From patchwork Wed Sep 20 22:31:48 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Konrad Rzeszutek Wilk X-Patchwork-Id: 9962707 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 856096056A for ; Wed, 20 Sep 2017 22:34:46 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7707D2926F for ; Wed, 20 Sep 2017 22:34:46 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6BEA729276; Wed, 20 Sep 2017 22:34:46 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 4555F29272 for ; Wed, 20 Sep 2017 22:34:43 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dunXY-0007ON-S6; Wed, 20 Sep 2017 22:32:20 +0000 Received: from mail6.bemta6.messagelabs.com ([193.109.254.103]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dunXY-0007N3-04 for xen-devel@lists.xenproject.org; Wed, 20 Sep 2017 22:32:20 +0000 Received: from [193.109.254.147] by server-2.bemta-6.messagelabs.com id 75/AB-00676-37CE2C95; Wed, 20 Sep 2017 22:32:19 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrFIsWRWlGSWpSXmKPExsVyMfTOJt38N4c iDZ5/t7T4vmUykwOjx+EPV1gCGKNYM/OS8isSWDPWTF7MVvBFu+JZ33uWBsbpKl2MXBxCAjMZ JbavWMLUxcjJwSLwgUVi8fIcEFtCYBqrxM0ltRB2lsTtzw1sEHaaxJoPM1kg7AqJ73vesYLYQ gJKElsmP2aEGHqISWLP5f9gDcICehKTv91mBLHZBPQlnq69xtzFyAHU7Cbx6RoXSL2IQDujxO wrv1hB4swCsRJfvopCtAZKvG7dzAJxm6pE0/qlYCN5BWwk/q6fzgxxg7zExN5pYOM5geL7P3U yQ9xjLfFk62m2CYzCCxgZVjFqFKcWlaUW6RoZ6iUVZaZnlOQmZuboGhqY6eWmFhcnpqfmJCYV 6yXn525iBIYnAxDsYPyzLOAQoyQHk5Ior/XLQ5FCfEn5KZUZicUZ8UWlOanFhxhlODiUJHh/v QLKCRalpqdWpGXmACMFJi3BwaMkwrsAJM1bXJCYW5yZDpE6xejKceHOpT9MHAf23AKSHTfvAs lNYHLD9wd/mIRY8vLzUqXEeb+CNAuANGeU5sGNhkX5JUZZKWFeRqBjhXgKUotyM0tQ5V8xinM wKgnzCr4GmsKTmVcCd8EroOOYgI7L3nAA5LiSRISUVAPjIsG41fM/L1JrslP98HFb6MaGtDLe pRqJU9Iaa5bOeDMrfnvWSp8m/c4DVV+SHTZEWP7KaZ9Re1Z6yvGo5HvqAoJXZRv2sB2wELh8e /HfoPA3N96Uf2BtP2x+0qx0l1AS+xLv3sID78RPOJ8q81NXP8L5XSeDlzfh1K0p7bc3OE9Tk7 797uwRJZbijERDLeai4kQASese/+0CAAA= X-Env-Sender: ketuzsezr@gmail.com X-Msg-Ref: server-6.tower-27.messagelabs.com!1505946735!117938033!1 X-Originating-IP: [209.85.220.178] X-SpamReason: No, hits=0.5 required=7.0 tests=BODY_RANDOM_LONG X-StarScan-Received: X-StarScan-Version: 9.4.45; banners=-,-,- X-VirusChecked: Checked Received: (qmail 64785 invoked from network); 20 Sep 2017 22:32:15 -0000 Received: from mail-qk0-f178.google.com (HELO mail-qk0-f178.google.com) (209.85.220.178) by server-6.tower-27.messagelabs.com with AES128-GCM-SHA256 encrypted SMTP; 20 Sep 2017 22:32:15 -0000 Received: by mail-qk0-f178.google.com with SMTP id r141so4205167qke.2 for ; Wed, 20 Sep 2017 15:32:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id:in-reply-to:references; bh=g7C91+c4mSO5cWJ4Z83xkRSybB4iI7PiDNCB8PhD6xE=; b=mYsCdm4nAOdq5ybuDGT8+cAfTNaAnD0DEgS+Jv/90d/dvOEy6gzGW0J8ASq2WEE77X ZpgaGKANa2KEgjfnz0EkI7DaWm+Y4ekRBnOU3Z8AHhImg/NmtuBoWpgJzShD87SWvLiX 9YHGnz9tYsL42m/NDU8HVl4iA9y12la/uzC1GnDoTFNePzviUUE5IEuI+mdv4pA97ih2 +kDc+r/36ek3A1kwsOB82TdfrzekgPMS45v45fiA9n2QLq9q2w9BBqytZSdlUb8/5dQO lKx5f1r6DFHk03LuJSmYgdQOJXTLESRJ49MylnMvlHWsZZif3xg2AmdEbspoG0CVJl6N aekA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id :in-reply-to:references; bh=g7C91+c4mSO5cWJ4Z83xkRSybB4iI7PiDNCB8PhD6xE=; b=cQqJWsyS/u1hRmBKezdOR6z9J7mnoD7DV/7Q6lYObyf3MGKkQRPweEy3VgTN0FjndL f7ZQQj9o8IlMKY2TKxvyzVC2p60GgKAhwXxoSmUxWinTqZPpVrJZRa/NQ3qZsZQRw1xH Dmqhuv+PrKyEna0q7OE5l+C7O3a8PFHkZdyqQWZWqsjLlOa4ytk8/T9hu7Ayos+zRjwQ Gu5cJ7f3jajpL9jgxUskVA2fGNDLGegLbuV/ydXH1IQI8h+LXEdqdli85E+0hPNtG6Jo