From patchwork Mon Jul 3 14:54:15 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ross Lagerwall X-Patchwork-Id: 9823483 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id A59EB60246 for ; Mon, 3 Jul 2017 14:57:06 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 968692823D for ; Mon, 3 Jul 2017 14:57:06 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8AB6D284F7; Mon, 3 Jul 2017 14:57:06 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1 Received: from lists.xenproject.org (lists.xenproject.org [192.237.175.120]) (using TLSv1.2 with cipher AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id BC47A2823D for ; Mon, 3 Jul 2017 14:57:05 +0000 (UTC) Received: from localhost ([127.0.0.1] helo=lists.xenproject.org) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dS2kT-0002qQ-22; Mon, 03 Jul 2017 14:54:49 +0000 Received: from mail6.bemta3.messagelabs.com ([195.245.230.39]) by lists.xenproject.org with esmtp (Exim 4.84_2) (envelope-from ) id 1dS2kS-0002qE-2j for xen-devel@lists.xen.org; Mon, 03 Jul 2017 14:54:48 +0000 Received: from [85.158.137.68] by server-13.bemta-3.messagelabs.com id 6F/75-01862-7BA5A595; Mon, 03 Jul 2017 14:54:47 +0000 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmpgkeJIrShJLcpLzFFi42JxWrrBXndbVFS kwYtLGhZLPi5mcWD0OLr7N1MAYxRrZl5SfkUCa8asu31sBcu1Khad28HSwPhJqYuRk0NCwF/i +Nb5TCA2m4CBxK1L35lBbBEBWYnVXXPYuxi5OJgFpjJL3Pl/FaxIWMBb4u7S94wgNouAisSBk w9YQGxeATuJSwc/skMMlZNYuv062CAhATWJt8vPQNUISpyc+QTMZhaQkDj44gXzBEbuWUhSs5 CkFjAyrWLUKE4tKkst0jUy1UsqykzPKMlNzMzRNTQw1stNLS5OTE/NSUwq1kvOz93ECAyHegY Gxh2MrSf8DjFKcjApifK63oyMFOJLyk+pzEgszogvKs1JLT7EKMPBoSTB+zgyKlJIsCg1PbUi LTMHGJgwaQkOHiUR3i2GQGne4oLE3OLMdIjUKUZjjlUzf35j4ng14f83JiGWvPy8VClx3k0gk wRASjNK8+AGwSLmEqOslDAvIwMDgxBPQWpRbmYJqvwrRnEORiVhXtUIoCk8mXklcPteAZ3CBH RKQ08EyCkliQgpqQbG/Hjr0ABuA5vv124fvtN+QnQnp4BL/i1tHWGpw9od4kUtniLJCkZHJZw nPzPZpvmteXLepoPzlb9FZKcULUm/b7d6/+mnXzeLc7166n8w5X312tv6OlyGZ5yak47uPppq ohrYYfrmJkt3m8fk++nbc5lVNNZmNmvwCEs/K11esYwhqu5OMKMSS3FGoqEWc1FxIgDk21ZGk wIAAA== X-Env-Sender: prvs=350516091=ross.lagerwall@citrix.com X-Msg-Ref: server-6.tower-31.messagelabs.com!1499093684!65165609!1 X-Originating-IP: [66.165.176.63] X-SpamReason: No, hits=0.0 required=7.0 tests=sa_preprocessor: VHJ1c3RlZCBJUDogNjYuMTY1LjE3Ni42MyA9PiAzMDYwNDg=\n, received_headers: No Received headers X-StarScan-Received: X-StarScan-Version: 9.4.19; banners=-,-,- X-VirusChecked: Checked Received: (qmail 32079 invoked from network); 3 Jul 2017 14:54:46 -0000 Received: from smtp02.citrix.com (HELO SMTP02.CITRIX.COM) (66.165.176.63) by server-6.tower-31.messagelabs.com with RC4-SHA encrypted SMTP; 3 Jul 2017 14:54:46 -0000 X-IronPort-AV: E=Sophos;i="5.40,303,1496102400"; d="scan'208";a="438674474" From: Ross Lagerwall To: Date: Mon, 3 Jul 2017 15:54:15 +0100 Message-ID: <20170703145415.21184-1-ross.lagerwall@citrix.com> X-Mailer: git-send-email 2.9.4 MIME-Version: 1.0 Cc: Lars Kurth , Stefano Stabellini , George Dunlap , Andrew Cooper , Wei Liu , Ian Jackson , Ross Lagerwall , Julien Grall , Jan Beulich Subject: [Xen-devel] [PATCH v3] livepatch: Declare live patching as a supported feature X-BeenThere: xen-devel@lists.xen.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Xen developer discussion List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Errors-To: xen-devel-bounces@lists.xen.org Sender: "Xen-devel" X-Virus-Scanned: ClamAV using ClamSMTP See docs/features/livepatch.pandoc for the details. Turn live patching on by default on supported platforms (x86). Signed-off-by: Ross Lagerwall Reviewed-by: Konrad Rzeszutek Wilk --- Changed in v3: Default to on for supported platforms (X86). docs/features/livepatch.pandoc | 103 +++++++++++++++++++++++++++++++++++++++++ xen/common/Kconfig | 4 +- 2 files changed, 105 insertions(+), 2 deletions(-) create mode 100644 docs/features/livepatch.pandoc diff --git a/docs/features/livepatch.pandoc b/docs/features/livepatch.pandoc new file mode 100644 index 0000000..faaf2d1 --- /dev/null +++ b/docs/features/livepatch.pandoc @@ -0,0 +1,103 @@ +% Live Patching +% Revision 1 + +\clearpage + +# Basics + +---------------- ---------------------------------------------------- + Status: **Supported** + + Architecture: x86 + + Component: Hypervisor, toolstack +---------------- ---------------------------------------------------- + + +# Details + +Xen Live Patching has been available as tech preview feature since Xen +4.7 and has now had a couple of releases to stabilize. Xen Live patching +has been used by multiple vendors to fix several real-world security +issues without any severe bugs encountered. Additionally, there are now +tests in OSSTest that test live patching to ensure that no regressions +are introduced. + +Based on the amount of testing and usage it has had, we are ready to +declare live patching as a 'Supported' feature on x86. + +Live patching is slightly peculiar when it comes to support because it +allows the host administrator to break their system rather easily +depending on the content of the live patch. Because of this, it is +worth detailing the scope of security support: + +1) Unprivileged access to live patching operations: + Live patching operations should only be accessible to privileged + guests and it shall be treated as a security issue if this is not + the case. + +2) Bugs in the patch-application code such that vulnerabilities exist + after application: + If a correct live patch is loaded but it is not applied correctly + such that it might result in an insecure system (e.g. not all + functions are patched), it shall be treated as a security issue. + +3) Bugs in livepatch-build-tools creating an incorrect live patch that + results in an insecure host: + If livepatch-build-tools creates an incorrect live patch that + results in an insecure host, this shall not be considered a security + issue. There are too many OSes and toolchains to consider supporting + this. A live patch should be checked to verify that it is valid + before loading. + +4) Loading an incorrect live patch that results in an insecure host or + host crash: + If a live patch (whether created using livepatch-build-tools or some + alternative) is loaded and it results in an insecure host or host + crash due to the content of the live patch being incorrect or the + issue being inappropriate to live patch, this is not considered as a + security issue. + +5) Bugs in the live patch parsing code (the ELF loader): + Bugs in the live patch parsing code such as out-of-bounds reads + caused by invalid ELF files are not considered to be security issues + because the it can only be triggered by a privileged domain. + +6) Bugs which allow a guest to prevent the application of a livepatch: + A guest should not be able to prevent the application of a live + patch. If an unprivileged guest can somehow prevent the application + of a live patch despite pausing it (xl pause ...), it shall be + treated as a security issue. + +Note: It is expected that live patches are tested in a test environment +before being used in production to avoid unexpected issues. In +particular, to avoid the issues described by (3), (4), & (5). + +There are also some generic security questions which are worth asking: + +1) Is guest->host privilege escalation possible? + +The new live patching sysctl subops are only accessible to privileged +domains and this is tested by OSSTest with an XTF test. +There is a caveat -- an incorrect live patch can introduce a guest->host +privilege escalation. + +2) Is guest user->guest kernel escalation possible? + +No, although an incorrect live patch can introduce a guest user->guest +kernel privilege escalation. + +3) Is there any information leakage? + +The new live patching sysctl subops are only accessible to privileged +domains so it is not possible for an unprivileged guest to access the +list of loaded live patches. This is tested by OSSTest with an XTF test. +There is a caveat -- an incorrect live patch can introduce an +information leakage. + +4) Can a Denial-of-Service be triggered? + +There are no known ways that an unprivileged guest can prevent a live +patch from being loaded. +Once again, there is a caveat that an incorrect live patch can introduce +an arbitrary denial of service. diff --git a/xen/common/Kconfig b/xen/common/Kconfig index dc8e876..e9bb849 100644 --- a/xen/common/Kconfig +++ b/xen/common/Kconfig @@ -226,8 +226,8 @@ config CRYPTO bool config LIVEPATCH - bool "Live patching support (TECH PREVIEW)" - default n + bool "Live patching support" + default X86 depends on HAS_BUILD_ID = "y" ---help--- Allows a running Xen hypervisor to be dynamically patched using