From patchwork Tue Sep 12 00:37:19 2017
X-Patchwork-Submitter: Konrad Rzeszutek Wilk
X-Patchwork-Id: 9948233
From: Konrad Rzeszutek Wilk
To: xen-devel@lists.xenproject.org, ross.lagerwall@citrix.com, konrad.wilk@oracle.com, julien.grall@arm.com, sstabellini@kernel.org
Cc: andrew.cooper3@citrix.com, jbeulich@suse.com, Konrad Rzeszutek Wilk
Date: Mon, 11 Sep 2017 20:37:19 -0400
Message-Id: <20170912003726.368-11-konrad.wilk@oracle.com>
In-Reply-To: <20170912003726.368-1-konrad.wilk@oracle.com>
References: <20170912003726.368-1-konrad.wilk@oracle.com>
Subject: [Xen-devel] [PATCH v3 10/17] livepatch: Declare live patching as a supported feature

From: Ross Lagerwall

See docs/features/livepatch.pandoc for the details.

Reviewed-by: Jan Beulich
Signed-off-by: Ross Lagerwall
Signed-off-by: Konrad Rzeszutek Wilk
---
v2:
 - Moved it into a feature document.
 - Clarified a few bits and pieces based on feedback.
v3:
 - default X86
 - added Jan's Reviewed-by
 - Added tech preview for ARM.
 - Cut down the 3) paragraph per George's input
---
 docs/features/livepatch.pandoc | 106 +++++++++++++++++++++++++++++++++++++++++
 xen/common/Kconfig             |   4 +-
 2 files changed, 108 insertions(+), 2 deletions(-)
 create mode 100644 docs/features/livepatch.pandoc

diff --git a/docs/features/livepatch.pandoc b/docs/features/livepatch.pandoc new file mode 100644 index 0000000000..17f1cd0d05 --- /dev/null +++ b/docs/features/livepatch.pandoc
@@ -0,0 +1,106 @@ +% Live Patching +% Revision 1 + +\clearpage + +# Basics + +---------------- ---------------------------------------------------- + Status: **Supported** + + Architecture: x86 + + Status: **Tech Preview/Experimental** + + Architecture: ARM + + Component: Hypervisor, toolstack +---------------- ---------------------------------------------------- + + +# Details + +Xen Live Patching has been available as tech preview feature since Xen +4.7 and has now had a couple of releases to stabilize. Xen Live patching +has been used by multiple vendors to fix several real-world security +issues without any severe bugs encountered. Additionally, there are now +tests in OSSTest that test live patching to ensure that no regressions +are introduced. + +Based on the amount of testing and usage it has had, we are ready to +declare live patching as a 'Supported' feature on x86. + +Live patching is slightly peculiar when it comes to support because it +allows the host administrator to break their system rather easily +depending on the content of the live patch. Because of this, it is +worth detailing the scope of security support: + +1) Unprivileged access to live patching operations: + Live patching operations should only be accessible to privileged + guests and it shall be treated as a security issue if this is not + the case. + +2) Bugs in the patch-application code such that vulnerabilities exist + after application: + If a correct live patch is loaded but it is not applied correctly + such that it might result in an insecure system (e.g. not all + functions are patched), it shall be treated as a security issue. + +3) Bugs in livepatch-build-tools creating an incorrect live patch that + results in an insecure host: + If livepatch-build-tools creates an incorrect live patch that + results in an insecure host, this shall not be considered a security + issue. A live patch should be checked to verify that it is valid + before loading. 
+ +4) Loading an incorrect live patch that results in an insecure host or + host crash: + If a live patch (whether created using livepatch-build-tools or some + alternative) is loaded and it results in an insecure host or host + crash due to the content of the live patch being incorrect or the + issue being inappropriate to live patch, this is not considered as a + security issue. + +5) Bugs in the live patch parsing code (the ELF loader): + Bugs in the live patch parsing code such as out-of-bounds reads + caused by invalid ELF files are not considered to be security issues + because the it can only be triggered by a privileged domain. + +6) Bugs which allow a guest to prevent the application of a livepatch: + A guest should not be able to prevent the application of a live + patch. If an unprivileged guest can somehow prevent the application + of a live patch despite pausing it (xl pause ...), it shall be + treated as a security issue. + +Note: It is expected that live patches are tested in a test environment +before being used in production to avoid unexpected issues. In +particular, to avoid the issues described by (3), (4), & (5). + +There are also some generic security questions which are worth asking: + +1) Is guest->host privilege escalation possible? + +The new live patching sysctl subops are only accessible to privileged +domains and this is tested by OSSTest with an XTF test. +There is a caveat -- an incorrect live patch can introduce a guest->host +privilege escalation. + +2) Is guest user->guest kernel escalation possible? + +No, although an incorrect live patch can introduce a guest user->guest +kernel privilege escalation. + +3) Is there any information leakage? + +The new live patching sysctl subops are only accessible to privileged +domains so it is not possible for an unprivileged guest to access the +list of loaded live patches. This is tested by OSSTest with an XTF test. 
+There is a caveat -- an incorrect live patch can introduce an +information leakage. + +4) Can a Denial-of-Service be triggered? + +There are no known ways that an unprivileged guest can prevent a live +patch from being loaded. +Once again, there is a caveat that an incorrect live patch can introduce +an arbitrary denial of service. diff --git a/xen/common/Kconfig b/xen/common/Kconfig index dc8e876439..e9bb849298 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -226,8 +226,8 @@ config CRYPTO bool config LIVEPATCH - bool "Live patching support (TECH PREVIEW)" - default n + bool "Live patching support" + default X86 depends on HAS_BUILD_ID = "y" ---help--- Allows a running Xen hypervisor to be dynamically patched using
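Review bot: scope item 6 in docs/features/livepatch.pandoc says an unprivileged guest must not be able to prevent the application of a live patch, while generic question 4 answers in terms of preventing a live patch from being loaded; the document itself separates the two steps in item 2 ("loaded but it is not applied correctly"), so item 6 and question 4 should use the same term, or question 4 should cover both loading and application. Related to that, the rationale in item 5 (ELF-loader bugs such as out-of-bounds reads are not security issues because only a privileged domain can reach the loader) holds only as long as item 1 holds, so a cross-reference to item 1 there would make the dependency explicit. Two smaller points in the same hunk: the Basics table has two "Status:" rows and two "Architecture:" rows with nothing tying each status to its architecture, so the rendered table does not show which status belongs to x86 and which to ARM; a row per architecture such as "Status, x86: Supported" and "Status, ARM: Tech Preview/Experimental" would fix that. And item 5 has a stray article in "because the it can only be triggered by a privileged domain"; drop "the".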
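Review bot: in the xen/common/Kconfig hunk, dropping "(TECH PREVIEW)" from the prompt removes the qualifier for every architecture, but the feature document added by this same patch keeps ARM at Tech Preview/Experimental. "default X86" only expresses that the option is enabled by default on x86; it does not tell someone configuring an ARM build that the feature is still tech preview there. Consider stating in the "---help---" text that follows that live patching is supported on x86 and tech preview on ARM, so the Kconfig text and docs/features/livepatch.pandoc agree.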