From patchwork Wed Jun 28 16:13:44 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ross Lagerwall <ross.lagerwall@citrix.com>
X-Patchwork-Id: 9814837
Return-Path: <xen-devel-bounces@lists.xen.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	C758B60365 for <patchwork-xen-devel@patchwork.kernel.org>;
	Wed, 28 Jun 2017 16:16:36 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B9872212E8
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Wed, 28 Jun 2017 16:16:36 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id AC79B26256; Wed, 28 Jun 2017 16:16:36 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED
	autolearn=ham version=3.3.1
Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120])
	(using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 0056A212E8
	for <patchwork-xen-devel@patchwork.kernel.org>;
	Wed, 28 Jun 2017 16:16:35 +0000 (UTC)
Received: from localhost ([127.0.0.1] helo=lists.xenproject.org)
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <xen-devel-bounces@lists.xen.org>)
	id 1dQFbb-00070x-9q; Wed, 28 Jun 2017 16:14:15 +0000
Received: from mail6.bemta6.messagelabs.com ([193.109.254.103])
	by lists.xenproject.org with esmtp (Exim 4.84_2)
	(envelope-from <prvs=3450b7835=ross.lagerwall@citrix.com>)
	id 1dQFba-00070r-9y
	for xen-devel@lists.xen.org; Wed, 28 Jun 2017 16:14:14 +0000
Received: from [193.109.254.147] by server-8.bemta-6.messagelabs.com id
	10/52-03704-5D5D3595; Wed, 28 Jun 2017 16:14:13 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrLLMWRWlGSWpSXmKPExsXitHSDve7Vq8G
	RBk9Wslgs+biYxYHR4+ju30wBjFGsmXlJ+RUJrBlHHm5kKvioUdF++BhbA+N1xS5GTg4JAX+J
	b/+a2UFsNgEDiVuXvjOD2CICshKru+YAxbk4mAWmMkvc+X+VCSQhLBAs8WX6DUYQm0VAVeLFw
	xawBl4BW4lPh9axQQyVk1i6/TpYXEhATeLt8jMsEDWCEidnPgGzmQUkJA6+eME8gZF7FpLULC
	SpBYxMqxjVi1OLylKLdA31kooy0zNKchMzc3QNDcz0clOLixPTU3MSk4r1kvNzNzECg4EBCHY
	w7nzudIhRkoNJSZR375egSCG+pPyUyozE4oz4otKc1OJDjDIcHEoSvIuuBEcKCRalpqdWpGXm
	AMMSJi3BwaMkwvviIlCat7ggMbc4Mx0idYpRUUqcdz5InwBIIqM0D64NFguXGGWlhHkZgQ4R4
	ilILcrNLEGVf8UozsGoJMx7FWQKT2ZeCdz0V0CLmYAWs8wLAFlckoiQkmpgtG3csHaZQoDTzy
	ddZmL+5b7mOfvjFpbwx7Pn34haZbRdaF+mSsMm9kue70XkgtasDP+6cpZ0htCrx/E+BrfK7O4
	JmxVJXvSf+1tjhc2Vm1avLtiqv1GKm122XdqgZlPTdMtGp19hyscYuat7th0K2GoysS/9Z3v2
	5DwxRQb+81ot821Oxc9SYinOSDTUYi4qTgQAcBeuZIACAAA=
X-Env-Sender: prvs=3450b7835=ross.lagerwall@citrix.com
X-Msg-Ref: server-10.tower-27.messagelabs.com!1498666451!81416997!1
X-Originating-IP: [66.165.176.63]
X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor:
	VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n,
	received_headers: No Received headers
X-StarScan-Received: 
X-StarScan-Version: 9.4.19; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 32851 invoked from network); 28 Jun 2017 16:14:12 -0000
Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63)
	by server-10.tower-27.messagelabs.com with RC4-SHA encrypted SMTP;
	28 Jun 2017 16:14:12 -0000
X-IronPort-AV: E=Sophos;i="5.40,276,1496102400"; d="scan'208";a="438164848"
From: Ross Lagerwall <ross.lagerwall@citrix.com>
To: <xen-devel@lists.xen.org>
Date: Wed, 28 Jun 2017 17:13:44 +0100
Message-ID: <20170628161344.6467-1-ross.lagerwall@citrix.com>
X-Mailer: git-send-email 2.9.4
MIME-Version: 1.0
Cc: Lars Kurth <lars.kurth@citrix.com>,
	Stefano Stabellini <sstabellini@kernel.org>,
	George Dunlap <George.Dunlap@eu.citrix.com>,
	Andrew Cooper <andrew.cooper3@citrix.com>, Wei Liu <liuw@liuw.name>,
	Ian Jackson <ian.jackson@eu.citrix.com>,
	Ross Lagerwall <ross.lagerwall@citrix.com>,
	Julien Grall <julien.grall@arm.com>, Jan Beulich <jbeulich@suse.com>
Subject: [Xen-devel] [PATCH for-4.9 v2] livepatch: Declare live patching as
	a supported feature
X-BeenThere: xen-devel@lists.xen.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Xen developer discussion <xen-devel.lists.xen.org>
List-Unsubscribe: <https://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <https://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Errors-To: xen-devel-bounces@lists.xen.org
Sender: "Xen-devel" <xen-devel-bounces@lists.xen.org>
X-Virus-Scanned: ClamAV using ClamSMTP

