This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


Re: [Xen-users] RAM security

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] RAM security
From: Felix Kuperjans <felix@xxxxxxxxxxxxxxxxxx>
Date: Mon, 06 Dec 2010 18:20:47 +0100
Delivery-date: Mon, 06 Dec 2010 09:21:59 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <46C13AA90DB8844DAB79680243857F0F0AFF44@xxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References: <46C13AA90DB8844DAB79680243857F0F0AFF44@xxxxxxxxxxxxxxxxxxx>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20101105 Thunderbird/3.1.6
If you enable the "Scrub RAM before freeing it to XEN" option in your DomU kernel, memory is always overwritten with (I assume random) data before the pages are returned to the pool of free memory. This should also apply to memory freed by shrinking operations (xm mem-set ...) and of course on DomU shutdown.

You should always enable this option, because cryptographic keys, private data etc. would otherwise remain in XEN's memory until either another DomU gets it (and can read it) or the Dom0 shuts down (a reboot sometimes even preserves RAM, but the hypervisor scrubs all RAM which is not assigned to the Dom0, to prevent readable traces after hard resets etc.).

With correct kernel configuration, the DomU memory should be totally safe.

On 06.12.2010 11:17, Jonathan Tripathy wrote:

Hi Everyone,

In Xen, is a DomU able to access data in RAM which a previous DomU has stored in the past, but didn't "zero" it?

I understand that this is a problem with physical disks (using phy:/); I'm just wondering if the same holds for RAM.


_______________________________________________ Xen-users mailing list Xen-users@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-users
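The reply above says to always enable page scrubbing in the DomU kernel and notes that the hypervisor scrubs unassigned RAM at boot. The script below is an added example, not code from this thread or from the Xen project, that audits both settings on a running guest or Dom0. It assumes (none of this is stated in the thread) that the Linux option is named CONFIG_XEN_SCRUB_PAGES on older kernels and CONFIG_XEN_SCRUB_PAGES_DEFAULT on 4.19 and later, that newer kernels expose a runtime switch at /sys/devices/system/xen_memory/xen_memory0/scrub_pages, and that the hypervisor's boot-time scrub is controlled by "bootscrub=" on the Xen command line, which `xl dmesg` (or `xm dmesg`) prints as "(XEN) Command line: ...". Every check degrades to "unknown" when its source is missing, so it can be run anywhere.

```shell
#!/bin/sh
# Added example for this thread (not code from the original post or from Xen):
# audit whether freed DomU pages are scrubbed before they go back to the
# hypervisor, and whether the hypervisor scrubs free memory at boot.
#
# Assumed, not stated on the page:
#   - Linux names the DomU option CONFIG_XEN_SCRUB_PAGES (older kernels) or
#     CONFIG_XEN_SCRUB_PAGES_DEFAULT (4.19 and later);
#   - newer kernels expose a runtime switch at
#     /sys/devices/system/xen_memory/xen_memory0/scrub_pages (1 = scrub);
#   - the hypervisor's boot scrub is controlled by "bootscrub=" on the Xen
#     command line, which `xl dmesg` / `xm dmesg` echo as "(XEN) Command line: ...".

# scrub_config_status FILE  -> "on", "off" or "unknown"
# FILE is an uncompressed kernel .config (e.g. /boot/config-$(uname -r)).
scrub_config_status() {
    cfg="$1"
    if grep -q -E '^CONFIG_XEN_SCRUB_PAGES(_DEFAULT)?=y$' "$cfg"; then
        echo on
    elif grep -q -E '^# CONFIG_XEN_SCRUB_PAGES(_DEFAULT)? is not set$' "$cfg"; then
        echo off
    else
        echo unknown   # option absent: not a Xen-enabled kernel, or a different option name
    fi
}

# scrub_sysfs_status FILE  -> "on", "off" or "unknown"
# FILE is the runtime knob; on kernels that have it, it overrides the compile-time default.
scrub_sysfs_status() {
    knob="$1"
    [ -r "$knob" ] || { echo unknown; return; }
    case "$(cat "$knob")" in
        1) echo on ;;
        0) echo off ;;
        *) echo unknown ;;
    esac
}

# xen_cmdline TEXT  -> the hypervisor command line extracted from `xl dmesg` output
xen_cmdline() {
    printf '%s\n' "$1" | sed -n 's/^(XEN) Command line: *//p' | head -n 1
}

# bootscrub_status CMDLINE  -> "on" (Xen's default), "off" or "idle"
bootscrub_status() {
    case " $1 " in
        *" bootscrub=false "*|*" bootscrub=no "*|*" bootscrub=off "*|*" bootscrub=0 "*|*" no-bootscrub "*) echo off ;;
        *" bootscrub=idle "*) echo idle ;;
        *) echo on ;;
    esac
}

# Live audit on a running DomU / Dom0; each check reports "unknown" when its
# source is missing, so the script is safe to run on any host.
audit_live() {
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then
        echo "DomU kernel config:  $(scrub_config_status "$cfg")"
    elif [ -r /proc/config.gz ]; then
        tmp=$(mktemp); zcat /proc/config.gz > "$tmp"
        echo "DomU kernel config:  $(scrub_config_status "$tmp")"; rm -f "$tmp"
    else
        echo "DomU kernel config:  unknown (no .config found)"
    fi
    echo "DomU runtime knob:   $(scrub_sysfs_status /sys/devices/system/xen_memory/xen_memory0/scrub_pages)"
    if command -v xl >/dev/null 2>&1; then
        echo "Xen bootscrub:       $(bootscrub_status "$(xen_cmdline "$(xl dmesg 2>/dev/null)")")"
    else
        echo "Xen bootscrub:       unknown (xl not available; run this from Dom0)"
    fi
}

# Usage: sh scrub-audit.sh --audit   (the functions alone are sourced when no flag is given)
if [ "${1:-}" = "--audit" ]; then
    audit_live
fi
```

Run it inside a DomU to check the kernel side and from Dom0 to check the hypervisor side; a result of "off" for the kernel config, or "off" for bootscrub, is exactly the situation the reply warns about, since freed pages would then be handed to the next guest with their old contents intact.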