From patchwork Wed Jul 26 19:47:56 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Konrad Rzeszutek Wilk X-Patchwork-Id: 9865737 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 442206038F for ; Wed, 26 Jul 2017 19:51:11 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 36910281E1 for ; Wed, 26 Jul 2017 19:51:11 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2B5442866C; Wed, 26 Jul 2017 19:51:11 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.6 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED,RCVD_IN_SORBS_SPAM,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 2DF65287A1 for ; Wed, 26 Jul 2017 19:51:10 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1daSIe-0008WN-7v; Wed, 26 Jul 2017 19:48:52 +0000 Received: from mail6.bemta5.messagelabs.com ([195.245.231.135]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1daSId-0008W8-Kr for xen-devel@lists.xenproject.org; Wed, 26 Jul 2017 19:48:51 +0000 Received: from [85.158.139.211] by server-15.bemta-5.messagelabs.com id F9/18-01736-222F8795; Wed, 26 Jul 2017 19:48:50 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrHIsWRWlGSWpSXmKPExsVyMfTOOl3FTxW RBq/eslp83zKZyYHR4/CHKywBjFGsmXlJ+RUJrBmT3gsW3Naq6P7/mLGBca5yFyMXh5DALEaJ iZMvM4E4LAIfWCSm79zBBuJICExjlfi5dRJzFyMnkBMn8e7PYzYIu0ri4NbLrCC2kICSxJbJj xkhRj1nkliw+j87SEJYQE9i8rfbjCA2m4C+xNO118AGiQjkSXTtbwCzmYHsp1uXskDU+0tsuL sPbAGLgKrEh6ZusBpeATOJee3roY6Ql5jYOw1sJqeAucT7Z8+YII4wk+i+18w4gVFwASPDKka N4tSistQiXUMzvaSizPSMktzEzBxdQwNTvdzU4uLE9NScxKRiveT83E2MwJBjAIIdjOdPex5i lORgUhLlnWRaESnEl5SfUpmRWJwRX1Sak1p8iFGGg0NJgvffB6CcYFFqempFWmYOMPhh0hIcP EoivHofgdK8xQWJucWZ6RCpU4z2HFeurPvCxDHlwHYg+WrC/29MHE3fP35nEmLJy89LlRLnfQ QyVQCkLaM0D24oLFovMcpKCfMyAp0pxFOQWpSbWYIq/4pRnINRSZhXHWQ5T2ZeCdzuV0BnMQG dNWdGKchZJYkIKakGxjm7JwnXnppq9Gxnx2Uu1vNWdhYe3E+C94uFJD6pDGbWNAkRfjdhr9UR /vcBzyQT1ysJsKq+vsi7pK5/d5v2LZ4V962zda2Xzf59n2N1d8ZUGyn/RAdm/Q2BU2fePPqa1 bpfK6jTqVlp+aHmwJ0Vr8SUotv2VzwuZ3h+L/indlVMwwLvqR/qlFiKMxINtZiLihMB2G3Sit ECAAA= X-Env-Sender: ketuzsezr@gmail.com X-Msg-Ref: server-2.tower-206.messagelabs.com!1501098528!84059915!1 X-Originating-IP: [209.85.220.174] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 9.4.25; banners=-,-,- X-VirusChecked: Checked Received: (qmail 50372 invoked from network); 26 Jul 2017 19:48:48 -0000 Received: from mail-qk0-f174.google.com (HELO mail-qk0-f174.google.com) (209.85.220.174) by server-2.tower-206.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 26 Jul 2017 19:48:48 -0000 Received: by mail-qk0-f174.google.com with SMTP id x191so25435539qka.5 for ; Wed, 26 Jul 2017 12:48:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references; bh=fY497ctxr6ywS4F7PNbvDam3o+hso+aISzuhveqYmkY=; b=G/iwroCYEu2U1XXo2Tsti1GP0nCxZc46LS9b5VxMjvBvSvtHWItYpuVzTtC7HprMoA unLJa54ugBAWHb47nlc+MGCORmhEiGXv2x9Oxat/LoHyp56lEASZ+VsvaQTj1hWLxJ4W KItf3NhwaYDJjNqvNFhCt+6XE9ddB+Xev2zVHwY/te7AYaW3p7IqfK/ecleRe+FOIXdw 84Yu2iltedB0sHgoFSJDBcXGSyu5dDamgqgtXHc/v4WU/gU4heERYSjo/qLOatK7uE30 4KWPF96TNyl+yL5Q0Rrbclg+hRfTtVscNidtofH12z43sqhRcE87N9x7bPYBOPBemiHU XRJg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references; bh=fY497ctxr6ywS4F7PNbvDam3o+hso+aISzuhveqYmkY=; b=ArIb9CBEXiDp7gUD+zaRTHb7Fs40aT6mvGAiM/Z+JBwRIZRTU6FjQbypWcxe29b/Ou InnOiKrs5rYaG7s7t3XHazY7Ohd2jQvDN3arlvcz4dwtQfZ4fK87Z+1SjZ0W7y8aYUDo WFICcuK6tYi8biLJODIJAfQMhpY1rWKfRLEvNdPlkeZfE5hQlf4CYkFCaOsv3Pba+aZq