diff --git a/531d8e34-x86-HVM-consolidate-passthrough-handling-in-epte_get_entry_emt.patch b/531d8e34-x86-HVM-consolidate-passthrough-handling-in-epte_get_entry_emt.patch
index 8552bb9..c86a6f4 100644
--- a/531d8e34-x86-HVM-consolidate-passthrough-handling-in-epte_get_entry_emt.patch
+++ b/531d8e34-x86-HVM-consolidate-passthrough-handling-in-epte_get_entry_emt.patch
@@ -19,9 +19,21 @@ Signed-off-by: Jan Beulich <jbeulich@suse.com>
 Reviewed-by: "Xu, Dongxiao" <dongxiao.xu@intel.com>
 Acked-by: Keir Fraser <keir@xen.org>
 
+# Commit 1f8b57779785bf9f55c16312bb1ec679929c314b
+# Date 2014-03-28 13:43:25 +0100
+# Author Jan Beulich <jbeulich@suse.com>
+# Committer Jan Beulich <jbeulich@suse.com>
+x86/EPT: relax treatment of APIC MFN
+
+There's no point in this being mapped UC by the guest due to using a
+respective PAT index - set the ignore-PAT flag to true.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+
 --- a/xen/arch/x86/hvm/mtrr.c
 +++ b/xen/arch/x86/hvm/mtrr.c
-@@ -698,14 +698,20 @@ uint8_t epte_get_entry_emt(struct domain
+@@ -698,14 +698,24 @@ uint8_t epte_get_entry_emt(struct domain
      if ( hvm_get_mem_pinned_cacheattr(d, gfn, &type) )
          return type;
  
@@ -39,8 +51,12 @@ Acked-by: Keir Fraser <keir@xen.org>
  
      if ( direct_mmio )
 -        return MTRR_TYPE_UNCACHABLE;
-+        return mfn_x(mfn) != d->arch.hvm_domain.vmx.apic_access_mfn
-+               ? MTRR_TYPE_UNCACHABLE : MTRR_TYPE_WRBACK;
++    {
++        if ( mfn_x(mfn) != d->arch.hvm_domain.vmx.apic_access_mfn )
++            return MTRR_TYPE_UNCACHABLE;
++        *ipat = 1;
++        return MTRR_TYPE_WRBACK;
++    }
  
      if ( iommu_snoop )
      {
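Review bot: The new `direct_mmio` branch returns `MTRR_TYPE_WRBACK` with `*ipat = 1` for the APIC access MFN, but no comment says why this one frame may ignore the guest's PAT; the rationale exists only in the commit message. A short comment such as `/* APIC access page: no point letting guest PAT make it UC - force WB, ignore PAT */` would keep that reasoning next to the code. If `apic_access_mfn` can stay zero for domains without an APIC access page (its initialisation is not visible here), the comparison would also match MFN 0, so that case deserves an explicit check or a note. epte_get_entry_emt() starts and ends outside the hunk.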
diff --git a/53206661-pygrub-support-linux16-and-initrd16.patch b/53206661-pygrub-support-linux16-and-initrd16.patch
new file mode 100644
index 0000000..bf4f89a
--- /dev/null
+++ b/53206661-pygrub-support-linux16-and-initrd16.patch
@@ -0,0 +1,165 @@
+Subject: xen/pygrub: grub2/grub.cfg from RHEL 7 has new commands in menuentry
+From: Joby Poriyath joby.poriyath@citrix.com Tue Feb 4 18:10:35 2014 +0000
+Date: Wed Mar 12 13:51:29 2014 +0000:
+Git: dd03048708af072374963d6d0721cc6d4c5f52cf
+
+menuentry in grub2/grub.cfg uses linux16 and initrd16 commands
+instead of linux and initrd. Due to this RHEL 7 (beta) guest failed to
+boot after the installation.
+
+In addition to this, RHEL 7 menu entries have two different single-quote
+delimited strings on the same line, and the greedy grouping for menuentry
+parsing gets both strings, and the options inbetween.
+
+Signed-off-by: Joby Poriyath <joby.poriyath@citrix.com>
+Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+Cc: george.dunlap@citrix.com
+
+diff --git a/tools/pygrub/examples/rhel-7-beta.grub2 b/tools/pygrub/examples/rhel-7-beta.grub2
+new file mode 100644
+index 0000000..88f0f99
+--- /dev/null
++++ b/tools/pygrub/examples/rhel-7-beta.grub2
+@@ -0,0 +1,118 @@
++#
++# DO NOT EDIT THIS FILE
++#
++# It is automatically generated by grub2-mkconfig using templates
++# from /etc/grub.d and settings from /etc/default/grub
++#
++
++### BEGIN /etc/grub.d/00_header ###
++set pager=1
++
++if [ -s $prefix/grubenv ]; then
++  load_env
++fi
++if [ "${next_entry}" ] ; then
++   set default="${next_entry}"
++   set next_entry=
++   save_env next_entry
++   set boot_once=true
++else
++   set default="${saved_entry}"
++fi
++
++if [ x"${feature_menuentry_id}" = xy ]; then
++  menuentry_id_option="--id"
++else
++  menuentry_id_option=""
++fi
++
++export menuentry_id_option
++
++if [ "${prev_saved_entry}" ]; then
++  set saved_entry="${prev_saved_entry}"
++  save_env saved_entry
++  set prev_saved_entry=
++  save_env prev_saved_entry
++  set boot_once=true
++fi
++
++function savedefault {
++  if [ -z "${boot_once}" ]; then
++    saved_entry="${chosen}"
++    save_env saved_entry
++  fi
++}
++
++function load_video {
++  if [ x$feature_all_video_module = xy ]; then
++    insmod all_video
++  else
++    insmod efi_gop
++    insmod efi_uga
++    insmod ieee1275_fb
++    insmod vbe
++    insmod vga
++    insmod video_bochs
++    insmod video_cirrus
++  fi
++}
++
++terminal_output console
++set timeout=5
++### END /etc/grub.d/00_header ###
++
++### BEGIN /etc/grub.d/10_linux ###
++menuentry 'Red Hat Enterprise Linux Everything, with Linux 3.10.0-54.0.1.el7.x86_64' --class red --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-3.10.0-54.0.1.el7.x86_64-advanced-d23b8b49-4cfe-4900-8ef1-ec80bc633163' {
++	load_video
++	set gfxpayload=keep
++	insmod gzio
++	insmod part_msdos
++	insmod xfs
++	set root='hd0,msdos1'
++	if [ x$feature_platform_search_hint = xy ]; then
++	  search --no-floppy --fs-uuid --set=root --hint='hd0,msdos1'  89ffef78-82b3-457c-bc57-42cccc373851
++	else
++	  search --no-floppy --fs-uuid --set=root 89ffef78-82b3-457c-bc57-42cccc373851
++	fi
++	linux16 /vmlinuz-3.10.0-54.0.1.el7.x86_64 root=/dev/mapper/rhel-root ro rd.lvm.lv=rhel/swap vconsole.keymap=uk crashkernel=auto rd.lvm.lv=rhel/root vconsole.font=latarcyrheb-sun16 LANG=en_GB.UTF-8
++	initrd16 /initramfs-3.10.0-54.0.1.el7.x86_64.img
++}
++menuentry 'Red Hat Enterprise Linux Everything, with Linux 0-rescue-af34f0b8cf364cdbbe6d093f8228a37f' --class red --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-0-rescue-af34f0b8cf364cdbbe6d093f8228a37f-advanced-d23b8b49-4cfe-4900-8ef1-ec80bc633163' {
++	load_video
++	insmod gzio
++	insmod part_msdos
++	insmod xfs
++	set root='hd0,msdos1'
++	if [ x$feature_platform_search_hint = xy ]; then
++	  search --no-floppy --fs-uuid --set=root --hint='hd0,msdos1'  89ffef78-82b3-457c-bc57-42cccc373851
++	else
++	  search --no-floppy --fs-uuid --set=root 89ffef78-82b3-457c-bc57-42cccc373851
++	fi
++	linux16 /vmlinuz-0-rescue-af34f0b8cf364cdbbe6d093f8228a37f root=/dev/mapper/rhel-root ro rd.lvm.lv=rhel/swap vconsole.keymap=uk crashkernel=auto rd.lvm.lv=rhel/root vconsole.font=latarcyrheb-sun16
++	initrd16 /initramfs-0-rescue-af34f0b8cf364cdbbe6d093f8228a37f.img
++}
++
++### END /etc/grub.d/10_linux ###
++
++### BEGIN /etc/grub.d/20_linux_xen ###
++### END /etc/grub.d/20_linux_xen ###
++
++### BEGIN /etc/grub.d/20_ppc_terminfo ###
++### END /etc/grub.d/20_ppc_terminfo ###
++
++### BEGIN /etc/grub.d/30_os-prober ###
++### END /etc/grub.d/30_os-prober ###
++
++### BEGIN /etc/grub.d/40_custom ###
++# This file provides an easy way to add custom menu entries.  Simply type the
++# menu entries you want to add after this comment.  Be careful not to change
++# the 'exec tail' line above.
++### END /etc/grub.d/40_custom ###
++
++### BEGIN /etc/grub.d/41_custom ###
++if [ -f  ${config_directory}/custom.cfg ]; then
++  source ${config_directory}/custom.cfg
++elif [ -z "${config_directory}" -a -f  $prefix/custom.cfg ]; then
++  source $prefix/custom.cfg;
++fi
++### END /etc/grub.d/41_custom ###
+diff --git a/tools/pygrub/src/GrubConf.py b/tools/pygrub/src/GrubConf.py
+index cb853c9..974cded 100644
+--- a/tools/pygrub/src/GrubConf.py
++++ b/tools/pygrub/src/GrubConf.py
+@@ -348,7 +348,9 @@ class Grub2Image(_GrubImage):
+                 
+     commands = {'set:root': 'root',
+                 'linux': 'kernel',
++                'linux16': 'kernel',
+                 'initrd': 'initrd',
++                'initrd16': 'initrd',
+                 'echo': None,
+                 'insmod': None,
+                 'search': None}
+@@ -394,7 +396,7 @@ class Grub2ConfigFile(_GrubConfigFile):
+                 continue
+ 
+             # new image
+-            title_match = re.match('^menuentry ["\'](.*)["\'] (.*){', l)
++            title_match = re.match('^menuentry ["\'](.*?)["\'] (.*){', l)
+             if title_match:
+                 if img is not None:
+                     raise RuntimeError, "syntax error: cannot nest menuentry (%d %s)" % (len(img),img)
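Review bot: The patched `re.match('^menuentry ["\'](.*?)["\'] (.*){', l)` accepts either quote character as the closer regardless of which one opened the title. With the non-greedy group the title now ends at the first quote followed by a space, so a title containing the other quote style (constructed example: `menuentry "Fedora 'rescue' mode" {`) is cut short. pygrub parses configuration taken from the guest's disk, so the parser should behave predictably on unusual input. Tying the closer to the opener with a backreference in a raw string, `r'^menuentry (["\'])(.*?)\1 (.*){'`, avoids the mismatch. That shifts the group numbers, and the code consuming `title_match` is outside the hunk, so the indices would need adjusting there.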
diff --git a/53299d8f-xenconsole-reset-tty-on-failure.patch b/53299d8f-xenconsole-reset-tty-on-failure.patch
new file mode 100644
index 0000000..be70997
--- /dev/null
+++ b/53299d8f-xenconsole-reset-tty-on-failure.patch
@@ -0,0 +1,54 @@
+Subject: tools/console: reset tty when xenconsole fails
+From: Ian Jackson ian.jackson@eu.citrix.com Mon Feb 24 15:16:19 2014 +0000
+Date: Wed Mar 19 13:37:19 2014 +0000:
+Git: 111931f36885874103d65685ab15ea3d25d93da7
+
+If xenconsole (the client program) fails, it calls err.  This would
+previously neglect to reset the user's terminal to sanity.  Use atexit
+to do so.
+
+This routinely happens in Xen 4.4 RC5 with pygrub because libxl
+writes the value "" to the tty xenstore key when using xenconsole.
+After this patch this just results in a harmless error message.
+
+Reported-by: M A Young <m.a.young@durham.ac.uk>
+Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
+CC: M A Young <m.a.young@durham.ac.uk>
+CC: Ian Campbell <Ian.Campbell@citrix.com>
+Acked-by: George Dunlap <george.dunlap@eu.citrix.com>
+Acked-by: Ian Campbell <ian.campbell@citrix.com>
+
+---
+v2: Fix whitespace error (reintroduce hard tab)
+    Fix commit message not to claim ignorance about root cause
+
+Index: xen-4.4.0-testing/tools/console/client/main.c
+===================================================================
+--- xen-4.4.0-testing.orig/tools/console/client/main.c
++++ xen-4.4.0-testing/tools/console/client/main.c
+@@ -258,6 +258,13 @@ typedef enum {
+        CONSOLE_SERIAL,
+ } console_type;
+ 
++static struct termios stdin_old_attr;
++
++static void restore_term_stdin(void)
++{
++	restore_term(STDIN_FILENO, &stdin_old_attr);
++}
++
+ int main(int argc, char **argv)
+ {
+ 	struct termios attr;
+@@ -384,9 +391,9 @@ int main(int argc, char **argv)
+ 	}
+ 
+ 	init_term(spty, &attr);
+-	init_term(STDIN_FILENO, &attr);
++	init_term(STDIN_FILENO, &stdin_old_attr);
++	atexit(restore_term_stdin); /* if this fails, oh dear */
+ 	console_loop(spty, xs, path);
+-	restore_term(STDIN_FILENO, &attr);
+ 
+ 	free(path);
+ 	free(dom_path);
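Review bot: With `restore_term(STDIN_FILENO, &attr)` removed after `console_loop()`, the `atexit` handler is the only path that restores the terminal, and its registration result is ignored (`/* if this fails, oh dear */`). Checking it keeps the failure visible, e.g. `if (atexit(restore_term_stdin)) warnx("cannot register terminal restore handler");`. Handlers registered with atexit also do not run when the process is terminated by an unhandled signal, so the terminal can still be left in the state set by `init_term()` in that case; whether signals are handled elsewhere in main.c is not visible here. main() continues outside the hunk.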
diff --git a/53299d8f-xenconsole-tolerate-tty-errors.patch b/53299d8f-xenconsole-tolerate-tty-errors.patch
new file mode 100644
index 0000000..0406c8c
--- /dev/null
+++ b/53299d8f-xenconsole-tolerate-tty-errors.patch
@@ -0,0 +1,49 @@
+Subject: tools/console: xenconsole tolerate tty errors
+From: Ian Jackson ian.jackson@eu.citrix.com Thu Feb 27 17:46:49 2014 +0000
+Date: Wed Mar 19 13:37:19 2014 +0000:
+Git: 39ba2989b10b6a1852e253b204eb010f8e7026f1
+
+Since 28d386fc4341 (XSA-57), libxl writes an empty value for the
+console tty node, with read-only permission for the guest, when
+setting up pv console "frontends".  (The actual tty value is later set
+by xenconsoled.)   Writing an empty node is not strictly necessary to
+stop the frontend from writing dangerous values here, but it is a good
+belt-and-braces approach.
+
+Unfortunately this confuses xenconsole.  It reads the empty value, and
+tries to open it as the tty.  xenconsole then exits.
+
+Fix this by having xenconsole treat an empty value the same way as no
+value at all.
+
+Also, make the error opening the tty be nonfatal: we just print a
+warning, but do not exit.  I think this is helpful in theoretical
+situations where xenconsole is racing with libxl and/or xenconsoled.
+
+Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
+Acked-by: Ian Campbell <Ian.Campbell@citrix.com>
+CC: George Dunlap <george.dunlap@eu.citrix.com>
+
+---
+v2: Combine two conditions and move the free
+
+Index: xen-4.4.0-testing/tools/console/client/main.c
+===================================================================
+--- xen-4.4.0-testing.orig/tools/console/client/main.c
++++ xen-4.4.0-testing/tools/console/client/main.c
+@@ -115,12 +115,12 @@ static int get_pty_fd(struct xs_handle *
+ 			/* We only watch for one thing, so no need to 
+ 			 * disambiguate: just read the pty path */
+ 			pty_path = xs_read(xs, XBT_NULL, path, &len);
+-			if (pty_path != NULL) {
++			if (pty_path != NULL && pty_path[0] != '\0') {
+ 				pty_fd = open(pty_path, O_RDWR | O_NOCTTY);
+ 				if (pty_fd == -1)
+-					err(errno, "Could not open tty `%s'", pty_path);
+-				free(pty_path);
++					warn("Could not open tty `%s'", pty_path);
+ 			}
++			free(pty_path);
+ 		}
+ 	} while (pty_fd == -1 && (now = time(NULL)) < start + seconds);
+ 
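Review bot: The value read from xenstore reaches `open(pty_path, O_RDWR | O_NOCTTY)` after only the new non-empty check, so a path that is not a terminal is still opened and handed back as the console fd. The commit message itself refers to dangerous values in this node, so a cheap defence in depth is to verify the result before leaving the loop, e.g. `if (pty_fd != -1 && !isatty(pty_fd)) { close(pty_fd); pty_fd = -1; }`. Now that an open failure is only a `warn()`, the loop may also print the same warning repeatedly until the timeout. How `pty_fd == -1` is handled after the loop is outside the hunk.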
diff --git a/532fff53-x86-fix-determination-of-bit-count-for-struct-domain-allocations.patch b/532fff53-x86-fix-determination-of-bit-count-for-struct-domain-allocations.patch
new file mode 100644
index 0000000..e21750e
--- /dev/null
+++ b/532fff53-x86-fix-determination-of-bit-count-for-struct-domain-allocations.patch
@@ -0,0 +1,57 @@
+# Commit b3d2f8b2cba9fce5bc8995612d0d13fcefec7769
+# Date 2014-03-24 10:48:03 +0100
+# Author Jan Beulich <jbeulich@suse.com>
+# Committer Jan Beulich <jbeulich@suse.com>
+x86: fix determination of bit count for struct domain allocations
+
+We can't just add in the hole shift value, as the hole may be at or
+above the 44-bit boundary. Instead we need to determine the total bit
+count until reaching 32 significant (not squashed out) bits in PFN
+representations.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Acked-by: Keir Fraser <keir@xen.org>
+
+--- a/xen/arch/x86/domain.c
++++ b/xen/arch/x86/domain.c
+@@ -180,6 +180,28 @@ void dump_pageframe_info(struct domain *
+     spin_unlock(&d->page_alloc_lock);
+ }
+ 
++/*
++ * The hole may be at or above the 44-bit boundary, so we need to determine
++ * the total bit count until reaching 32 significant (not squashed out) bits
++ * in PFN representations.
++ * Note that the way "bits" gets initialized/updated/bounds-checked guarantees
++ * that the function will never return zero, and hence will never be called
++ * more than once (which is important due to it being deliberately placed in
++ * .init.text).
++ */
++static unsigned int __init noinline _domain_struct_bits(void)
++{
++    unsigned int bits = 32 + PAGE_SHIFT;
++    unsigned int sig = hweight32(~pfn_hole_mask);
++    unsigned int mask = pfn_hole_mask >> 32;
++
++    for ( ; bits < BITS_PER_LONG && sig < 32; ++bits, mask >>= 1 )
++        if ( !(mask & 1) )
++            ++sig;
++
++    return bits;
++}
++
+ struct domain *alloc_domain_struct(void)
+ {
+     struct domain *d;
+@@ -187,7 +209,10 @@ struct domain *alloc_domain_struct(void)
+      * We pack the PDX of the domain structure into a 32-bit field within
+      * the page_info structure. Hence the MEMF_bits() restriction.
+      */
+-    unsigned int bits = 32 + PAGE_SHIFT + pfn_pdx_hole_shift;
++    static unsigned int __read_mostly bits;
++
++    if ( unlikely(!bits) )
++         bits = _domain_struct_bits();
+ 
+     BUILD_BUG_ON(sizeof(*d) > PAGE_SIZE);
+     d = alloc_xenheap_pages(0, MEMF_bits(bits));
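Review bot: `alloc_domain_struct()` now calls the `__init` function `_domain_struct_bits()` lazily through the `static ... bits` cache, and the comment's safety argument covers only "never called more than once". It does not say that the first call must happen before .init.text is discarded. I would extend the comment to state that assumption explicitly, so a later change in boot ordering cannot silently turn this into a call into freed text. The cache is also written without synchronisation, which looks benign because every caller would compute the same value, but that deserves a word in the comment too. alloc_domain_struct() continues outside the hunk.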
diff --git a/xsa89.patch b/5331917d-x86-enforce-preemption-in-HVM_set_mem_access-p2m_set_mem_access.patch
similarity index 92%
rename from xsa89.patch
rename to 5331917d-x86-enforce-preemption-in-HVM_set_mem_access-p2m_set_mem_access.patch
index 36d8b71..2d91aeb 100644
--- a/xsa89.patch
+++ b/5331917d-x86-enforce-preemption-in-HVM_set_mem_access-p2m_set_mem_access.patch
@@ -1,9 +1,15 @@
+References: bnc#867910 CVE-2014-2599 XSA-89
+
+# Commit 0fe53c4f279e1a8ef913e71ed000236d21ce96de
+# Date 2014-03-25 15:23:57 +0100
+# Author Jan Beulich <jbeulich@suse.com>
+# Committer Jan Beulich <jbeulich@suse.com>
 x86: enforce preemption in HVM_set_mem_access / p2m_set_mem_access()
 
 Processing up to 4G PFNs may take almost arbitrarily long, so
 preemption is needed here.
 
-This is XSA-89.
+This is CVE-2014-2599 / XSA-89.
 
 Signed-off-by: Jan Beulich <jbeulich@suse.com>
 Reviewed-by: Tim Deegan <tim@xen.org>
diff --git a/53356c1e-x86-HVM-correct-CPUID-leaf-80000008-handling.patch b/53356c1e-x86-HVM-correct-CPUID-leaf-80000008-handling.patch
new file mode 100644
index 0000000..5942d61
--- /dev/null
+++ b/53356c1e-x86-HVM-correct-CPUID-leaf-80000008-handling.patch
@@ -0,0 +1,141 @@
+# Commit ef437690af8b75e6758dce77af75a22b63982883
+# Date 2014-03-28 13:33:34 +0100
+# Author Jan Beulich <jbeulich@suse.com>
+# Committer Jan Beulich <jbeulich@suse.com>
+x86/HVM: correct CPUID leaf 80000008 handling
+
+CPUID[80000008].EAX[23:16] have been given the meaning of the guest
+physical address restriction (in case it needs to be smaller than the
+host's), hence we need to mirror that into vCPUID[80000008].EAX[7:0].
+
+Enforce a lower limit at the same time, as well as a fixed value for
+the virtual address bits, and zero for the guest physical address ones.
+
+In order for the vMTRR code to see these overrides we need to make it
+call hvm_cpuid() instead of domain_cpuid(), which in turn requires
+special casing (and relaxing) the controlling domain.
+
+This additionally should hide an ordering problem in the tools: Both
+xend and xl appear to be restoring a guest from its image before
+setting up the CPUID policy in the hypervisor, resulting in
+domain_cpuid() returning all zeros and hence the check in
+mtrr_var_range_msr_set() failing if the guest previously had more than
+the minimum 36 physical address bits.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+
+--- a/xen/arch/x86/hvm/hvm.c
++++ b/xen/arch/x86/hvm/hvm.c
+@@ -2885,6 +2885,8 @@ void hvm_cpuid(unsigned int input, unsig
+ 
+     switch ( input )
+     {
++        unsigned int sub_leaf, _eax, _ebx, _ecx, _edx;
++
+     case 0x1:
+         /* Fix up VLAPIC details. */
+         *ebx &= 0x00FFFFFFu;
+@@ -2918,8 +2920,6 @@ void hvm_cpuid(unsigned int input, unsig
+         *edx = v->vcpu_id * 2;
+         break;
+     case 0xd:
+-    {
+-        unsigned int sub_leaf, _eax, _ebx, _ecx, _edx;
+         /* EBX value of main leaf 0 depends on enabled xsave features */
+         if ( count == 0 && v->arch.xcr0 ) 
+         {
+@@ -2936,7 +2936,7 @@ void hvm_cpuid(unsigned int input, unsig
+             }
+         }
+         break;
+-    }
++
+     case 0x80000001:
+         /* We expose RDTSCP feature to guest only when
+            tsc_mode == TSC_MODE_DEFAULT and host_tsc_is_safe() returns 1 */
+@@ -2950,6 +2950,23 @@ void hvm_cpuid(unsigned int input, unsig
+         if ( !(hvm_pae_enabled(v) || hvm_long_mode_enabled(v)) )
+             *edx &= ~cpufeat_mask(X86_FEATURE_PSE36);
+         break;
++
++    case 0x80000008:
++        count = cpuid_eax(0x80000008);
++        count = (count >> 16) & 0xff ?: count & 0xff;
++        if ( (*eax & 0xff) > count )
++            *eax = (*eax & ~0xff) | count;
++
++        hvm_cpuid(1, NULL, NULL, NULL, &_edx);
++        count = _edx & (cpufeat_mask(X86_FEATURE_PAE) |
++                        cpufeat_mask(X86_FEATURE_PSE36)) ? 36 : 32;
++        if ( (*eax & 0xff) < count )
++            *eax = (*eax & ~0xff) | count;
++
++        hvm_cpuid(0x80000001, NULL, NULL, NULL, &_edx);
++        *eax = (*eax & ~0xffff00) | (_edx & cpufeat_mask(X86_FEATURE_LM)
++                                     ? 0x3000 : 0x2000);
++        break;
+     }
+ }
+ 
+--- a/xen/arch/x86/hvm/mtrr.c
++++ b/xen/arch/x86/hvm/mtrr.c
+@@ -145,7 +145,7 @@ bool_t is_var_mtrr_overlapped(struct mtr
+ 
+ static int hvm_mtrr_pat_init(void)
+ {
+-    unsigned int i, j, phys_addr;
++    unsigned int i, j;
+ 
+     memset(&mtrr_epat_tbl, INVALID_MEM_TYPE, sizeof(mtrr_epat_tbl));
+     for ( i = 0; i < MTRR_NUM_TYPES; i++ )
+@@ -172,11 +172,7 @@ static int hvm_mtrr_pat_init(void)
+         }
+     }
+ 
+-    phys_addr = 36;
+-    if ( cpuid_eax(0x80000000) >= 0x80000008 )
+-        phys_addr = (uint8_t)cpuid_eax(0x80000008);
+-
+-    size_or_mask = ~((1 << (phys_addr - PAGE_SHIFT)) - 1);
++    size_or_mask = ~((1 << (paddr_bits - PAGE_SHIFT)) - 1);
+ 
+     return 0;
+ }
+@@ -455,7 +451,7 @@ bool_t mtrr_fix_range_msr_set(struct mtr
+ bool_t mtrr_var_range_msr_set(
+     struct domain *d, struct mtrr_state *m, uint32_t msr, uint64_t msr_content)
+ {
+-    uint32_t index, type, phys_addr, eax, ebx, ecx, edx;
++    uint32_t index, type, phys_addr, eax;
+     uint64_t msr_mask;
+     uint64_t *var_range_base = (uint64_t*)m->var_ranges;
+ 
+@@ -468,16 +464,21 @@ bool_t mtrr_var_range_msr_set(
+                     type == 4 || type == 5 || type == 6)) )
+         return 0;
+ 
+-    phys_addr = 36;
+-    domain_cpuid(d, 0x80000000, 0, &eax, &ebx, &ecx, &edx);
+-    if ( eax >= 0x80000008 )
++    if ( d == current->domain )
+     {
+-        domain_cpuid(d, 0x80000008, 0, &eax, &ebx, &ecx, &edx);
+-        phys_addr = (uint8_t)eax;
++        phys_addr = 36;
++        hvm_cpuid(0x80000000, &eax, NULL, NULL, NULL);
++        if ( eax >= 0x80000008 )
++        {
++            hvm_cpuid(0x80000008, &eax, NULL, NULL, NULL);
++            phys_addr = (uint8_t)eax;
++        }
+     }
++    else
++        phys_addr = paddr_bits;
+     msr_mask = ~((((uint64_t)1) << phys_addr) - 1);
+     msr_mask |= (index & 1) ? 0x7ffUL : 0xf00UL;
+-    if ( unlikely(msr_content && (msr_content & msr_mask)) )
++    if ( unlikely(msr_content & msr_mask) )
+     {
+         HVM_DBG_LOG(DBG_LEVEL_MSR, "invalid msr content:%"PRIx64"\n",
+                     msr_content);
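Review bot: In hvm_mtrr_pat_init() the new `size_or_mask = ~((1 << (paddr_bits - PAGE_SHIFT)) - 1);` shifts a plain `int` constant, which is undefined once `paddr_bits - PAGE_SHIFT` reaches 31; the removed line had the same form, so this is a carried-over problem the rewrite could fix. Assuming `size_or_mask` is a 64-bit quantity (its declaration is outside the hunk), `~((1ULL << (paddr_bits - PAGE_SHIFT)) - 1)` keeps the mask well defined. Separately, the new `hvm_cpuid(1, NULL, NULL, NULL, &_edx)` calls rely on hvm_cpuid() tolerating NULL outputs, while the `case 0x1` context line writes `*ebx` directly. That is safe only if the function's prologue, not shown here, redirects NULL pointers, which is worth confirming.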
diff --git a/533ad1ee-VMX-fix-PAT-value-seen-by-guest.patch b/533ad1ee-VMX-fix-PAT-value-seen-by-guest.patch
new file mode 100644
index 0000000..401a22f
--- /dev/null
+++ b/533ad1ee-VMX-fix-PAT-value-seen-by-guest.patch
@@ -0,0 +1,34 @@
+# Commit fce79f8ce91dc45f3a4d699ee67c49e6cbeb1197
+# Date 2014-04-01 16:49:18 +0200
+# Author Jan Beulich <jbeulich@suse.com>
+# Committer Jan Beulich <jbeulich@suse.com>
+VMX: fix PAT value seen by guest
+
+The XSA-60 fixes introduced a window during which the guest PAT gets
+forced to all zeros. This shouldn't be visible to the guest. Therefore
+we need to intercept PAT MSR accesses during that time period.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Liu Jinsong <jinsong.liu@intel.com>
+
+--- a/xen/arch/x86/hvm/vmx/vmx.c
++++ b/xen/arch/x86/hvm/vmx/vmx.c
+@@ -984,6 +984,8 @@ static void vmx_handle_cd(struct vcpu *v
+ 
+             vmx_get_guest_pat(v, pat);
+             vmx_set_guest_pat(v, uc_pat);
++            vmx_enable_intercept_for_msr(v, MSR_IA32_CR_PAT,
++                                         MSR_TYPE_R | MSR_TYPE_W);
+ 
+             wbinvd();               /* flush possibly polluted cache */
+             hvm_asid_flush_vcpu(v); /* invalidate memory type cached in TLB */
+@@ -993,6 +995,9 @@ static void vmx_handle_cd(struct vcpu *v
+         {
+             v->arch.hvm_vcpu.cache_mode = NORMAL_CACHE_MODE;
+             vmx_set_guest_pat(v, *pat);
++            if ( !iommu_enabled || iommu_snoop )
++                vmx_disable_intercept_for_msr(v, MSR_IA32_CR_PAT,
++                                              MSR_TYPE_R | MSR_TYPE_W);
+             hvm_asid_flush_vcpu(v); /* no need to flush cache */
+         }
+     }
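Review bot: The intercept for `MSR_IA32_CR_PAT` is enabled unconditionally on entry to the no-fill path but removed only `if ( !iommu_enabled || iommu_snoop )`, and nothing in the code explains why the two sides differ. Presumably the condition mirrors the place where PAT pass-through is granted in the first place, which is not visible in this hunk. If that is confirmed, a comment such as `/* Hand PAT back to the guest only where it was passed through originally */` would keep the two sites from drifting apart. vmx_handle_cd() starts and ends outside the hunk.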
diff --git a/533d413b-x86-mm-fix-checks-against-max_mapped_pfn.patch b/533d413b-x86-mm-fix-checks-against-max_mapped_pfn.patch
new file mode 100644
index 0000000..7f9d93d
--- /dev/null
+++ b/533d413b-x86-mm-fix-checks-against-max_mapped_pfn.patch
@@ -0,0 +1,38 @@
+# Commit 088ee1d47b65d6bb92de61b404805f4ca92e3240
+# Date 2014-04-03 12:08:43 +0100
+# Author Jan Beulich <JBeulich@suse.com>
+# Committer Tim Deegan <tim@xen.org>
+x86/mm: fix checks against max_mapped_pfn
+
+This value is an inclusive one, i.e. this fixes an off-by-one in memory
+sharing and an off-by-two in shadow code.
+
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Tim Deegan <tim@xen.org>
+
+--- a/xen/arch/x86/mm/mem_sharing.c
++++ b/xen/arch/x86/mm/mem_sharing.c
+@@ -1268,8 +1268,8 @@ int relinquish_shared_pages(struct domai
+         return 0;
+ 
+     p2m_lock(p2m);
+-    for (gfn = p2m->next_shared_gfn_to_relinquish; 
+-         gfn < p2m->max_mapped_pfn; gfn++ )
++    for ( gfn = p2m->next_shared_gfn_to_relinquish;
++          gfn <= p2m->max_mapped_pfn; gfn++ )
+     {
+         p2m_access_t a;
+         p2m_type_t t;
+--- a/xen/arch/x86/mm/shadow/common.c
++++ b/xen/arch/x86/mm/shadow/common.c
+@@ -3489,9 +3489,7 @@ int shadow_track_dirty_vram(struct domai
+     struct sh_dirty_vram *dirty_vram = d->arch.hvm_domain.dirty_vram;
+     struct p2m_domain *p2m = p2m_get_hostp2m(d);
+ 
+-    if (end_pfn < begin_pfn
+-            || begin_pfn > p2m->max_mapped_pfn
+-            || end_pfn >= p2m->max_mapped_pfn)
++    if ( end_pfn < begin_pfn || end_pfn > p2m->max_mapped_pfn + 1 )
+         return -EINVAL;
+ 
+     /* We perform p2m lookups, so lock the p2m upfront to avoid deadlock */
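Review bot: The rewritten check `end_pfn > p2m->max_mapped_pfn + 1` reads correctly only if `end_pfn` is an exclusive bound while `max_mapped_pfn` is inclusive, and neither the code nor a comment says so. A one-line comment, e.g. `/* end_pfn is exclusive; max_mapped_pfn is inclusive */`, would guard against the next off-by-one here. It is also worth confirming that `max_mapped_pfn + 1` cannot wrap, and that `end_pfn` (computed outside the hunk) cannot overflow before this check, since both values bound the p2m lookups that follow.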
diff --git a/qemu-xen-upstream-megasas-buildtime.patch b/qemu-xen-upstream-megasas-buildtime.patch
new file mode 100644
index 0000000..9a109c5
--- /dev/null
+++ b/qemu-xen-upstream-megasas-buildtime.patch
@@ -0,0 +1,21 @@
+Causes rebuilds.
+Says rpmlint.
+---
+ tools/qemu-xen-dir-remote/hw/scsi/megasas.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+Index: xen-4.4.0-testing/tools/qemu-xen-dir-remote/hw/scsi/megasas.c
+===================================================================
+--- xen-4.4.0-testing.orig/tools/qemu-xen-dir-remote/hw/scsi/megasas.c
++++ xen-4.4.0-testing/tools/qemu-xen-dir-remote/hw/scsi/megasas.c
+@@ -712,8 +712,8 @@ static int megasas_ctrl_get_info(Megasas
+     snprintf(info.package_version, 0x60, "%s-QEMU", QEMU_VERSION);
+     memcpy(info.image_component[0].name, "APP", 3);
+     memcpy(info.image_component[0].version, MEGASAS_VERSION "-QEMU", 9);
+-    memcpy(info.image_component[0].build_date, __DATE__, 11);
+-    memcpy(info.image_component[0].build_time, __TIME__, 8);
++    memcpy(info.image_component[0].build_date, "Apr  1 2014", 11);
++    memcpy(info.image_component[0].build_time, "12:34:56", 8);
+     info.image_component_count = 1;
+     if (pci_dev->has_rom) {
+         uint8_t biosver[32];
diff --git a/xen.changes b/xen.changes
index 69aa134..9490a29 100644
--- a/xen.changes
+++ b/xen.changes
@@ -1,7 +1,45 @@
+-------------------------------------------------------------------
+Wed Apr  9 08:07:03 MDT 2014 - carnold@suse.com
+
+- Upstream patches from Jan
+  53356c1e-x86-HVM-correct-CPUID-leaf-80000008-handling.patch
+  533ad1ee-VMX-fix-PAT-value-seen-by-guest.patch
+  533d413b-x86-mm-fix-checks-against-max_mapped_pfn.patch
+
+-------------------------------------------------------------------
+Thu Apr  3 16:21:03 UTC 2014 - carnold@suse.com
+
+- bnc#862608 - SLES 11 SP3 vm-install should get RHEL 7 support
+  when released
+  53206661-pygrub-support-linux16-and-initrd16.patch
+- Upstream bug fixes
+  53299d8f-xenconsole-reset-tty-on-failure.patch
+  53299d8f-xenconsole-tolerate-tty-errors.patch
+
 -------------------------------------------------------------------
 Thu Apr  3 16:21:03 UTC 2014 - dmueller@suse.com
 
-- fix build for armv7l and aarch64 
+- fix build for armv7l and aarch64
+
+-------------------------------------------------------------------
+Thu Apr  3 15:40:31 CEST 2014 - ohering@suse.de
+
+- Remove compiletime strings from qemu-upstream
+  qemu-xen-upstream-megasas-buildtime.patch
+
+-------------------------------------------------------------------
+Wed Apr  2 08:47:27 MDT 2014 - carnold@suse.com
+
+- bnc#871546 - KMPs are not signed in SUSE:SLE-12:GA? 
+  xen.spec
+
+-------------------------------------------------------------------
+Tue Apr  1 08:14:29 MDT 2014 - carnold@suse.com
+
+- Upstream patches from Jan
+  532fff53-x86-fix-determination-of-bit-count-for-struct-domain-allocations.patch
+  5331917d-x86-enforce-preemption-in-HVM_set_mem_access-p2m_set_mem_access.patch
+- Drop xsa89.patch for upstream version (see bnc#867910, 5331917d-x86-enforce...)
 
 -------------------------------------------------------------------
 Fri Mar 28 11:00:07 MDT 2014 - carnold@suse.com
diff --git a/xen.spec b/xen.spec
index c85ad5b..6035720 100644
--- a/xen.spec
+++ b/xen.spec
@@ -144,6 +144,7 @@ BuildRequires:  glibc-devel-32bit
 BuildRequires:  kernel-source
 BuildRequires:  kernel-syms
 BuildRequires:  module-init-tools
+BuildRequires:  pesign-obs-integration
 %if %suse_version >= 1230
 BuildRequires:  lndir
 %else
@@ -151,7 +152,7 @@ BuildRequires:  xorg-x11-util-devel
 %endif
 %endif
 
-Version:        4.4.0_12
+Version:        4.4.0_13
 Release:        0
 PreReq:         %insserv_prereq %fillup_prereq
 Summary:        Xen Virtualization: Hypervisor (aka VMM aka Microkernel)
@@ -222,11 +223,18 @@ Patch9:         531d8e09-x86-HVM-fix-memory-type-merging-in-epte_get_entry_emt.p
 Patch10:        531d8e34-x86-HVM-consolidate-passthrough-handling-in-epte_get_entry_emt.patch
 Patch11:        531d8fd0-kexec-identify-which-cpu-the-kexec-image-is-being-executed-on.patch
 Patch12:        531dc0e2-xmalloc-handle-correctly-page-allocation-when-align-size.patch
-Patch13:        5321b20b-common-make-hypercall-preemption-checks-consistent.patch
-Patch14:        5321b257-x86-make-hypercall-preemption-checks-consistent.patch
-Patch15:        53271880-VT-d-fix-RMRR-handling.patch
-Patch16:        5327190a-x86-Intel-work-around-Xeon-7400-series-erratum-AAI65.patch
-Patch17:        xsa89.patch
+Patch13:        53206661-pygrub-support-linux16-and-initrd16.patch
+Patch14:        5321b20b-common-make-hypercall-preemption-checks-consistent.patch
+Patch15:        5321b257-x86-make-hypercall-preemption-checks-consistent.patch
+Patch16:        53271880-VT-d-fix-RMRR-handling.patch
+Patch17:        5327190a-x86-Intel-work-around-Xeon-7400-series-erratum-AAI65.patch
+Patch18:        53299d8f-xenconsole-reset-tty-on-failure.patch
+Patch19:        53299d8f-xenconsole-tolerate-tty-errors.patch
+Patch20:        532fff53-x86-fix-determination-of-bit-count-for-struct-domain-allocations.patch
+Patch21:        5331917d-x86-enforce-preemption-in-HVM_set_mem_access-p2m_set_mem_access.patch
+Patch22:        53356c1e-x86-HVM-correct-CPUID-leaf-80000008-handling.patch
+Patch23:        533ad1ee-VMX-fix-PAT-value-seen-by-guest.patch
+Patch24:        533d413b-x86-mm-fix-checks-against-max_mapped_pfn.patch
 # Upstream qemu
 Patch250:       VNC-Support-for-ExtendedKeyEvent-client-message.patch
 Patch251:       0001-net-move-the-tap-buffer-into-TAPState.patch
@@ -293,6 +301,7 @@ Patch385:       xen_pvonhvm.xen_emul_unplug.patch
 Patch386:       libxc-pass-errno-to-callers-of-xc_domain_save.patch
 Patch387:       libxl.set-migration-constraints-from-cmdline.patch
 Patch388:       libxl.honor-more-top-level-vfb-options.patch
+Patch389:       qemu-xen-upstream-megasas-buildtime.patch
 # Xend
 Patch400:       xend-set-migration-constraints-from-cmdline.patch
 Patch402:       xen.migrate.tools-xend_move_assert_to_exception_block.patch
@@ -546,6 +555,7 @@ Authors:
 Summary:        Xen para-virtual device drivers for fully virtualized guests
 Group:          System/Kernel
 Conflicts:      xen
+Requires:       pesign-obs-integration
 
 %description KMP
 Xen is a virtual machine monitor for x86 that supports execution of
@@ -598,6 +608,13 @@ Authors:
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1
+%patch19 -p1
+%patch20 -p1
+%patch21 -p1
+%patch22 -p1
+%patch23 -p1
+%patch24 -p1
 # Upstream qemu patches
 %patch250 -p1
 %patch251 -p1
@@ -663,6 +680,7 @@ Authors:
 %patch386 -p1
 %patch387 -p1
 %patch388 -p1
+%patch389 -p1
 # Xend
 %patch400 -p1
 %patch402 -p1
@@ -807,6 +825,7 @@ export EXTRA_CFLAGS_QEMU_TRADITIONAL="$RPM_OPT_FLAGS"
 export EXTRA_CFLAGS_QEMU_XEN="$RPM_OPT_FLAGS"
 # EFI
 %if %{?with_dom0_support}0
+export BRP_PESIGN_FILES="*.ko *.efi /lib/firmware"
 make -C xen install \
 %if %{?with_gcc47}0
 	CC=gcc-4.7 \
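Review bot: `export BRP_PESIGN_FILES="*.ko *.efi /lib/firmware"` sits inside the `%if %{?with_dom0_support}0` block, so a build with dom0 support disabled would never set it. If the KMP subpackage is still built in that configuration (the relevant conditionals are outside this hunk), its modules would go unsigned, which is the problem bnc#871546 describes. Moving the export above the `%if` would cover both cases.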
diff --git a/xen2libvirt.py b/xen2libvirt.py
index aeeee9b..cc735db 100644
--- a/xen2libvirt.py
+++ b/xen2libvirt.py
@@ -1,113 +1,113 @@
-#!/usr/bin/env python
-#
-# Copyright (C) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# This library is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-# Lesser General Public License for more details.
-#
-# You should have received a copy of the GNU Lesser General Public
-# License along with this library.  If not, see
-# <http://www.gnu.org/licenses/>.
-#
-# Authors:
-#     Jim Fehlig <jfehlig@suse.com>
-#
-# Read native Xen configuration format, convert to libvirt domXML, and
-# import (virsh define <xml>) into libvirt.
-
-import sys
-import os
-import argparse
-import re
-
-try:
-    import libvirt
-except ImportError:
-    print 'Unable to import the libvirt module.  Is libvirt-python installed?'
-    sys.exit(1)
-
-parser = argparse.ArgumentParser(description='Import Xen domain configuration into libvirt')
-parser.add_argument('-c', '--convert-only', help='Convert Xen domain configuration into libvirt domXML, but do not import into libvirt', action='store_true', dest='convert_only')
-parser.add_argument('-r', '--recursive', help='Operate recursivelly on all Xen domain configuration rooted at path', action='store_true')
-parser.add_argument('-f', '--format', help='Format of Xen domain configuration.  Supported formats are xm and sexpr', choices=['xm', 'sexpr'], default=None)
-parser.add_argument('-v', '--verbose', help='Print information about the import process', action='store_true')
-parser.add_argument('path', help='Path to Xen domain configuration')
-
-
-def print_verbose(msg):
-    if args.verbose:
-        print msg
-
-
-def check_config(path, config):
-    isbinary = os.system('file -b ' + path + ' | grep text > /dev/null')
-
-    if isbinary:
-        print 'File %s is not a text file containing Xen xm or sexpr configuration'
-        sys.exit(1)
-
-    if config.find('\(domain'):
-        return 'sexpr'
-    return 'xm'
-
-
-def import_domain(conn, path, format=None, convert_only=False):
-
-    f = open(path, 'r')
-    config = f.read()
-    print_verbose('Xen domain configuration read from %s:\n %s' % (path, config))
-    if format is None:
-        format = check_config(path, config)
-
-    if format == 'sexpr':
-        print_verbose('scrubbing domin from configuration')
-        config = re.sub("\(domid [0-9]*\)", "", config)
-        print_verbose('scrubbed sexpr:\n %s' % config)
-        xml = conn.domainXMLFromNative('xen-sxpr', config, 0)
-    else:
-        # if format != sexpr, try xm
-        xml = conn.domainXMLFromNative('xen-xm', config, 0)
-
-    f.close()
-
-    print_verbose('Successfully converted Xen domain configuration to '
-                  'libvirt domXML:\n %s' % xml)
-    if convert_only:
-        print xml
-    else:
-        print_verbose('Importing converted libvirt domXML into libvirt...')
-        dom = conn.defineXML(xml)
-        if dom is None:
-            print 'Failed to define domain from converted domXML'
-            sys.exit(1)
-        print_verbose('domXML successfully imported into libvirt')
-
-
-args = parser.parse_args()
-path = args.path
-
-# Connect to libvirt
-conn = libvirt.open(None)
-if conn is None:
-    print('Failed to open connection to the hypervisor')
-    sys.exit(1)
-
-if args.recursive:
-    try:
-        for root, dirs, files in os.walk(path):
-            for name in files:
-                abs_name = os.path.join(root, name)
-                print_verbose('Processing file %s' % abs_name)
-                import_domain(conn, abs_name, args.format, args.convert_only)
-    except IOError:
-        print('Failed to open/read path %s' % path)
-        sys.exit(1)
-else:
-    import_domain(conn, args.path, args.format, args.convert_only)
+#!/usr/bin/env python
+#
+# Copyright (C) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see
+# <http://www.gnu.org/licenses/>.
+#
+# Authors:
+#     Jim Fehlig <jfehlig@suse.com>
+#
+# Read native Xen configuration format, convert to libvirt domXML, and
+# import (virsh define <xml>) into libvirt.
+
+import sys
+import os
+import argparse
+import re
+
+try:
+    import libvirt
+except ImportError:
+    print 'Unable to import the libvirt module.  Is libvirt-python installed?'
+    sys.exit(1)
+
+parser = argparse.ArgumentParser(description='Import Xen domain configuration into libvirt')
+parser.add_argument('-c', '--convert-only', help='Convert Xen domain configuration into libvirt domXML, but do not import into libvirt', action='store_true', dest='convert_only')
+parser.add_argument('-r', '--recursive', help='Operate recursivelly on all Xen domain configuration rooted at path', action='store_true')
+parser.add_argument('-f', '--format', help='Format of Xen domain configuration.  Supported formats are xm and sexpr', choices=['xm', 'sexpr'], default=None)
+parser.add_argument('-v', '--verbose', help='Print information about the import process', action='store_true')
+parser.add_argument('path', help='Path to Xen domain configuration')
+
+
+def print_verbose(msg):
+    if args.verbose:
+        print msg
+
+
+def check_config(path, config):
+    isbinary = os.system('file -b ' + path + ' | grep text > /dev/null')
+
+    if isbinary:
+        print 'File %s is not a text file containing Xen xm or sexpr configuration'
+        sys.exit(1)
+
+    if config.find('\(domain'):
+        return 'sexpr'
+    return 'xm'
+
+
+def import_domain(conn, path, format=None, convert_only=False):
+
+    f = open(path, 'r')
+    config = f.read()
+    print_verbose('Xen domain configuration read from %s:\n %s' % (path, config))
+    if format is None:
+        format = check_config(path, config)
+
+    if format == 'sexpr':
+        print_verbose('scrubbing domin from configuration')
+        config = re.sub("\(domid [0-9]*\)", "", config)
+        print_verbose('scrubbed sexpr:\n %s' % config)
+        xml = conn.domainXMLFromNative('xen-sxpr', config, 0)
+    else:
+        # if format != sexpr, try xm
+        xml = conn.domainXMLFromNative('xen-xm', config, 0)
+
+    f.close()
+
+    print_verbose('Successfully converted Xen domain configuration to '
+                  'libvirt domXML:\n %s' % xml)
+    if convert_only:
+        print xml
+    else:
+        print_verbose('Importing converted libvirt domXML into libvirt...')
+        dom = conn.defineXML(xml)
+        if dom is None:
+            print 'Failed to define domain from converted domXML'
+            sys.exit(1)
+        print_verbose('domXML successfully imported into libvirt')
+
+
+args = parser.parse_args()
+path = args.path
+
+# Connect to libvirt
+conn = libvirt.open(None)
+if conn is None:
+    print('Failed to open connection to the hypervisor')
+    sys.exit(1)
+
+if args.recursive:
+    try:
+        for root, dirs, files in os.walk(path):
+            for name in files:
+                abs_name = os.path.join(root, name)
+                print_verbose('Processing file %s' % abs_name)
+                import_domain(conn, abs_name, args.format, args.convert_only)
+    except IOError:
+        print('Failed to open/read path %s' % path)
+        sys.exit(1)
+else:
+    import_domain(conn, args.path, args.format, args.convert_only)
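Review bot: `check_config` builds a shell command by concatenating `path` into `os.system('file -b ' + path + ' | grep text > /dev/null')`, and with `--recursive` that path comes from file names returned by `os.walk`, so a name containing shell metacharacters is interpreted by the shell instead of being passed to `file`. Running `file` through `subprocess` with an argument list takes the shell out of the call; this needs `import subprocess` next to the other imports. The same function tests `config.find('\(domain')` for truthiness, but `find` returns -1 when the text is absent and the backslash is searched for literally, so the branch appears to return 'sexpr' for nearly every input. The error message also prints a literal `%s` because `path` is never interpolated. The removed and added sides of this hunk look textually identical, so these points predate the commit.

```python
def check_config(path, config):
    # argv list, no shell: the file name reaches file(1) as a single argument
    proc = subprocess.Popen(['file', '-b', '--', path], stdout=subprocess.PIPE)
    if 'text' not in proc.communicate()[0]:
        print 'File %s is not a text file containing Xen xm or sexpr configuration' % path
        sys.exit(1)

    # str.find() returns -1 (truthy) when absent, so compare explicitly
    if config.find('(domain') != -1:
        return 'sexpr'
    return 'xm'
```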
diff --git a/xenconsole-no-multiple-connections.patch b/xenconsole-no-multiple-connections.patch
index 03d6701..c9a74a9 100644
--- a/xenconsole-no-multiple-connections.patch
+++ b/xenconsole-no-multiple-connections.patch
@@ -10,16 +10,18 @@ Index: xen-4.4.0-testing/tools/console/client/main.c
  	fd_set watch_fdset;
  	int xs_fd = xs_fileno(xs), pty_fd = -1;
  	int start, now;
-@@ -119,6 +120,12 @@ static int get_pty_fd(struct xs_handle *
+@@ -119,6 +120,14 @@ static int get_pty_fd(struct xs_handle *
  				pty_fd = open(pty_path, O_RDWR | O_NOCTTY);
  				if (pty_fd == -1)
- 					err(errno, "Could not open tty `%s'", pty_path);
-+				memset(&lock, 0, sizeof(lock));
-+				lock.l_type = F_WRLCK;
-+				lock.l_whence = SEEK_SET;
-+				if (fcntl(pty_fd, F_SETLK, &lock) != 0)
-+					err(errno, "Could not lock tty '%s'",
-+					    pty_path);
- 				free(pty_path);
+ 					warn("Could not open tty `%s'", pty_path);
++				else {
++					memset(&lock, 0, sizeof(lock));
++					lock.l_type = F_WRLCK;
++					lock.l_whence = SEEK_SET;
++					if (fcntl(pty_fd, F_SETLK, &lock) != 0)
++						err(errno, "Could not lock tty '%s'",
++						    pty_path);
++				}
  			}
+ 			free(pty_path);
  		}
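Review bot: The `fcntl(pty_fd, F_SETLK, &lock)` call now placed in the `else` branch has no comment saying what the lock is for or what it guarantees. It is a POSIX advisory record lock, so it only keeps out other processes that take the same lock on the pty (presumably a second console client); a program that opens the pty without locking is not blocked by it. I would add above the `memset`: `/* Advisory whole-file write lock: refuses a second client that also locks this pty; does not bind openers that skip the lock. */`. Since a failed `open()` is now only a `warn()`, it would also help to state in a comment what the caller sees when `pty_fd` stays -1. That path is not visible here, because the body of `get_pty_fd` starts and ends outside the hunk.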