F3sYs61st1OFroWfZaqtvMKykHUcQZo4MFQoXvJK9KPLFQ14MoZnroG8dUbqLvj5llqF wWJA== X-Gm-Message-State: AHPjjUiXDyIOoYfp/8++ogR02lFtR88HJqmE+eGO6g7of2hT/zJ14Hga HiaoGj37J21+cDYUT+wCeQKiXw== X-Google-Smtp-Source: AOwi7QCwPxDwJbRfv6j22pLTFCYeTQHQ6HcY9RM1uYjOudhL7FHqMbzSZjNn6gPwp2HJEBKYDIup7g== X-Received: by 10.55.102.13 with SMTP id a13mr347525qkc.320.1505946734466; Wed, 20 Sep 2017 15:32:14 -0700 (PDT) Received: from localhost.localdomain (209-6-200-48.s4398.c3-0.smr-ubr2.sbo-smr.ma.cable.rcncustomer.com. [209.6.200.48]) by smtp.gmail.com with ESMTPSA id z192sm2012656qka.91.2017.09.20.15.32.13 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Wed, 20 Sep 2017 15:32:13 -0700 (PDT) From: Konrad Rzeszutek Wilk X-Google-Original-From: Konrad Rzeszutek Wilk To: xen-devel@lists.xenproject.org, ross.lagerwall@citrix.com, konrad.wilk@oracle.com, julien.grall@arm.com, sstabellini@kernel.org Date: Wed, 20 Sep 2017 18:31:48 -0400 Message-Id: <20170920223148.13137-12-konrad.wilk@oracle.com> X-Mailer: git-send-email 2.13.3 In-Reply-To: <20170920223148.13137-1-konrad.wilk@oracle.com> References: <20170920223148.13137-1-konrad.wilk@oracle.com> Cc: andrew.cooper3@citrix.com, jbeulich@suse.com, Konrad Rzeszutek Wilk Subject: [Xen-devel] [PATCH v4 11/11] livepatch: Declare live patching as a supported feature X-BeenThere: xen-devel@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: xen-devel-bounces@lists.xen.org Sender: "Xen-devel" X-Virus-Scanned: ClamAV using ClamSMTP From: Ross Lagerwall See docs/features/livepatch.pandoc for the details. Reviewed-by: Jan Beulich Signed-off-by: Ross Lagerwall Signed-off-by: Konrad Rzeszutek Wilk --- v2: - Moved it into a feature document. - Clarified a few bits and pieces based on feedback. v3: - default X86 - added Jan's Reviewed-by - Added tech preview for ARM. - Cut down the 3) paragraph per George's input --- docs/features/livepatch.pandoc | 106 +++++++++++++++++++++++++++++++++++++++++ xen/common/Kconfig | 4 +- 2 files changed, 108 insertions(+), 2 deletions(-) create mode 100644 docs/features/livepatch.pandoc diff --git a/docs/features/livepatch.pandoc b/docs/features/livepatch.pandoc new file mode 100644 index 0000000000..17f1cd0d05 --- /dev/null +++ b/docs/features/livepatch.pandoc @@ -0,0 +1,106 @@ +% Live Patching +% Revision 1 + +\clearpage + +# Basics + +---------------- ---------------------------------------------------- + Status: **Supported** + + Architecture: x86 + + Status: **Tech Preview/Experimental** + + Architecture: ARM + + Component: Hypervisor, toolstack +---------------- ---------------------------------------------------- + + +# Details + +Xen Live Patching has been available as tech preview feature since Xen +4.7 and has now had a couple of releases to stabilize. Xen Live patching +has been used by multiple vendors to fix several real-world security +issues without any severe bugs encountered. Additionally, there are now +tests in OSSTest that test live patching to ensure that no regressions +are introduced. + +Based on the amount of testing and usage it has had, we are ready to +declare live patching as a 'Supported' feature on x86. + +Live patching is slightly peculiar when it comes to support because it +allows the host administrator to break their system rather easily +depending on the content of the live patch. Because of this, it is +worth detailing the scope of security support: + +1) Unprivileged access to live patching