From: "Daniel P. Berrange"
Date: Mon, 5 Sep 2016 15:00:09 +0100
Message-ID: <20160905140009.GE24656@redhat.com>
To: "Dr. David Alan Gilbert"
Cc: liutgnu@yahoo.com, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] A question about postcopy safety

On Mon, Sep 05, 2016 at 02:52:14PM +0100, Dr. David Alan Gilbert wrote:
> * liutgnu@yahoo.com (liutgnu@yahoo.com) wrote:
> > Hi David,
>
> Hi Liutao,
>
> > I'm studying the process of postcopy migration, and I found that the
> > memory pages migrated from source to destination are not encrypted.
> > Does this make the VM vulnerable if its memory has been tampered with
> > during postcopy migration?
> >
> > I think precopy has less risk because the source's memory is always
> > altering. If one page is tampered with during network transfer, with
> > source still running, then a later version of that page may keep
> > updating. So it would be quite difficult to track all different page
> > versions, and tamper with the final version of one page.
> >
> > But when it comes to postcopy, the situation is riskier because one
> > specific page is only transferred once. It's easy to capture all
> > transferring memory pages, tamper and resend.
>
> I don't think there's much difference between precopy and postcopy for
> security; the only secure way to do migration is over an encrypted
> transport and that solves it for both precopy and postcopy.

Agreed, there's no real world difference in the security of pre & post copy.
If you care about security there's no avoiding the need to use an encrypted
transport.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
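
Added example (not part of the original message and not QEMU code): a toy model of the point made in the replies, showing that a page altered in transit ends up in destination RAM under both precopy and postcopy when the stream is unprotected, and that an integrity-protected channel aborts in both. The 16-byte "pages", the key, all function names, and the per-message HMAC standing in for the integrity protection of an encrypted transport are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stands in for the transport's session key
# Constructed sample: two 16-byte "pages"; the guest dirties page 1 during precopy.
ROUNDS = [{0: b"A" * 16, 1: b"B" * 16}, {1: b"b" * 16}]
FINAL = {0: b"A" * 16, 1: b"b" * 16}


def precopy(rounds):
    """Precopy: a full pass, then re-sends of pages dirtied in the meantime."""
    for pages in rounds:
        yield from pages.items()


def postcopy(ram):
    """Postcopy: each page crosses the wire exactly once."""
    yield from ram.items()


def tag_for(seq, page_no, data):
    """MAC over sequence number, page number and contents."""
    msg = seq.to_bytes(8, "big") + page_no.to_bytes(8, "big") + data
    return hmac.new(KEY, msg, hashlib.sha256).digest()


def seal(stream):
    """Sender side of the protected channel: attach a MAC to every page message."""
    for seq, (page_no, data) in enumerate(stream):
        yield page_no, data, tag_for(seq, page_no, data)


def modified_in_transit(stream, target):
    """Models the tampering the thread worries about: the target page is altered."""
    for page_no, data, *tag in stream:
        yield (page_no, b"\xff" * len(data) if page_no == target else data, *tag)


def receive(stream, protected):
    """Destination side: verify each message if protected, then load the page."""
    ram = {}
    for seq, (page_no, data, *tag) in enumerate(stream):
        if protected and not hmac.compare_digest(tag[0], tag_for(seq, page_no, data)):
            raise ValueError(f"page {page_no}: integrity check failed, aborting")
        ram[page_no] = data
    return ram


def migrate(mode, protected, target=1):
    """Run one simulated migration with page `target` altered on the wire."""
    stream = precopy(ROUNDS) if mode == "precopy" else postcopy(FINAL)
    if protected:
        stream = seal(stream)
    return receive(modified_in_transit(stream, target), protected)
```

Calling `migrate("precopy", False)` and `migrate("postcopy", False)` both return RAM with page 1 overwritten, while passing `True` raises `ValueError` in either mode.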