app-emulation/xen: add patches for 4.12

Fix Xen security bugs
  CVE-2020-{11739,11740,11741,11742,11743}

Bug: https://bugs.gentoo.org/717446
Closes: https://github.com/gentoo/gentoo/pull/15343
Signed-off-by: Tomáš Mózes <hydrapolic@gmail.com>
Signed-off-by: Yixun Lan <dlan@gentoo.org>

diff --git a/app-emulation/xen/Manifest b/app-emulation/xen/Manifest
index 14e471c8015c419fe5c93dbf109ec71cee9ac028..6021a3253e2fb426282ff5f719ef5a9fb738604c 100644 (file)
--- a/app-emulation/xen/Manifest
+++ b/app-emulation/xen/Manifest
@@ -1,4 +1,5 @@
 DIST xen-4.12.2-upstream-patches-1.tar.xz 17016 BLAKE2B 5bd27f6187c13b1c4792aa81c0ca8cde0d687566e0fde322e7cb249e1c8665fca0def5a137493a04598b617c46f052cf69701257ea1b97823fd1534d94cabd8f SHA512 dab5e7a3ac1a82faff3069f07945dc0b9651f90e8e87b3c342bb98a06ac244d212dc0baf8c7f1997f285b06baca9dc57d4823bfb220ca34274bd3d6d31421b02
+DIST xen-4.12.2-upstream-patches-2.tar.xz 34484 BLAKE2B 79799a2fa9e638adf80ff1b5a1609b28747dad254da2e8ebd94afd75d5b7c061d25d507e7d388af17905347e180537dec8d0e27bd18cf6c53f51f7272d4adafe SHA512 abf9d82fe20fc9411384283876cf020a31e6c22ab2e54a7fae0d95ade02f434e4afb08d47c3ed5e4bc7ea5f518df7dc57baef2b8e76e3439bd937e2ee3c2b658
 DIST xen-4.12.2.tar.gz 26985135 BLAKE2B 530821011a6dd0ac0a99fb135ff5311eb8e975c3791818093b5e250eed7854d153de6d4340197f9b949c0ad2c3d7b2b7180deb42bc71748ff70ff6fad195269d SHA512 7d9e7921271830c9eadf1bb8eca1aec20d343ad7475b0dc3165ef6d681759e7cb70739f8d9f85622a23aef960988820e822267fb198b12ee3dd657ad6164069f
 DIST xen-4.13.0-upstream-patches-1.tar.xz 26000 BLAKE2B 0ab884f4b64f318c256d1959fde34da85e85a1d6974f00001125e29838f3f7d9b06ff767dff437635648eed1449976ff88250cbe141e9175d4430135e8923667 SHA512 f37514bf7ad92f8d8be798129c446fe9ec0d409e904f6b4971f07dd8b899dd20f40424a72106d7c50da83fed1f7097c575fbdeee06e18f9f4255bf6b2a71f08a
 DIST xen-4.13.0.tar.gz 39005191 BLAKE2B cd85bfe549e20447afb8ec6b2ab33ea1893f45392c08737730d7898706748ebb96b2e842b2ff3e4af8c5d8a705e6d25a2bfb8acf0d7cc771805d0cc97757a949 SHA512 5b2ded9a2fe3f7ddf40eed1fa9858baead06233a01eb6099cc45b3c78b6c3823acfe7b731910733e87125dfa49d08c53f74c215fb1b320a92b44b87a0a105225

