[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH] mm/page_alloc: always scrub pages given to the allocator

To: "JBeulich@xxxxxxxx" <JBeulich@xxxxxxxx>, Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>
From: Sergey Dyasli <sergey.dyasli@xxxxxxxxxx>
Date: Mon, 1 Oct 2018 14:11:54 +0000
Accept-language: en-GB, en-US
Cc: Sergey Dyasli <sergey.dyasli@xxxxxxxxxx>, "Tim \(Xen.org\)" <tim@xxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxx>, "xen-devel@xxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxx>, "julien.grall@xxxxxxx" <julien.grall@xxxxxxx>, "boris.ostrovsky@xxxxxxxxxx" <boris.ostrovsky@xxxxxxxxxx>
Delivery-date: Mon, 01 Oct 2018 14:13:38 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
Thread-index: AQHUWW1KY8ZEFh35qkqDwmC1A9MqYaUKGx2AgAAhdICAAAcQAIAACWYA
Thread-topic: [PATCH] mm/page_alloc: always scrub pages given to the allocator

On Mon, 2018-10-01 at 07:38 -0600, Jan Beulich wrote:
> > > > On 01.10.18 at 15:12, <andrew.cooper3@xxxxxxxxxx> wrote:
> > 
> > On 01/10/18 12:13, Jan Beulich wrote:
> > > > > > On 01.10.18 at 11:58, <sergey.dyasli@xxxxxxxxxx> wrote:
> > > > 
> > > > Having the allocator return unscrubbed pages is a potential security
> > > > concern: some domain can be given pages with memory contents of another
> > > > domain. This may happen, for example, if a domain voluntarily releases
> > > > its own memory (ballooning being the easiest way for doing this).
> > > 
> > > And we've always said that in this case it's the domain's responsibility
> > > to scrub the memory of secrets it cares about. Therefore I'm at the
> > > very least missing some background on this change of expectations.
> > 
> > You were on the call when this was discussed, along with the synchronous
> > scrubbing in destroydomain.
> 
> Quite possible, but it has been a while.
> 
> > Put simply, the current behaviour is not good enough for a number of
> > security sensitive usecases.
> 
> Well, I'm looking forward for Sergey to expand on this in the commit
> message.

Jan,

I think this is the main argument here: what to do about those security
sensitive use cases? Scrubbing everything unconditionally might be a too
radical approach. Would inroducing a new cmdline param be appropriate?

> 
> > The main reason however for doing this is the optimisations it enables,
> > and in particular, not double scrubbing most of our pages.
> 
> Well, wait - scrubbing != zeroing (taking into account also what you
> say further down).

Andrew,

I'm not yet convinced myself about the value that returning always zeroed
pages from the allocator provides. Most of the pages are given to guests
anyway, and re-zeroing a few pages in the hypervisor doesn't sound
too bad. But maybe I'm just not aware of cases where Xen performs large
allocations and zeroes them afterwards?

-- 
Thanks,
Sergey
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

Follow-Ups:
- Re: [Xen-devel] [PATCH] mm/page_alloc: always scrub pages given to the allocator
  - From: Jan Beulich

References:
- [Xen-devel] [PATCH] mm/page_alloc: always scrub pages given to the allocator
  - From: Sergey Dyasli
- Re: [Xen-devel] [PATCH] mm/page_alloc: always scrub pages given to the allocator
  - From: Jan Beulich
- Re: [Xen-devel] [PATCH] mm/page_alloc: always scrub pages given to the allocator
  - From: Andrew Cooper
- Re: [Xen-devel] [PATCH] mm/page_alloc: always scrub pages given to the allocator
  - From: Jan Beulich

Prev by Date: Re: [Xen-devel] [PATCH v2] xen/vsprintf: Introduce %pd formatter for domains
Next by Date: Re: [Xen-devel] [PATCH v9] new config option vtsc_tolerance_khz to avoid TSC emulation
Previous by thread: Re: [Xen-devel] [PATCH] mm/page_alloc: always scrub pages given to the allocator
Next by thread: Re: [Xen-devel] [PATCH] mm/page_alloc: always scrub pages given to the allocator
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.