[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature

To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxx>
From: George Dunlap <george.dunlap@xxxxxxxxxx>
Date: Mon, 26 Jun 2017 17:50:27 +0100
Cc: Lars Kurth <lars.kurth@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <liuw@xxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>
Delivery-date: Mon, 26 Jun 2017 16:50:54 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 26/06/17 17:39, Andrew Cooper wrote:
>> * Bugs which allow a guest to prevent the application of a livepatch:
>>     A guest should not be able to prevent the application of a live
>>     patch. If an unprivileged guest can prevent the application of a
>>     live patch, it shall be treated as a security issue.
> 
> This one is harder to say.  We know that enough concurrent live
> migrations can, which extends to "lots of activity in the guest".  Its
> perhaps worth noting the potential workaround of `xl pause $DOM;
> xen-livepatch ...; xl unpause`.

And what if the guest can prevent itself from being paused?

Or, what if the guest can trigger some other persistent state change
such that livepatching will fail even if the domain is paused (or
destroyed)?

I agree that as long as the patch can be applied after "xl pause", then
the domain cannot be said to be preventing the application of the
livepatch.  But if either 'xl pause' doesn't work, or if livepatching
fails due to a malicious domain's actions after 'xl pause' (or 'xl
destroy'), then it should be treated as a security issue.

> This is all good, but this information needs to be in a file in
> docs/features/, most probably livepatching.pandoc

+1

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
  - From: Andrew Cooper
- Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
  - From: Ian Jackson

References:
- [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
  - From: Ross Lagerwall
- Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
  - From: Andrew Cooper

Prev by Date: [Xen-devel] [PATCH v5 13/13] x86/traps.h: remove unused declaration of cpu_user_regs
Next by Date: Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
Previous by thread: Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
Next by thread: Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.