Ox7JyG0Q3Up8pwIjV3o8Qnizxyhxsp9qtqjHrAt/sINMdY9oQP6M4sqGqC80wU3GGa+d Hc3l0+O3RHU9p80uTLK/e+IPjf1upuP6Mnkb/CG3gPlzVVvVI4uz61mAKbdA1l8XvTka YhYA== X-Gm-Message-State: AIVw111/qWpzJLax11WE4L1lLbz5/EfEnB39CeeaVCNw3JbTYIwaEnzA rvMCLXYzuqr1V9Rn X-Received: by 10.55.215.217 with SMTP id t86mr2682135qkt.251.1501098527496; Wed, 26 Jul 2017 12:48:47 -0700 (PDT) Received: from dhcp-amer-vpn-adc-anyconnect-10-154-174-211.vpn.oracle.com (209-6-200-48.s4398.c3-0.smr-ubr2.sbo-smr.ma.cable.rcncustomer.com. [209.6.200.48]) by smtp.gmail.com with ESMTPSA id m22sm13305504qtm.15.2017.07.26.12.48.45 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 26 Jul 2017 12:48:46 -0700 (PDT) From: Konrad Rzeszutek Wilk To: xen-devel@lists.xenproject.org, julien.grall@arm.com, sstabellini@kernel.org, andrew.cooper3@citrix.com Date: Wed, 26 Jul 2017 15:47:56 -0400 Message-Id: <20170726194756.20265-6-konrad@kernel.org> X-Mailer: git-send-email 2.13.3 In-Reply-To: <20170726194756.20265-1-konrad@kernel.org> References: <20170726194756.20265-1-konrad@kernel.org> Cc: Ross Lagerwall , jbeulich@suse.com, Konrad Rzeszutek Wilk Subject: [Xen-devel] [PATCH v2 5/5] livepatch: Declare live patching as a supported feature X-BeenThere: xen-devel@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: xen-devel-bounces@lists.xen.org Sender: "Xen-devel" X-Virus-Scanned: ClamAV using ClamSMTP From: Ross Lagerwall See docs/features/livepatch.pandoc for the details. Signed-off-by: Ross Lagerwall Signed-off-by: Konrad Rzeszutek Wilk Reviewed-by: Jan Beulich --- v2: - Moved it into a feature document. - Clarified a few bits and pieces based on feedback. v3: - default X86 --- docs/features/livepatch.pandoc | 103 +++++++++++++++++++++++++++++++++++++++++ xen/common/Kconfig | 4 +- 2 files changed, 105 insertions(+), 2 deletions(-) create mode 100644 docs/features/livepatch.pandoc diff --git a/docs/features/livepatch.pandoc b/docs/features/livepatch.pandoc new file mode 100644 index 0000000000..faaf2d1e77 --- /dev/null +++ b/docs/features/livepatch.pandoc @@ -0,0 +1,103 @@ +% Live Patching +% Revision 1 + +\clearpage + +# Basics + +---------------- ---------------------------------------------------- + Status: **Supported** + + Architecture: x86 + + Component: Hypervisor, toolstack +---------------- ---------------------------------------------------- + + +# Details + +Xen Live Patching has been available as tech preview feature since Xen +4.7 and has now had a couple of releases to stabilize. Xen Live patching +has been used by multiple vendors to fix several real-world security +issues without any severe bugs encountered. Additionally, there are now +tests in OSSTest that test live patching to ensure that no regressions +are introduced. + +Based on the amount of testing and usage it has had, we are ready to +declare live patching as a 'Supported' feature on x86. + +Live patching is slightly peculiar when it comes to support because it +allows the host administrator to break their system rather easily +depending on the content of the live patch. Because of this, it is +worth detailing the scope of security support: + +1) Unprivileged access to live patching operations: + Live patching operations should only be accessible to privileged + guests and it shall be treated as a security issue if this is not + the