedVersion as EOL.


     

       
107

       
92

       
 

       
  minSupportedVersion = "4.16";


     

       
108

       
93

       
 

       



     

       
109

       

       
-

       
  ## Generic Patch Handling ##


     

       
110

       

       
-

       



     

       
111

       

       
-

       
  upstreamPatches = import ./patches.nix {


     

       
112

       

       
-

       
    inherit lib fetchpatch;


     

       
113

       

       
-

       
  };


     

       
114

       

       
-

       



     

       
115

       

       
-

       
  upstreamPatchList = flatten (


     

       
116

       

       
-

       
    with upstreamPatches;


     

       
117

       

       
-

       
    [


     

       
118

       

       
-

       
      QUBES_REPRODUCIBLE_BUILDS


     

       
119

       

       
-

       
      XSA_460


     

       
120

       

       
-

       
      XSA_461


     

       
121

       

       
-

       
      XSA_462


     

       
122

       

       
-

       
      XSA_464


     

       
123

       

       
-

       
    ]


     

       
124

       

       
-

       
  );


     

       
125

       

       
-

       



     

       
126

       

       
-

       
  ## XSA Patches Description Builder ##


     

       
127

       

       
-

       



     

       
128

       

       
-

       
  # Simple counter for the number of attrsets (patches) in the patches list after normalisation.


     

       
129

       

       
-

       
  numberOfPatches = count (patch: isAttrs patch) upstreamPatchList;


     

       
130

       

       
-

       



     

       
131

       

       
-

       
  # builtins.elemAt's index begins at 0, so we subtract 1 from the number of patches in order to


     

       
132

       

       
-

       
  # produce the range that will be used in the following builtin.map calls.


     

       
133

       

       
-

       
  availablePatchesToTry = range 0 (numberOfPatches - 1);


     

       
134

       

       
-

       



     

       
135

       

       
-

       
  # Takes in an attrByPath input, and outputs the attribute value for each patch in a list.


     

       
136

       

       
-

       
  # If a patch does not have a given attribute, returns `null`. Use lib.lists.remove null


     

       
137

       

       
-

       
  # to remove these junk values, if necessary.


     

       
138

       

       
-

       
  retrievePatchAttributes =


     

       
139

       

       
-

       
    attributeName:


     

       
140

       

       
-

       
    map (x: attrByPath attributeName null (elemAt upstreamPatchList x)) availablePatchesToTry;


     

       
141

       

       
-

       



     

       
142

       

       
-

       
  # Produces a list of newline-separated strings that lists the vulnerabilities this


     

       
143

       

       
-

       
  # Xen is NOT affected by, due to the applied Xen Security Advisory patches. This is


     

       
144

       

       
-

       
  # then used in meta.longDescription, to let users know their Xen is patched against


     

       
145

       

       
-

       
  # known vulnerabilities, as the package version isn't always the best indicator.


     

       
146

       

       
-

       
  #


     

       
147

       

       
-

       
  # Produces something like this: (one string for each XSA)


     

       
148

       

       
-

       
  #  * [Xen Security Advisory #1](https://xenbits.xenproject.org/xsa/advisory-1.html): **Title for XSA.**


     

       
149

       

       
-

       
  #  >Description of issue in XSA


     

       
150

       

       
-

       
  #Extra lines


     

       
151

       

       
-

       
  #are not indented,


     

       
152

       

       
-

       
  #but markdown should be


     

       
153

       

       
-

       
  #fine with it.


     

       
154

       

       
-

       
  #  Fixes:


     

       
155

       

       
-

       
  #  * [CVE-1999-00001](https://www.cve.org/CVERecord?id=CVE-1999-00001)


     

       
156

       

       
-

       
  #  * [CVE-1999-00002](https://www.cve.org/CVERecord?id=CVE-1999-00002)


     

       
157

       

       
-

       
  #  * [CVE-1999-00003](https://www.cve.org/CVERecord?id=CVE-1999-00003)


     

       
158

       

       
-

       
  writeAdvisoryDescription =


     

       
159

       

       
-

       
    if (remove null (retrievePatchAttributes [ "xsa" ]) != [ ]) then


     

       
160

       

       
-

       
      zipListsWith (a: b: a + b)


     

       
161

       

       
-

       
        (zipListsWith (a: b: a + "**" + b + ".**\n  >")


     

       
162

       

