[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature

To: George Dunlap <george.dunlap@xxxxxxxxxx>, Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxx>
From: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
Date: Mon, 26 Jun 2017 18:30:26 +0100
Cc: Lars Kurth <lars.kurth@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <liuw@xxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>
Delivery-date: Mon, 26 Jun 2017 17:30:39 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

On 26/06/17 18:00, George Dunlap wrote:
> On 26/06/17 16:36, Ross Lagerwall wrote:
>> Xen Live Patching has been available as tech preview feature since Xen
>> 4.7 and has now had a couple of releases to stabilize. Xen Live patching
>> has been used by multiple vendors to fix several real-world security
>> issues without any severe bugs encountered. Additionally, there are now
>> tests in OSSTest that test live patching to ensure that no regressions
>> are introduced.
>>
>> Based on the amount of testing and usage it has had, we are ready to
>> declare live patching as a 'Supported' feature.
> Great write-up, Ross, thanks.  I more or less agree with everything
> except...
>
>> * Bugs in livepatch-build-tools creating incorrect live patch that
>>   results in an insecure host:
>>     If livepatch-build-tools creates an incorrect live patch that
>>     results in an insecure host, this shall not be considered a security
>>     issue. There are too many OSes and toolchains to consider supporting
>>     this. A live patch should be checked to verify that it is valid
>>     before loading.
> I'm not sure I follow the argument here.  Suppose in one months' time it
> is discovered that livepatch-build-tools, under some circumstances,
> creates patches that open up a side vulnerability.  Do you really think
> we should just post a fix to the mailing list, without alerting anybody
> who may be affected by it?

There are a million ways this could happen, starting from the simple
cases of accidentally building the livepatch from a non-clean working
tree, or accidentally using a compiler other than the one used to build
the running hypervisor.

We absolutely cannot be in the position of issuing XSAs for situations
like this, because there are too many ways where it definitely will go
wrong, and we'd end up issuing XSAs saying "remember to clean your
working tree before building a livepatch".  This is of course absurd.

IMO, The only viable option is to exclude livepatch-build-tools entirely
from security scope.  It is already the case that people producing
livepatches need to check the resulting livepatch binary for sanity, and
test it suitably in a development environment before use in production.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
  - From: George Dunlap

References:
- [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
  - From: Ross Lagerwall
- Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
  - From: George Dunlap

Prev by Date: [Xen-devel] [qemu-upstream-4.8-testing test] 111049: tolerable trouble: blocked/broken/fail/pass - PUSHED
Next by Date: [Xen-devel] [qemu-upstream-4.5-testing test] 111047: regressions - FAIL
Previous by thread: Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
Next by thread: Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.