Xen and updated kernels

Xen and updated kernels

[Tony and Robyn Lewis]

I am enjoying playing with Xen.  Kudos for this cool technology.  We're 
thinking hard about using Xen in production for our office.

My major concern is security in the kernel.  The pre-built binaries of 
the Xenised kernels are based on 2.6.12, which is old now (last released 
in late August according to kernel.org).

Does this not put the domU guests at risk, if there are kernel exploits 
that apply to 2.6.12?  Granted, the damage is contained, but there's 
still an 0wned (virtual) server that I've now got to deal with.

Between now and when Xen gets into the mainstream kernel, what's a good 
mitigation for this risk?  *Is* it a risk?

I would like to apply the Xen patch to a maintained kernel source, in my 
case the latest Debian 2..6.12 tree (it has later patches backported to 
it).  I've tried applying it and ended up with heaps (50-ish) 
rejections.  From first glance, most of these rejections are because the 
Debian source already contains the patch that Xen tries to apply, and so 
are safe to ignore.  Not all rejections are, though, and unless there's 
a better idea (hence this email), my intent is to then go through these 
by hand and fix things up.

Hopefully it'll be a one-off task.  I can use the new tree and the 
original to generate my own xen-3.0-to-debian-2.6.12-blah.patch.  When a 
new Debian 2.6.12 comes out, this patch should apply fairly cleanly.

Again, is this worth doing?

Tony Lewis

Re: Xen and updated kernels

[Mark Williamson]

> I am enjoying playing with Xen.  Kudos for this cool technology.  We're
> thinking hard about using Xen in production for our office.
>
> My major concern is security in the kernel.  The pre-built binaries of
> the Xenised kernels are based on 2.6.12, which is old now (last released
> in late August according to kernel.org).
>
> Does this not put the domU guests at risk, if there are kernel exploits
> that apply to 2.6.12?  Granted, the damage is contained, but there's
> still an 0wned (virtual) server that I've now got to deal with.

The reason the main distribution hasn't been updated with a new kernel version 
recently is that a lot of work is being done on the Xen-ification patch to 
make acceptable for upstream merge.

This repo contains a Xenified Linux 2.6.15:
http://xenbits.xensource.com/linux-2.6-xen.hg
But this is currently not as widely used / tested as the 2.6.12 tree which is 
included with the Xen 3.0 distribution.

The contents of that repo will be used in future releases of Xen, but the 
kernel provided there should work fine now for domUs on 3.0 hypervisors.

> Between now and when Xen gets into the mainstream kernel, what's a good
> mitigation for this risk?  *Is* it a risk?

Well, it's a risk if there are any exploits that might effect your 
configuration.  I don't recall any particularly horrible exploits in recent 
2.6 kernels, though.  If it's an exploit that hasn't yet been discovered, it 
most likely won't be fixed in more recent kernels either.  Depends how 
paranoid you're feeling - are they really out to get you? ;-)

> I would like to apply the Xen patch to a maintained kernel source, in my
> case the latest Debian 2..6.12 tree (it has later patches backported to
> it).  I've tried applying it and ended up with heaps (50-ish)
> rejections.  From first glance, most of these rejections are because the
> Debian source already contains the patch that Xen tries to apply, and so
> are safe to ignore.  Not all rejections are, though, and unless there's
> a better idea (hence this email), my intent is to then go through these
> by hand and fix things up.
>
> Hopefully it'll be a one-off task.  I can use the new tree and the
> original to generate my own xen-3.0-to-debian-2.6.12-blah.patch.  When a
> new Debian 2.6.12 comes out, this patch should apply fairly cleanly.
>
> Again, is this worth doing?

Possibly...  depends how impatient you are ;-)  But IIRC, various people have 
been producing Xenified Debian kernels, so you may be duplicating work - I'm 
not sure how those efforts are progressing right now.

Cheers,
Mark