       
-

       
          (zipListsWith (a: b: "* [Xen Security Advisory #" + a + "](" + b + "): ")


     

       
163

       

       
-

       
            (remove null (retrievePatchAttributes [ "xsa" ]))


     

       
164

       

       
-

       
            (


     

       
165

       

       
-

       
              remove null (retrievePatchAttributes [


     

       
166

       

       
-

       
                "meta"


     

       
167

       

       
-

       
                "homepage"


     

       
168

       

       
-

       
              ])


     

       
169

       

       
-

       
            )


     

       
170

       

       
-

       
          )


     

       
171

       

       
-

       
          (


     

       
172

       

       
-

       
            remove null (retrievePatchAttributes [


     

       
173

       

       
-

       
              "meta"


     

       
174

       

       
-

       
              "description"


     

       
175

       

       
-

       
            ])


     

       
176

       

       
-

       
          )


     

       
177

       

       
-

       
        )


     

       
178

       

       
-

       
        (


     

       
179

       

       
-

       
          remove null (retrievePatchAttributes [


     

       
180

       

       
-

       
            "meta"


     

       
181

       

       
-

       
            "longDescription"


     

       
182

       

       
-

       
          ])


     

       
183

       

       
-

       
        )


     

       
184

       

       
-

       
    else


     

       
185

       

       
-

       
      [ ];


     

       
186

       

       
-

       



     

       
187

       
94

       
 

       
  #TODO: fix paths instead.


     

       
188

       
95

       
 

       
  scriptEnvPath = makeSearchPathOutput "out" "bin" [


     

       
189

       
96

       
 

       
    bridge-utils


     
···

       
205

       
112

       
 

       
in


     

       
206

       
113

       
 

       



     

       
207

       
114

       
 

       
stdenv.mkDerivation (finalAttrs: {


     

       
208

       

       
-

       
  inherit pname version;


     

       

       
115

       
+

       
  inherit pname version patches;


     

       
209

       
116

       
 

       



     

       
210

       

       
-

       
  # TODO: Split $out in $bin for binaries and $lib for libraries.


     

       
211

       

       
-

       
  # TODO: Python package to be in separate output/package.


     

       
212

       
117

       
 

       
  outputs = [


     

       
213

       
118

       
 

       
    "out"


     

       
214

       
119

       
 

       
    "man"


     
···

       
217

       
122

       
 

       
    "boot"


     

       
218

       
123

       
 

       
  ];


     

       
219

       
124

       
 

       



     

       
220

       

       
-

       
  # Main Xen source.


     

       
221

       
125

       
 

       
  src = fetchgit {


     

       
222

       
126

       
 

       
    url = "https://xenbits.xenproject.org/git-http/xen.git";


     

       
223

       
127

       
 

       
    inherit rev hash;


     

       
224

       
128

       
 

       
  };


     

       
225

       

       
-

       



     

       
226

       

       
-

       
  patches = optionals useDefaultPatchList upstreamPatchList ++ patches;


     

       
227

       
129

       
 

       



     

       
228

       
130

       
 

       
  nativeBuildInputs = [


     

       
229

       
131

       
 

       
    autoPatchelfHook


     
···

       
265

       
167

       
 

       
    "--with-system-qemu"


     

       
266

       
168

       
 

       
    (if withSeaBIOS then "--with-system-seabios=${systemSeaBIOS.firmware}" else "--disable-seabios")


     

       
267

       
169

       
 

       
    (if withOVMF then "--with-system-ovmf=${OVMF.firmware}" else "--disable-ovmf")


     

       
268

       

       
-

       
    (if withIPXE then "--with-system-ipxe=${ipxe}" else "--disable-ipxe")


     

       

       
170

       
+

       
    (if withIPXE then "--with-system-ipxe=${ipxe.firmware}" else "--disable-ipxe")


     

       
269

       
171

       
 

       
    (enableFeature withFlask "xsmpolicy")


     

       
270

       
172

       
 

       
  ];


     

       
271

       
173

       
 

       



     
···

       
436

       
338

       
 

       
      + optionalString withFlask "\n* `xsm-flask`: The [FLASK Xen Security Module](https://wiki.xenproject.org/wiki/Xen_Security_Modules_:_XSM-FLASK). The `xenpolicy-${version}` file is available on the `boot` output of this package."