operations: + Live patching operations should only be accessible to privileged + guests and it shall be treated as a security issue if this is not + the case. + +2) Bugs in the patch-application code such that vulnerabilities exist + after application: + If a correct live patch is loaded but it is not applied correctly + such that it might result in an insecure system (e.g. not all + functions are patched), it shall be treated as a security issue. + +3) Bugs in livepatch-build-tools creating an incorrect live patch that + results in an insecure host: + If livepatch-build-tools creates an incorrect live patch that + results in an insecure host, this shall not be considered a security + issue. A live patch should be checked to verify that it is valid + before loading. + +4) Loading an incorrect live patch that results in an insecure host or + host crash: + If a live patch (whether created using livepatch-build-tools or some + alternative) is loaded and it results in an insecure host or host + crash due to the content of the live patch being incorrect or the + issue being inappropriate to live patch, this is not considered as a + security issue. + +5) Bugs in the live patch parsing code (the ELF loader): + Bugs in the live patch parsing code such as out-of-bounds reads + caused by invalid ELF files are not considered to be security issues + because the it can only be triggered by a privileged domain. + +6) Bugs which allow a guest to prevent the application of a livepatch: + A guest should not be able to prevent the application of a live + patch. If an unprivileged guest can somehow prevent the application + of a live patch despite pausing it (xl pause ...), it shall be + treated as a security issue. + +Note: It is expected that live patches are tested in a test environment +before being used in production to avoid unexpected issues. In +particular, to avoid the issues described by (3), (4), & (5). + +There are also some generic security questions which are worth asking: + +1) Is guest->host privilege escalation possible? + +The new live patching sysctl subops are only accessible to privileged +domains and this is tested by OSSTest with an XTF test. +There is a caveat -- an incorrect live patch can introduce a guest->host +privilege escalation. + +2) Is guest user->guest kernel escalation possible? + +No, although an incorrect live patch can introduce a guest user->guest +kernel privilege escalation. + +3) Is there any information leakage? + +The new live patching sysctl subops are only accessible to privileged +domains so it is not possible for an unprivileged guest to access the +list of loaded live patches. This is tested by OSSTest with an XTF test. +There is a caveat -- an incorrect live patch can introduce an +information leakage. + +4) Can a Denial-of-Service be triggered? + +There are no known ways that an unprivileged guest can prevent a live +patch from being loaded. +Once again, there is a caveat that an incorrect live patch can introduce +an arbitrary denial of service. diff --git a/xen/common/Kconfig b/xen/common/Kconfig index dc8e876439..e9bb849298 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -226,8 +226,8 @@ config CRYPTO bool config LIVEPATCH - bool "Live patching support (TECH PREVIEW)" - default n + bool "Live patching support" + default X86 depends on HAS_BUILD_ID = "y" ---help--- Allows a running Xen hypervisor to be dynamically patched using