From: George Dunlap <george.dunlap@citrix.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>,
Ross Lagerwall <ross.lagerwall@citrix.com>,
xen-devel@lists.xen.org
Cc: Lars Kurth <lars.kurth@citrix.com>,
Stefano Stabellini <sstabellini@kernel.org>,
Wei Liu <liuw@liuw.name>,
George Dunlap <George.Dunlap@eu.citrix.com>,
Ian Jackson <ian.jackson@eu.citrix.com>,
Julien Grall <julien.grall@arm.com>,
Jan Beulich <jbeulich@suse.com>
Subject: Re: [PATCH for-4.9] livepatch: Declare live patching as a supported feature
Date: Tue, 27 Jun 2017 09:37:56 +0100 [thread overview]
Message-ID: <9b1f7edb-2efc-3e10-d9d7-009200ca4989@citrix.com> (raw)
In-Reply-To: <507a995a-1cd6-f9c5-e730-69ea62570e11@citrix.com>
On 26/06/17 18:18, Andrew Cooper wrote:
> On 26/06/17 17:50, George Dunlap wrote:
>> On 26/06/17 17:39, Andrew Cooper wrote:
>>>> * Bugs which allow a guest to prevent the application of a livepatch:
>>>> A guest should not be able to prevent the application of a live
>>>> patch. If an unprivileged guest can prevent the application of a
>>>> live patch, it shall be treated as a security issue.
>>> This one is harder to say. We know that enough concurrent live
>>> migrations can, which extends to "lots of activity in the guest". Its
>>> perhaps worth noting the potential workaround of `xl pause $DOM;
>>> xen-livepatch ...; xl unpause`.
>> And what if the guest can prevent itself from being paused?
>
> In which case, that is an XSA in its own right.
>
> The underlying implementation uses XEN_DOMCTL_{,un}pausedomain which
> call straight into domain_{un,}pause(). We have very big problems if
> the guest has any influence in this...
>
>>
>> Or, what if the guest can trigger some other persistent state change
>> such that livepatching will fail even if the domain is paused (or
>> destroyed)?
>
> Such as?
>
> The guest being able to cause damaging mutative state change in Xen is
> clearly a security issue, irrespective of any livepatch involvement.
>
> However, livepatch content (hook function for example) which trips over
> state as found in the hypervisor at the point of application is a bad
> livepatch, not a vulnerability in livepatching.
>
>> I agree that as long as the patch can be applied after "xl pause", then
>> the domain cannot be said to be preventing the application of the
>> livepatch. But if either 'xl pause' doesn't work, or if livepatching
>> fails due to a malicious domain's actions after 'xl pause' (or 'xl
>> destroy'), then it should be treated as a security issue.
>
> I broadly agree, but these bugs feel like they would be self-standing,
> perhaps with an impact to applying a livepatch, rather than XSAs in
> livepatching itself.
So let me get this right.
You think that all possible cases in which a guest can persistently
prevent a livepatch from being applied would already be a security issue
for other reasons.
Therefore, you think we should include a paragraph in our security
support statement specifically stating that we do not provide security
support if the guest can prevent a livepatch.
Is that correct?
-George
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-06-27 8:37 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-26 15:36 [PATCH for-4.9] livepatch: Declare live patching as a supported feature Ross Lagerwall
2017-06-26 16:39 ` Andrew Cooper
2017-06-26 16:50 ` George Dunlap
2017-06-26 16:53 ` Ian Jackson
2017-06-26 17:18 ` Andrew Cooper
2017-06-27 8:37 ` George Dunlap [this message]
2017-06-27 10:47 ` Andrew Cooper
2017-06-27 10:49 ` George Dunlap
2017-06-26 16:50 ` Ross Lagerwall
2017-06-26 17:04 ` Andrew Cooper
2017-06-27 6:04 ` Jan Beulich
2017-06-27 7:19 ` Julien Grall
2017-06-27 11:23 ` Jan Beulich
2017-06-27 11:34 ` George Dunlap
2017-06-26 17:00 ` George Dunlap
2017-06-26 17:30 ` Andrew Cooper
2017-06-27 9:17 ` George Dunlap
2017-06-28 16:18 ` Ross Lagerwall
2017-06-28 16:41 ` Konrad Rzeszutek Wilk
2017-06-30 13:42 ` George Dunlap
2017-07-03 14:53 ` Ross Lagerwall
2017-07-04 8:36 ` Roger Pau Monné
2017-08-03 17:20 ` George Dunlap
2017-08-03 17:21 ` George Dunlap
2017-08-06 0:07 ` Is:livepatch-build-tools.git declare it supported? Was:Re: " Konrad Rzeszutek Wilk
2017-08-07 10:26 ` George Dunlap
2017-08-07 15:59 ` Jan Beulich
2017-08-08 11:16 ` George Dunlap
2017-08-09 7:36 ` Jan Beulich
2017-08-21 10:59 ` George Dunlap
2017-08-21 12:07 ` Jan Beulich
2017-08-21 15:28 ` George Dunlap
2017-08-22 6:37 ` Jan Beulich
2017-08-22 10:58 ` George Dunlap
2017-08-22 11:16 ` Roger Pau Monné
2017-08-29 14:44 ` Konrad Rzeszutek Wilk
2017-08-29 14:46 ` Andrew Cooper
2017-08-29 14:48 ` George Dunlap
2017-06-26 18:29 ` Julien Grall
2017-06-26 21:07 ` Konrad Rzeszutek Wilk
2017-06-27 7:24 ` Julien Grall
2017-06-27 8:09 ` Lars Kurth
2017-06-27 10:49 ` Ian Jackson
2017-06-27 10:59 ` Lars Kurth
2017-06-27 10:46 ` Ian Jackson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9b1f7edb-2efc-3e10-d9d7-009200ca4989@citrix.com \
--to=george.dunlap@citrix.com \
--cc=George.Dunlap@eu.citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=jbeulich@suse.com \
--cc=julien.grall@arm.com \
--cc=lars.kurth@citrix.com \
--cc=liuw@liuw.name \
--cc=ross.lagerwall@citrix.com \
--cc=sstabellini@kernel.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).