     

       
437

       
339

       
 

       
      + optionalString withSeaBIOS "\n* `seabios`: Support for the SeaBIOS boot firmware on HVM domains."


     

       
438

       
340

       
 

       
      + optionalString withOVMF "\n* `ovmf`: Support for the OVMF UEFI boot firmware on HVM domains."


     

       
439

       

       
-

       
      + optionalString withIPXE "\n* `ipxe`: Support for the iPXE boot firmware on HVM domains."


     

       
440

       

       
-

       
      # Finally, we write a notice explaining which vulnerabilities this Xen is NOT vulnerable to.


     

       
441

       

       
-

       
      # This will hopefully give users the peace of mind that their Xen is secure, without needing


     

       
442

       

       
-

       
      # to search the source code for the XSA patches.


     

       
443

       

       
-

       
      + optionalString (writeAdvisoryDescription != [ ]) (


     

       
444

       

       
-

       
        "\n\nThis Xen Project Hypervisor (${version}) has been patched against the following known security vulnerabilities:\n"


     

       
445

       

       
-

       
        + removeSuffix "\n" (concatLines writeAdvisoryDescription)


     

       
446

       

       
-

       
      );


     

       

       
341

       
+

       
      + optionalString withIPXE "\n* `ipxe`: Support for the iPXE boot firmware on HVM domains.";


     

       
447

       
342

       
 

       



     

       
448

       
343

       
 

       
    homepage = "https://xenproject.org/";


     

       
449

       
344

       
 

       
    downloadPage = "https://downloads.xenproject.org/release/xen/${version}/";


     
···

       
465

       
360

       
 

       



     

       
466

       
361

       
 

       
    mainProgram = "xl";


     

       
467

       
362

       
 

       



     

       
468

       

       
-

       
    #TODO: Migrate meta.platforms to the new lib.systems.inspect.patterns.* format.


     

       
469

       

       
-

       
    platforms = linux;


     

       
470

       

       
-

       
    badPlatforms = aarch64;


     

       

       
363

       
+

       
    platforms = [ isLinux ];


     

       

       
364

       
+

       
    badPlatforms = [ isAarch64 ];


     

       
471

       
365

       
 

       
  } // meta;


     

       
472

       
366

       
 

       
})
-169
pkgs/build-support/xen/patches.nix 
···

       
1

       

       
-

       
# Patching Xen? Check the XSAs at https://xenbits.xen.org/xsa/


     

       
2

       

       
-

       
# and try applying all the ones we haven't gotten around to


     

       
3

       

       
-

       
# yet, if any are necessary. Patches from other downstreams


     

       
4

       

       
-

       
# are also welcome if they fix important issues with vanilla Xen.


     

       
5

       

       
-

       



     

       
6

       

       
-

       
{ lib, fetchpatch }:


     

       
7

       

       
-

       



     

       
8

       

       
-

       
let


     

       
9

       

       
-

       
  inherit (builtins) concatStringsSep;


     

       
10

       

       
-

       
  inherit (lib.strings) optionalString concatMapStrings;


     

       
11

       

       
-

       



     

       
12

       

       
-

       
  xsaPatch =


     

       
13

       

       
-

       
    {


     

       
14

       

       
-

       
      id,


     

       
15

       

       
-

       
      title,


     

       
16

       

       
-

       
      description,


     

       
17

       

       
-

       
      type ? "xsa",


     

       
18

       

       
-

       
      hash ? "",


     

       
19

       

       
-

       
      cve ? null,


     

       
20

       

       
-

       
    }:


     

       
21

       

       
-

       
    (fetchpatch {


     

       
22

       

       
-

       
      name = "XSA-" + id + optionalString (cve != null) ("-" + concatStringsSep "+" cve);


     

       
23

       

       
-

       
      url = "https://xenbits.xen.org/xsa/xsa${id}.patch";


     

       
24

       

       
-

       
      inherit hash;


     

       
25

       

       
-

       
      passthru = {


     

       
26

       

       
-

       
        xsa = id;


     

       
27

       

       
-

       
        inherit type;


     

       
28

       

       
-

       
      };


     

       
29

       

       
-

       
      meta = {


     

       
30

       

       
-

       
        description = title;


     

       
31

       

       
-

       
        longDescription =


     

       
32

       

       
-

       
          description


     

       
33

       

       
-

       
          + "\n"


     

       
34

       

       
-

       
          + (


     

       
35

       