case. + +2) Bugs in the patch-application code such that vulnerabilities exist + after application: + If a correct live patch is loaded but it is not applied correctly + such that it might result in an insecure system (e.g. not all + functions are patched), it shall be treated as a security issue. + +3) Bugs in livepatch-build-tools creating an incorrect live patch that + results in an insecure host: + If livepatch-build-tools creates an incorrect live patch that + results in an insecure host, this shall not be considered a security + issue. There are too many OSes and toolchains to consider supporting + this. A live patch should be checked to verify that it is valid + before loading. + +4) Loading an incorrect live patch that results in an insecure host or + host crash: + If a live patch (whether created using livepatch-build-tools or some + alternative) is loaded and it results in an insecure host or host + crash due to the content of the live patch being incorrect or the + issue being inappropriate to live patch, this is not considered as a + security issue. + +5) Bugs in the live patch parsing code (the ELF loader): + Bugs in the live patch parsing code such as out-of-bounds reads + caused by invalid ELF files are not considered to be security issues + because the it can only be triggered by a privileged domain. + +6) Bugs which allow a guest to prevent the application of a livepatch: + A guest should not be able to prevent the application of a live + patch. If an unprivileged guest can somehow prevent the application + of a live patch despite pausing it (xl pause ...), it shall be + treated as a security issue. + +Note: It is expected that live patches are tested in a test environment +before being used in production to avoid unexpected issues. In +particular, to avoid the issues described by (3), (4), & (5). + +There are also some generic security questions which are worth asking: + +1) Is guest->host privilege escalation possible? + +The new live patching sysctl subops are only accessible to privileged +domains and this is tested by OSSTest with an XTF test. +There is a caveat -- an incorrect live patch can introduce a guest->host +privilege escalation. + +2) Is guest user->guest kernel escalation possible? + +No, although an incorrect live patch can introduce a guest user->guest +kernel privilege escalation. + +3) Is there any information leakage? + +The new live patching sysctl subops are only accessible to privileged +domains so it is not possible for an unprivileged guest to access the +list of loaded live patches. This is tested by OSSTest with an XTF test. +There is a caveat -- an incorrect live patch can introduce an +information leakage. + +4) Can a Denial-of-Service be triggered? + +There are no known ways that an unprivileged guest can prevent a live +patch from being loaded. +Once again, there is a caveat that an incorrect live patch can introduce +an arbitrary denial of service. diff --git a/xen/common/Kconfig b/xen/common/Kconfig index dc8e876439..e9bb849298 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -226,8 +226,8 @@ config CRYPTO bool config LIVEPATCH - bool "Live patching support (TECH PREVIEW)" - default n + bool "Live patching support" + default X86 depends on HAS_BUILD_ID = "y" ---help--- Allows a running Xen hypervisor to be dynamically patched using