[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH] mm: option to _always_ scrub freed domheap pages

To: <xen-devel@xxxxxxxxxxxxxxxxxxxx>
From: Eslam Elnikety <elnikety@xxxxxxxxxx>
Date: Mon, 6 May 2019 12:46:24 +0000
Cc: Stefano Stabellini <sstabellini@xxxxxxxxxx>, Wei Liu <wei.liu2@xxxxxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Ian Jackson <ian.jackson@xxxxxxxxxxxxx>, Eslam Elnikety <elnikety@xxxxxxxxxx>, Tim Deegan <tim@xxxxxxx>, Julien Grall <julien.grall@xxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>
Delivery-date: Mon, 06 May 2019 12:46:57 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Give the administrator further control on when to scrub domheap pages by adding
an option to always scrub. This is a safety feature that, when enabled,
prevents a (buggy) domain from leaking secrets if it accidentally frees a page
without proper scrubbing.

Signed-off-by: Eslam Elnikety <elnikety@xxxxxxxxxx>
---
 docs/misc/xen-command-line.pandoc |  8 ++++++++
 xen/common/page_alloc.c           | 11 +++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/docs/misc/xen-command-line.pandoc 
b/docs/misc/xen-command-line.pandoc
index 7dcb22932a..5a92949c5a 100644
--- a/docs/misc/xen-command-line.pandoc
+++ b/docs/misc/xen-command-line.pandoc
@@ -270,6 +270,14 @@ and not running softirqs. Reduce this if softirqs are not 
being run frequently
 enough. Setting this to a high value may cause boot failure, particularly if
 the NMI watchdog is also enabled.
 
+### scrub_domheap
+> `= <boolean>`
+
+> Default: `false`
+
+Scrub domains' freed pages. This is a safety net against a (buggy) domain
+accidentally leaking secrets by releasing pages without proper sanitization.
+
 ### clocksource (x86)
 > `= pit | hpet | acpi | tsc`
 
diff --git a/xen/common/page_alloc.c b/xen/common/page_alloc.c
index be44158033..678a00ac9b 100644
--- a/xen/common/page_alloc.c
+++ b/xen/common/page_alloc.c
@@ -214,6 +214,12 @@ custom_param("bootscrub", parse_bootscrub_param);
 static unsigned long __initdata opt_bootscrub_chunk = MB(128);
 size_param("bootscrub_chunk", opt_bootscrub_chunk);
 
+/*
+ * scrub_domheap -> Domheap pages are scrubbed when freed
+ */
+static bool_t opt_scrub_domheap = 0;
+boolean_param("scrub_domheap", opt_scrub_domheap);
+
 #ifdef CONFIG_SCRUB_DEBUG
 static bool __read_mostly scrub_debug;
 #else
@@ -2378,9 +2384,10 @@ void free_domheap_pages(struct page_info *pg, unsigned 
int order)
             /*
              * Normally we expect a domain to clear pages before freeing them,
              * if it cares about the secrecy of their contents. However, after
-             * a domain has died we assume responsibility for erasure.
+             * a domain has died we assume responsibility for erasure. We do
+             * scrub regardless if option scrub_domheap is set.
              */
-            scrub = d->is_dying || scrub_debug;
+            scrub = d->is_dying || scrub_debug || opt_scrub_domheap;
         }
         else
         {
-- 
2.15.3.AMZN


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH] mm: option to _always_ scrub freed domheap pages
  - From: George Dunlap

Prev by Date: Re: [Xen-devel] [PATCH RFC V2 45/45] xen/sched: add scheduling granularity enum
Next by Date: Re: [Xen-devel] [PATCH 01/12] xen/arm: lpae: Add a macro to generate offsets from an address
Previous by thread: Re: [Xen-devel] [PATCH 5/9] x86/IRQ: fix locking around vector management
Next by thread: Re: [Xen-devel] [PATCH] mm: option to _always_ scrub freed domheap pages
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.