See docs/features/livepatch.pandoc for the details.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
---

Moved it into a feature document.
Clarified a few bits and pieces based on feedback.

 docs/features/livepatch.pandoc | 103 +++++++++++++++++++++++++++++++++++++++++
 xen/common/Kconfig             |   2 +-
 2 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 docs/features/livepatch.pandoc

diff --git a/docs/features/livepatch.pandoc b/docs/features/livepatch.pandoc
new file mode 100644
index 0000000..faaf2d1
--- /dev/null
+++ b/docs/features/livepatch.pandoc
@@ -0,0 +1,103 @@
+% Live Patching
+% Revision 1
+
+\clearpage
+
+# Basics
+
+---------------- ----------------------------------------------------
+         Status: **Supported**
+
+   Architecture: x86
+
+      Component: Hypervisor, toolstack
+---------------- ----------------------------------------------------
+
+
+# Details
+
+Xen Live Patching has been available as tech preview feature since Xen
+4.7 and has now had a couple of releases to stabilize. Xen Live patching
+has been used by multiple vendors to fix several real-world security
+issues without any severe bugs encountered. Additionally, there are now
+tests in OSSTest that test live patching to ensure that no regressions
+are introduced.
+
+Based on the amount of testing and usage it has had, we are ready to
+declare live patching as a 'Supported' feature on x86.
+
+Live patching is slightly peculiar when it comes to support because it
+allows the host administrator to break their system rather easily
+depending on the content of the live patch. Because of this, it is
+worth detailing the scope of security support:
+
+1) Unprivileged access to live patching operations:
+   Live patching operations should only be accessible to privileged
+   guests and it shall be treated as a security issue if this is not
+   the case.
+
+2) Bugs in the patch-application code such that vulnerabilities exist
+   after application:
+   If a correct live patch is loaded but it is not applied correctly
+   such that it might result in an insecure system (e.g. not all
+   functions are patched), it shall be treated as a security issue.
+
+3) Bugs in livepatch-build-tools creating an incorrect live patch that
+   results in an insecure host:
+   If livepatch-build-tools creates an incorrect live patch that
+   results in an insecure host, this shall not be considered a security
+   issue. There are too many OSes and toolchains to consider supporting
+   this. A live patch should be checked to verify that it is valid
+   before loading.
+
+4) Loading an incorrect live patch that results in an insecure host or
+   host crash:
+   If a live patch (whether created using livepatch-build-tools or some
+   alternative) is loaded and it results in an insecure host or host
+   crash due to the content of the live patch being incorrect or the
+   issue being inappropriate to live patch, this is not considered as a
+   security issue.
+
+5) Bugs in the live patch parsing code (the ELF loader):
+   Bugs in the live patch parsing code such as out-of-bounds reads
+   caused by invalid ELF files are not considered to be security issues
+   because the it can only be triggered by a privileged domain.
+
+6) Bugs which allow a guest to prevent the application of a livepatch:
+   A guest should not be able to prevent the application of a live
+   patch. If an unprivileged guest can somehow prevent the application
+   of a live patch despite pausing it (xl pause ...), it shall be
+   treated as a security issue.
+
+Note: It is expected that live patches are tested in a test environment
+before being used in production to avoid unexpected issues. In
+particular, to avoid the issues described by (3), (4), & (5).
+
+There are also some generic security questions which are worth asking:
+
+1) Is guest->host privilege escalation possible?
+
+The new live patching sysctl subops are only accessible to privileged
+domains and this is tested by OSSTest with an XTF test.
+There is a caveat -- an incorrect live patch can introduce a guest->host
+privilege escalation.
+
+2) Is guest user->guest kernel escalation possible?
+
+No, although an incorrect live patch can introduce a guest user->guest
+kernel privilege escalation.
+
+3) Is there any information leakage?
+
+The new live patching sysctl subops are only accessible to privileged
+domains so it is not possible for an unprivileged guest to access the
+list of loaded live patches. This is tested by OSSTest with an XTF test.
+There is a caveat -- an incorrect live patch can introduce an
+information leakage.
+
+4) Can a Denial-of-Service be triggered?
+
+There are no known ways that an unprivileged guest can prevent a live
+patch from being loaded.
+Once again, there is a caveat that an incorrect live patch can introduce
+an arbitrary denial of service.
diff --git a/xen/common/Kconfig b/xen/common/Kconfig
index dc8e876..876086c 100644
--- a/xen/common/Kconfig
+++ b/xen/common/Kconfig
@@ -226,7 +226,7 @@ config CRYPTO
 	bool
 
 config LIVEPATCH
-	bool "Live patching support (TECH PREVIEW)"
+	bool "Live patching support"
 	default n
 	depends on HAS_BUILD_ID = "y"
 	---help---