[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] RAM security


  • To: Jonathan Tripathy <jonnyt@xxxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, <Xen-devel@xxxxxxxxxxxxxxxxxxx>
  • From: Keir Fraser <keir@xxxxxxx>
  • Date: Mon, 06 Dec 2010 08:26:34 -0800
  • Cc:
  • Delivery-date: Mon, 06 Dec 2010 08:28:24 -0800
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:user-agent:date:subject:from:to:message-id:thread-topic :thread-index:in-reply-to:mime-version:content-type :content-transfer-encoding; b=ZzKQpvnzmZzqHgTPIyi1TitKaoC2BhUMWEg37K4UERoeSEr2rte8utLDGL+uXJL8xq 1TSChi7vCcbGxJFe9+q7PF5Mf4cetbo7GH39DHEEecggRTqhVHaYHZXUmEIeUSx7rChX RJaexNK0KPTUeJ+sOzDQn0FeT/NnWDlU5EPPE=
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>
  • Thread-index: AcuVYljWE041ahZjUkOK8fzI1Wmhuw==
  • Thread-topic: [Xen-devel] RAM security

On 06/12/2010 07:35, "Jonathan Tripathy" <jonnyt@xxxxxxxxxxx> wrote:

> Just a few questions:
> 
> 1) By saying "the guest's responsibility", does this mean that
> CONFIG_XEN_SCRUB_PAGES=y is set in the DomU kernel config?

Yes.

> 2) Also, if a DomU was shutdown by xm destroy, obviously the DomU
> wouldn¹t scrub the RAM. However would Xen still scrub the RAM?

Xen always scrubs memory on behalf of a dead domain.

> 3) If the physical server was shutdown (e.g. plug pulled), I'm guessing
> this will presetn a problem?

Xen scrubs all memory during boot, unless told not to via a boot parameter.

> 4) Why doesn't Xen scrub the RAM before giving it to the DomU?

It does in the above circumstances. Otherwise it is up to the domU, and why
not.

 -- Keir

> Thanks
> 
> On 06/12/10 14:49, George Dunlap wrote:
>> I looked into this sometime this last year.  I believe the answer is
>> "no": the domain destruction routines will zero memory before handing
>> it back to Xen.
>> 
>> One potential data leak, however (last time I looked at this), is that
>> Xen does not scrub memory handed back by the balloon driver.  So if
>> the guest OS hasn't scrubbed it, and it contains sensitive
>> information, it may end up being assigned to another domain as-is
>> (either via ballooning or start-of-day domain creation).  At the
>> moment that's considered the guest's responsibility.
>> 
>>   -George
>> 
>> On Mon, Dec 6, 2010 at 2:35 PM, Jonathan Tripathy<jonnyt@xxxxxxxxxxx>  wrote:
>>> Hi Everyone,
>>> 
>>> In Xen, is a DomU able to access data in RAM which a previous DomU has
>>> stored in the past, but didn't "zero" it?
>>> 
>>> I understand that this is a problem with physical disks (using phy:/), just
>>> wondering if the same stands with RAM
>>> 
>>> Thanks
>>> 
>>> _______________________________________________
>>> Xen-devel mailing list
>>> Xen-devel@xxxxxxxxxxxxxxxxxxx
>>> http://lists.xensource.com/xen-devel
>>> 
>>> 
> 
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.