       
-

       
            if (cve == null) then


     

       
36

       

       
-

       
              # Why the two spaces preceding these CVE messages?


     

       
37

       

       
-

       
              # This is parsed by writeAdvisoryDescription in generic.nix,


     

       
38

       

       
-

       
              # and doing this was easier than messing with lib.strings even more.


     

       
39

       

       
-

       
              "  _No CVE was assigned to this XSA._"


     

       
40

       

       
-

       
            else


     

       
41

       

       
-

       
              "  Fixes:${


     

       
42

       

       
-

       
                  concatMapStrings (x: "\n  * [" + x + "](https://www.cve.org/CVERecord?id=" + x + ")") cve


     

       
43

       

       
-

       
                }"


     

       
44

       

       
-

       
          );


     

       
45

       

       
-

       
        homepage = "https://xenbits.xenproject.org/xsa/advisory-${id}.html";


     

       
46

       

       
-

       
      };


     

       
47

       

       
-

       
    });


     

       
48

       

       
-

       
  qubesPatch =


     

       
49

       

       
-

       
    {


     

       
50

       

       
-

       
      name,


     

       
51

       

       
-

       
      tag,


     

       
52

       

       
-

       
      type ? "qubes",


     

       
53

       

       
-

       
      hash ? "",


     

       
54

       

       
-

       
    }:


     

       
55

       

       
-

       
    (fetchpatch {


     

       
56

       

       
-

       
      inherit name;


     

       
57

       

       
-

       
      url = "https://raw.githubusercontent.com/QubesOS/qubes-vmm-xen/v${tag}/${name}.patch";


     

       
58

       

       
-

       
      inherit hash;


     

       
59

       

       
-

       
      passthru.type = type;


     

       
60

       

       
-

       
    });


     

       
61

       

       
-

       
in


     

       
62

       

       
-

       
{


     

       
63

       

       
-

       
  # Example patches:


     

       
64

       

       
-

       
  #


     

       
65

       

       
-

       
  # "XSA_100" = xsaPatch {


     

       
66

       

       
-

       
  #   id = "100";


     

       
67

       

       
-

       
  #   title = "Verbatim Title of XSA";


     

       
68

       

       
-

       
  #   description = ''


     

       
69

       

       
-

       
  #     Verbatim description of XSA.


     

       
70

       

       
-

       
  #   '';


     

       
71

       

       
-

       
  #   cve = [ "CVE-1999-0001" "CVE-1999-0002" ]; # Not all XSAs have CVEs. This attribute is optional.


     

       
72

       

       
-

       
  #   hash = "sha256-0000000000000000000000000000000000000000000000000000";


     

       
73

       

       
-

       
  # };


     

       
74

       

       
-

       
  #


     

       
75

       

       
-

       
  # "QUBES_libxl-fix-all-issues" = qubesPatch {


     

       
76

       

       
-

       
  #   name = "1000-libxl-fix-all-issues";


     

       
77

       

       
-

       
  #   tag = "4.20.0-1";


     

       
78

       

       
-

       
  #   hash = "sha256-0000000000000000000000000000000000000000000000000000";


     

       
79

       

       
-

       
  # };


     

       
80

       

       
-

       



     

       
81

       

       
-

       
  # Build reproducibility patches for Xen.


     

       
82

       

       
-

       
  # Qubes OS has not updated them to later versions of Xen yet,


     

       
83

       

       
-

       
  # but they appear to work on Xen 4.17.4 - 4.19.0.


     

       
84

       

       
-

       
  QUBES_REPRODUCIBLE_BUILDS = [


     

       
85

       

       
-

       
    (qubesPatch {


     

       
86

       

       
-

       
      name = "1100-Define-build-dates-time-based-on-SOURCE_DATE_EPOCH";


     

       
87

       

       
-

       
      tag = "4.17.4-5";


     

       
88

       

       
-

       
      hash = "sha256-OwKA9oPTwhRcSmiOb+PxzifbO/IG8IHWlvddFh/nP6s=";


     

       
89

       

       
-

       
    })


     

       
90

       

       
-

       
    (qubesPatch {


     

       
91

       

       
-

       
      name = "1101-docs-rename-DATE-to-PANDOC_REL_DATE-and-allow-to-spe";


     

       
92

       

       
-

       
      tag = "4.17.4-5";


     

       
93

       

