From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:59662)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefanha@gmail.com>) id 1UnRpl-0001qy-CY
	for qemu-devel@nongnu.org; Fri, 14 Jun 2013 07:06:22 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <stefanha@gmail.com>) id 1UnRpj-0001Kt-To
	for qemu-devel@nongnu.org; Fri, 14 Jun 2013 07:06:21 -0400
Received: from mail-wi0-x22b.google.com ([2a00:1450:400c:c05::22b]:44480)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <stefanha@gmail.com>) id 1UnRpj-0001KE-NH
	for qemu-devel@nongnu.org; Fri, 14 Jun 2013 07:06:19 -0400
Received: by mail-wi0-f171.google.com with SMTP id hj3so185376wib.16
	for <qemu-devel@nongnu.org>; Fri, 14 Jun 2013 04:06:19 -0700 (PDT)
Date: Fri, 14 Jun 2013 13:06:16 +0200
From: Stefan Hajnoczi <stefanha@gmail.com>
Message-ID: <20130614110616.GD26780@stefanha-thinkpad.redhat.com>
References: <51B96205.4010601@kamp.de>
	<20130613084015.GF2633@stefanha-thinkpad.redhat.com>
	<51B986EF.9000304@kamp.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <51B986EF.9000304@kamp.de>
Subject: Re: [Qemu-devel] [RFC] sanitize memory on system reset
List-Id: <qemu-devel.nongnu.org>
List-Unsubscribe: <https://lists.nongnu.org/mailman/options/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>
List-Archive: <http://lists.nongnu.org/archive/html/qemu-devel>
List-Post: <mailto:qemu-devel@nongnu.org>
List-Help: <mailto:qemu-devel-request@nongnu.org?subject=help>
List-Subscribe: <https://lists.nongnu.org/mailman/listinfo/qemu-devel>,
	<mailto:qemu-devel-request@nongnu.org?subject=subscribe>
To: Peter Lieven <pl@kamp.de>
Cc: "qemu-devel@nongnu.org" <qemu-devel@nongnu.org>, "H. Peter Anvin" <hpa@zytor.com>

On Thu, Jun 13, 2013 at 10:46:39AM +0200, Peter Lieven wrote:
> On 13.06.2013 10:40, Stefan Hajnoczi wrote:
> >On Thu, Jun 13, 2013 at 08:09:09AM +0200, Peter Lieven wrote:
> >>I was thinking if it would be a good idea to zeroize all memory resources on system reset and
> >>madvise dontneed them afterwards. This would avoid system reset attacks in case the attacker
> >>has only access to the console of a vServer but not on the physical host and it would shrink
> >>RSS size of the vServer siginificantly.
> >I wonder if you'll hit weird OS installers or PXE clients that rely on
> >stashing stuff in memory across reset.
> Mhh, that indeed would be weird.
> 
> What do you think of the idea in general? You concerns could be addresses by adding
> a switch for this which defaults to off.

Any time we deviate from how real hardware behaves we end up in trouble
later on.  Something will depend on this behavior.

It is nice to reduce the RSS footprint on reboot in some cases, your
idea makes sense.  I think it should be disabled by default for
compatibility.

Stefan