diff --git a/app-emulation/xen/xen-4.12.2-r2.ebuild b/app-emulation/xen/xen-4.12.2-r2.ebuild
new file mode 100644 (file)
index 0000000..8c905ea
--- /dev/null
+++ b/app-emulation/xen/xen-4.12.2-r2.ebuild
@@ -0,0 +1,165 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+PYTHON_COMPAT=( python2_7 )
+
+inherit flag-o-matic mount-boot multilib python-any-r1 toolchain-funcs
+
+MY_PV=${PV/_/-}
+MY_P=${PN}-${MY_PV}
+
+if [[ $PV == *9999 ]]; then
+       inherit git-r3
+       EGIT_REPO_URI="git://xenbits.xen.org/xen.git"
+       SRC_URI=""
+else
+       KEYWORDS="~amd64 ~arm -x86"
+       UPSTREAM_VER=2
+       SECURITY_VER=
+       GENTOO_VER=
+
+       [[ -n ${UPSTREAM_VER} ]] && \
+               UPSTREAM_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${P}-upstream-patches-${UPSTREAM_VER}.tar.xz
+               https://github.com/hydrapolic/gentoo-dist/raw/master/xen/${P}-upstream-patches-${UPSTREAM_VER}.tar.xz"
+       [[ -n ${SECURITY_VER} ]] && \
+               SECURITY_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${PN}-security-patches-${SECURITY_VER}.tar.xz"
+       [[ -n ${GENTOO_VER} ]] && \
+               GENTOO_PATCHSET_URI="https://dev.gentoo.org/~dlan/distfiles/${PN}-gentoo-patches-${GENTOO_VER}.tar.xz"
+       SRC_URI="https://downloads.xenproject.org/release/xen/${MY_PV}/${MY_P}.tar.gz
+               ${UPSTREAM_PATCHSET_URI}
+               ${SECURITY_PATCHSET_URI}
+               ${GENTOO_PATCHSET_URI}"
+fi
+
+DESCRIPTION="The Xen virtual machine monitor"
+HOMEPAGE="https://www.xenproject.org"
+LICENSE="GPL-2"
+SLOT="0"
+IUSE="debug efi flask"
+
+DEPEND="${PYTHON_DEPS}
+       efi? ( >=sys-devel/binutils-2.22[multitarget] )
+       !efi? ( >=sys-devel/binutils-2.22 )"
+RDEPEND=""
+PDEPEND="~app-emulation/xen-tools-${PV}"
+
+# no tests are available for the hypervisor
+# prevent the silliness of /usr/lib/debug/usr/lib/debug files
+# prevent stripping of the debug info from the /usr/lib/debug/xen-syms
+RESTRICT="test splitdebug strip"
+
+# Approved by QA team in bug #144032
+QA_WX_LOAD="boot/xen-syms-${PV}"
+
+REQUIRED_USE="arm? ( debug )"
+
+S="${WORKDIR}/${MY_P}"
+
+pkg_setup() {
+       python-any-r1_pkg_setup
+       if [[ -z ${XEN_TARGET_ARCH} ]]; then
+               if use amd64; then
+                       export XEN_TARGET_ARCH="x86_64"
+               elif use arm; then
+                       export XEN_TARGET_ARCH="arm32"
+               elif use arm64; then
+                       export XEN_TARGET_ARCH="arm64"
+               else
+                       die "Unsupported architecture!"
+               fi
+       fi
+
+       if use flask ; then
+               export "XSM_ENABLE=y"
+               export "FLASK_ENABLE=y"
+       fi
+}
+
+src_prepare() {
+       # Upstream's patchset
+       [[ -n ${UPSTREAM_VER} ]] && eapply "${WORKDIR}"/patches-upstream
+
+       # Security patchset
+       if [[ -n ${SECURITY_VER} ]]; then
+       einfo "Try to apply Xen Security patch set"
+               # apply main xen patches
+               # Two parallel systems, both work side by side
+               # Over time they may concdense into one. This will suffice for now
+               source "${WORKDIR}"/patches-security/${PV}.conf
+
+               local i
+               for i in ${XEN_SECURITY_MAIN}; do
+                       eapply "${WORKDIR}"/patches-security/xen/$i
+               done
+       fi
+
+       # Gentoo's patchset
+       [[ -n ${GENTOO_VER} ]] && eapply "${WORKDIR}"/patches-gentoo
+
+       eapply "${FILESDIR}"/${PN}-4.11-efi.patch
+
+       # Drop .config
+       sed -e '/-include $(XEN_ROOT)\/.config/d' -i Config.mk || die "Couldn't drop"
+
+       if use efi; then
+               export EFI_VENDOR="gentoo"
+               export EFI_MOUNTPOINT="/boot"
+       fi
+
+       default
+}
+
+src_configure() {
+       use arm && myopt="${myopt} CONFIG_EARLY_PRINTK=sun7i"
+
+       use debug && myopt="${myopt} debug=y"
+
+       # remove flags
+       unset CFLAGS
+       unset LDFLAGS
+       unset ASFLAGS
+
+       tc-ld-disable-gold # Bug 700374
+}
+
+src_compile() {
+       # Send raw LDFLAGS so that --as-needed works
+       emake V=1 CC="$(tc-getCC)" LDFLAGS="$(raw-ldflags)" LD="$(tc-getLD)" -C xen ${myopt}
+}
+
+src_install() {
+       local myopt
+       use debug && myopt="${myopt} debug=y"
+
+       # The 'make install' doesn't 'mkdir -p' the subdirs
+       if use efi; then
+               mkdir -p "${D}"${EFI_MOUNTPOINT}/efi/${EFI_VENDOR} || die
+       fi
+
+       emake LDFLAGS="$(raw-ldflags)" DESTDIR="${D}" -C xen ${myopt} install
+
+       # make install likes to throw in some extra EFI bits if it built
+       use efi || rm -rf "${D}/usr/$(get_libdir)/efi"
+}
+
+pkg_postinst() {
+       elog "Official Xen Guide:"
+       elog " https://wiki.gentoo.org/wiki/Xen"
+
+       use efi && einfo "The efi executable is installed in /boot/efi/gentoo"
+
+       elog "You can optionally block the installation of /boot/xen-syms by an entry"
+       elog "in folder /etc/portage/env using the portage's feature INSTALL_MASK"
+       elog "e.g. echo ${msg} > /etc/portage/env/xen.conf"
+
+       ewarn
+       ewarn "Xen 4.12+ changed the default scheduler to credit2 which can cause"
+       ewarn "domU lockups on multi-cpu systems. The legacy credit scheduler seems"
+       ewarn "to work fine."
+       ewarn
+       ewarn "Add sched=credit to xen command line options to use the legacy scheduler."
+       ewarn
+       ewarn "https://wiki.gentoo.org/wiki/Xen#Xen_domU_hanging_with_Xen_4.12.2B"
+}