Advisory: XSA-304

Intel's guidance.

An erratum exists on various generations of Intel processors, that can be tickled by an HVM guest kernel, resulting in a core lockup and full system denial of service.

To mitigate, Xen ensures that no EPT superpages are executable, shattering to 4k mappings if execution is needed. This prevents >4k mappings from entering the iTLB, and blocks a precondition of the erratum.

See also: tests/xsa-304/main.c