       
-

       
      hash = "sha256-BUtYt0mM3bURVaGv4oDznzxx1Wo4sfOpGV5GB8qc5Ns=";


     

       
94

       

       
-

       
    })


     

       
95

       

       
-

       
    (qubesPatch {


     

       
96

       

       
-

       
      name = "1102-docs-xen-headers-use-alphabetical-sorting-for-incont";


     

       
97

       

       
-

       
      tag = "4.17.4-5";


     

       
98

       

       
-

       
      hash = "sha256-mQUp2w9lUb7KDq5MuPQjs6y7iuMDeXoZjDjlXfa5z44=";


     

       
99

       

       
-

       
    })


     

       
100

       

       
-

       
  ];


     

       
101

       

       
-

       



     

       
102

       

       
-

       
  # Xen Security Advisory #460: (4.16.6 - 4.19.0)


     

       
103

       

       
-

       
  "XSA_460" = xsaPatch {


     

       
104

       

       
-

       
    id = "460";


     

       
105

       

       
-

       
    title = "Error handling in x86 IOMMU identity mapping";


     

       
106

       

       
-

       
    description = ''


     

       
107

       

       
-

       
      Certain PCI devices in a system might be assigned Reserved Memory


     

       
108

       

       
-

       
      Regions (specified via Reserved Memory Region Reporting, "RMRR") for


     

       
109

       

       
-

       
      Intel VT-d or Unity Mapping ranges for AMD-Vi.  These are typically used


     

       
110

       

       
-

       
      for platform tasks such as legacy USB emulation.


     

       
111

       

       
-

       
      Since the precise purpose of these regions is unknown, once a device


     

       
112

       

       
-

       
      associated with such a region is active, the mappings of these regions


     

       
113

       

       
-

       
      need to remain continuouly accessible by the device.  In the logic


     

       
114

       

       
-

       
      establishing these mappings, error handling was flawed, resulting in


     

       
115

       

       
-

       
      such mappings to potentially remain in place when they should have been


     

       
116

       

       
-

       
      removed again.  Respective guests would then gain access to memory


     

       
117

       

       
-

       
      regions which they aren't supposed to have access to.


     

       
118

       

       
-

       
    '';


     

       
119

       

       
-

       
    cve = [ "CVE-2024-31145" ];


     

       
120

       

       
-

       
    hash = "sha256-3q4nAP2xGEptX6BIpSlALOt2r0kjj1up5pF3xCFp+l0=";


     

       
121

       

       
-

       
  };


     

       
122

       

       
-

       
  # Xen Security Advisory #461: (4.16.6 - 4.19.0)


     

       
123

       

       
-

       
  "XSA_461" = xsaPatch {


     

       
124

       

       
-

       
    id = "461";


     

       
125

       

       
-

       
    title = "PCI device pass-through with shared resources";


     

       
126

       

       
-

       
    description = ''


     

       
127

       

       
-

       
      When multiple devices share resources and one of them is to be passed


     

       
128

       

       
-

       
      through to a guest, security of the entire system and of respective


     

       
129

       

       
-

       
      guests individually cannot really be guaranteed without knowing


     

       
130

       

       
-

       
      internals of any of the involved guests.  Therefore such a configuration


     

       
131

       

       
-

       
      cannot really be security-supported, yet making that explicit was so far


     

       
132

       

       
-

       
      missing.


     

       
133

       

       
-

       
    '';


     

       
134

       

       
-

       
    cve = [ "CVE-2024-31146" ];


     

       
135

       

       
-

       
    hash = "sha256-JQWoqf47hy9WXNkVC/LgmjUhkxN0SBF6w8PF4aFZxhM=";


     

       
136

       

       
-

       
  };


     

       
137

       

       
-

       
  # Xen Security Advisory #462: (4.16.6 - 4.19.0)


     

       
138

       

       
-

       
  "XSA_462" = xsaPatch {


     

       
139

       

       
-

       
    id = "462";


     

       
140

       

       
-

       
    title = "x86: Deadlock in vlapic_error()";


     

       
141

       

       
-

       
    description = ''


     

       
142

       

       
-

       
      In x86's APIC (Advanced Programmable Interrupt Controller) architecture,


     

       
143

       

       
-

       
      error conditions are reported in a status register.  Furthermore, the OS


     

       
144

       

       
-

       
      can opt to receive an interrupt when a new error occurs.


