From mboxrd@z Thu Jan  1 00:00:00 1970
From: Matt Wilson <msw@linux.com>
Subject: Re: Is there an issue with turning off "scrubbing free
 RAM" on boot with Xen 4.1.3
Date: Sun, 10 Nov 2013 14:25:11 -0800
Message-ID: <20131110222511.GA22949@u109add4315675089e695.ant.amazon.com>
References: <52559F56.3070901@mokumsolutions.com> <52567676.3010102@citrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <xen-devel-bounces@lists.xen.org>
Received: from mail6.bemta3.messagelabs.com ([195.245.230.39])
	by lists.xen.org with esmtp (Exim 4.72)
	(envelope-from <mswilson@gmail.com>) id 1VfdRY-0002nZ-79
	for xen-devel@lists.xenproject.org; Sun, 10 Nov 2013 22:25:20 +0000
Received: by mail-pb0-f43.google.com with SMTP id md4so4377139pbc.2
	for <xen-devel@lists.xenproject.org>;
	Sun, 10 Nov 2013 14:25:16 -0800 (PST)
Content-Disposition: inline
In-Reply-To: <52567676.3010102@citrix.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: Andrew Cooper <andrew.cooper3@citrix.com>
Cc: xen-devel@lists.xenproject.org, Roddy Rodstein <roddy.rodstein@mokumsolutions.com>
List-Id: xen-devel@lists.xenproject.org

On Thu, Oct 10, 2013 at 10:42:14AM +0100, Andrew Cooper wrote:
> On 09/10/13 19:24, Roddy Rodstein wrote:

[...]

> > Could you please share your comments about turning of RAM scrubbing,
> > i.e. have you seen any consequences, security issues and/or threats,
> > red flags, etc...?

[...]

> In the Xen model, domains are responsible for clearing any sensitive
> data they have out of memory before shutdown.

This isn't strictly true. Memory is scrubbed by Xen when the domain
cannot do it for itself (i.e., when a domain is dying during
shutdown). However by default domains /are/ responsible for scrubbing
pages that are returned to Xen via a reservation adjustment (i.e.,
pages returned via the balloon driver).

--msw

> The bootscrub is a preventative measure to ensure that after a crash,
> stale domain information is cleared from RAM before that RAM is reused
> for a new VM.
> 
> If this is not a concern for you, then you can easily turn bootscrub off
> by adding "no-bootscrub" to the Xen command line.