[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature

To: George Dunlap <george.dunlap@xxxxxxxxxx>, Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxx>
From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Date: Mon, 26 Jun 2017 18:18:08 +0100
Cc: Lars Kurth <lars.kurth@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <liuw@xxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>
Delivery-date: Mon, 26 Jun 2017 17:18:32 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 26/06/17 17:50, George Dunlap wrote:
> On 26/06/17 17:39, Andrew Cooper wrote:
>>> * Bugs which allow a guest to prevent the application of a livepatch:
>>>     A guest should not be able to prevent the application of a live
>>>     patch. If an unprivileged guest can prevent the application of a
>>>     live patch, it shall be treated as a security issue.
>> This one is harder to say.  We know that enough concurrent live
>> migrations can, which extends to "lots of activity in the guest".  Its
>> perhaps worth noting the potential workaround of `xl pause $DOM;
>> xen-livepatch ...; xl unpause`.
> And what if the guest can prevent itself from being paused?

In which case, that is an XSA in its own right.

The underlying implementation uses XEN_DOMCTL_{,un}pausedomain which
call straight into domain_{un,}pause().  We have very big problems if
the guest has any influence in this...

>
> Or, what if the guest can trigger some other persistent state change
> such that livepatching will fail even if the domain is paused (or
> destroyed)?

Such as?

The guest being able to cause damaging mutative state change in Xen is
clearly a security issue, irrespective of any livepatch involvement.

However, livepatch content (hook function for example) which trips over
state as found in the hypervisor at the point of application is a bad
livepatch, not a vulnerability in livepatching.

> I agree that as long as the patch can be applied after "xl pause", then
> the domain cannot be said to be preventing the application of the
> livepatch.  But if either 'xl pause' doesn't work, or if livepatching
> fails due to a malicious domain's actions after 'xl pause' (or 'xl
> destroy'), then it should be treated as a security issue.

I broadly agree, but these bugs feel like they would be self-standing,
perhaps with an impact to applying a livepatch, rather than XSAs in
livepatching itself.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
  - From: George Dunlap

References:
- [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
  - From: Ross Lagerwall
- Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
  - From: Andrew Cooper
- Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
  - From: George Dunlap

Prev by Date: Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
Next by Date: [Xen-devel] [qemu-upstream-4.8-testing test] 111049: tolerable trouble: blocked/broken/fail/pass - PUSHED
Previous by thread: Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
Next by thread: Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.