     

       
145

       

       
-

       
      It is possible to configure the error interrupt with an illegal vector,


     

       
146

       

       
-

       
      which generates an error when an error interrupt is raised.


     

       
147

       

       
-

       
      This case causes Xen to recurse through vlapic_error().  The recursion


     

       
148

       

       
-

       
      itself is bounded; errors accumulate in the the status register and only


     

       
149

       

       
-

       
      generate an interrupt when a new status bit becomes set.


     

       
150

       

       
-

       
      However, the lock protecting this state in Xen will try to be taken


     

       
151

       

       
-

       
      recursively, and deadlock.


     

       
152

       

       
-

       
    '';


     

       
153

       

       
-

       
    cve = [ "CVE-2024-45817" ];


     

       
154

       

       
-

       
    hash = "sha256-01lzjaT2f69UfEdTUCkm92DDOmd+Mo8sNPZsHJfgJEM=";


     

       
155

       

       
-

       
  };


     

       
156

       

       
-

       
  "XSA_464" = xsaPatch {


     

       
157

       

       
-

       
    id = "464";


     

       
158

       

       
-

       
    title = "libxl leaks data to PVH guests via ACPI tables";


     

       
159

       

       
-

       
    description = ''


     

       
160

       

       
-

       
      PVH guests have their ACPI tables constructed by the toolstack.  The


     

       
161

       

       
-

       
      construction involves building the tables in local memory, which are


     

       
162

       

       
-

       
      then copied into guest memory.  While actually used parts of the local


     

       
163

       

       
-

       
      memory are filled in correctly, excess space that is being allocated is


     

       
164

       

       
-

       
      left with its prior contents.


     

       
165

       

       
-

       
    '';


     

       
166

       

       
-

       
    cve = [ "CVE-2024-45819" ];


     

       
167

       

       
-

       
    hash = "sha256-oQa4NuX4Y1hhfnqHV6kvsJZiQ/NAz/WwO0Kidbcyayc=";


     

       
168

       

       
-

       
  };


     

       
169

       

       
-

       
}
+6 -2
pkgs/by-name/ip/ipxe/package.nix 
···

       
14

       
14

       
 

       
  embedScript ? null,


     

       
15

       
15

       
 

       
  additionalTargets ? { },


     

       
16

       
16

       
 

       
  additionalOptions ? [ ],


     

       

       
17

       
+

       
  firmwareBinary ? "ipxe.efirom",


     

       
17

       
18

       
 

       
}:


     

       
18

       
19

       
 

       



     

       
19

       
20

       
 

       
let


     
···

       
130

       
131

       
 

       



     

       
131

       
132

       
 

       
  enableParallelBuilding = true;


     

       
132

       
133

       
 

       



     

       
133

       

       
-

       
  passthru.updateScript = unstableGitUpdater {


     

       
134

       

       
-

       
    tagPrefix = "v";


     

       

       
134

       
+

       
  passthru = {


     

       

       
135

       
+

       
    firmware = "${finalAttrs.finalPackage}/${firmwareBinary}";


     

       

       
136

       
+

       
    updateScript = unstableGitUpdater {


     

       

       
137

       
+

       
      tagPrefix = "v";


     

       

       
138

       
+

       
    };


     

       
135

       
139

       
 

       
  };


     

       
136

       
140

       
 

       



     

       
137

       
141

       
 

       
  meta = {
+3 -3
pkgs/by-name/xe/xen/package.nix 
···

       
5

       
5

       
 

       



     

       
6

       
6

       
 

       
buildXenPackage.override { inherit python3Packages; } {


     

       
7

       
7

       
 

       
  pname = "xen";


     

       
8

       

       
-

       
  version = "4.19.0";


     

       
9

       

       
-

       
  rev = "026c9fa29716b0ff0f8b7c687908e71ba29cf239";


     

       
10

       

       
-

       
  hash = "sha256-Q6x+2fZ4ITBz6sKICI0NHGx773Rc919cl+wzI89UY+Q=";


     

       

       
8

       
+

       
  version = "4.19.0-unstable-2024-11-12";


     

       

       
9

       
+

       
  rev = "251a9496485a86f302980a3f8d3c656831b5a62f";


     

       

       
10

       
+

       
  hash = "sha256-kHuB6kagH3AU+Wsx4oD7HnNsZpxCu7x3v/m4/1xi6lY=";


     

       
11

       
11

       
 

       
}