From: Jeremy Fitzhardinge <jeremy@goop.org>
To: Dan Magenheimer <dan.magenheimer@oracle.com>
Cc: Pavel Machek <pavel@ucw.cz>,
linux-kernel@vger.kernel.org, xen-devel@lists.xensource.com,
npiggin@suse.de, chris.mason@oracle.com, kurt.hackel@oracle.com,
dave.mccracken@oracle.com, Avi Kivity <avi@redhat.com>,
Rik van Riel <riel@redhat.com>,
alan@lxorguk.ukuu.org.uk, Rusty Russell <rusty@rustcorp.com.au>,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
akpm@osdl.org, Marcelo Tosatti <mtosatti@redhat.com>,
Balbir Singh <balbir@linux.vnet.ibm.com>,
tmem-devel@oss.oracle.com, sunil.mushran@oracle.com,
linux-mm@kvack.org, Himanshu Raj <rhim@microsoft.com>
Subject: Re: [RFC] transcendent memory for Linux
Date: Mon, 29 Jun 2009 15:15:53 -0700 [thread overview]
Message-ID: <4A493D19.4050908@goop.org> (raw)
In-Reply-To: <a2cac9b3-74c1-4eea-8273-afe2226cef1d@default>
On 06/29/09 14:57, Dan Magenheimer wrote:
> Interesting question. But, more than the 128-bit UUID must
> be guessed... a valid 64-bit object id and a valid 32-bit
> page index must also be guessed (though most instances of
> the page index are small numbers so easy to guess). Once
> 192 bits are guessed though, yes, the pages could be viewed
> and modified. I suspect there are much more easily targeted
> security holes in most data centers than guessing 192 (or
> even 128) bits.
>
If its possible to verify the uuid is valid before trying to find a
valid oid+page, then its much easier (since you can concentrate on the
uuid first). If the uuid is derived from something like the
filesystem's uuid - which wouldn't normally be considered sensitive
information - then its not like its a search of the full 128-bit space.
And even if it were secret, uuids are not generally 128 randomly chosen
bits.
You also have to consider the case of a domain which was once part of
the ocfs cluster, but now is not - it may still know the uuid, but not
be otherwise allowed to use the cluster.
> Now this only affects shared pools, and shared-precache is still
> experimental and not really part of this patchset. Does "mount"
> of an accessible disk/filesystem have a better security model?
> Perhaps there are opportunities to leverage that?
>
Well, a domain is allowed to access any block device you give it access
to. I'm not sure what the equivalent model for tmem would be.
Anyway, it sounds like you need to think a fair bit more about shared
tmem's security model before it can be considered for use.
> Yes. Perhaps all the non-flag bits should just be reserved for
> future use. Today, the implementation just checks for (and implements)
> only zero anyway and nothing is defined anywhere except the 4K
> pagesize at the lowest levels of the (currently xen-only) API.
>
Yes. It should fail if it sees any unknown flags set in a guest request.
J
next prev parent reply other threads:[~2009-06-29 22:16 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-06-19 23:53 [RFC] transcendent memory for Linux Dan Magenheimer
2009-06-20 1:35 ` [RFC PATCH 0/4] transcendent memory ("tmem") " Dan Magenheimer
2009-06-20 1:35 ` [RFC PATCH 1/4] tmem: infrastructure for tmem layer Dan Magenheimer
2009-06-20 1:50 ` Rik van Riel
2009-06-20 1:35 ` [RFC PATCH 2/4] tmem: precache implementation (layered on tmem) Dan Magenheimer
2009-06-20 2:28 ` Rik van Riel
2009-06-20 1:36 ` [RFC PATCH 3/4] tmem: preswap " Dan Magenheimer
2009-06-20 1:36 ` [RFC PATCH 4/4] tmem: interface code for tmem on top of xen Dan Magenheimer
2009-06-22 11:27 ` [RFC] transcendent memory for Linux Martin Schwidefsky
2009-06-22 20:41 ` Dan Magenheimer
2009-06-22 14:31 ` Chris Friesen
2009-06-22 20:50 ` Dan Magenheimer
2009-06-24 15:04 ` Pavel Machek
2009-06-29 14:34 ` Dan Magenheimer
2009-06-29 20:36 ` Pavel Machek
2009-06-29 21:13 ` Dan Magenheimer
2009-06-29 21:23 ` Jeremy Fitzhardinge
2009-06-29 21:57 ` Dan Magenheimer
2009-06-29 22:15 ` Jeremy Fitzhardinge [this message]
2009-06-30 21:21 ` Dan Magenheimer
2009-06-30 22:46 ` Jeremy Fitzhardinge
2009-07-01 23:02 ` Dan Magenheimer
2009-07-01 23:31 ` Jeremy Fitzhardinge
2009-07-02 6:38 ` Pavel Machek
2009-07-02 14:03 ` Dan Magenheimer
2009-06-27 13:18 ` Linus Walleij
2009-06-28 7:42 ` Avi Kivity
2009-06-29 14:44 ` Dan Magenheimer
2009-07-01 3:41 ` Roland Dreier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A493D19.4050908@goop.org \
--to=jeremy@goop.org \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=avi@redhat.com \
--cc=balbir@linux.vnet.ibm.com \
--cc=chris.mason@oracle.com \
--cc=dan.magenheimer@oracle.com \
--cc=dave.mccracken@oracle.com \
--cc=kurt.hackel@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=mtosatti@redhat.com \
--cc=npiggin@suse.de \
--cc=pavel@ucw.cz \
--cc=rhim@microsoft.com \
--cc=riel@redhat.com \
--cc=rusty@rustcorp.com.au \
--cc=schwidefsky@de.ibm.com \
--cc=sunil.mushran@oracle.com \
--cc=tmem-devel@oss.oracle.com \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox