
Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests


  • To: Doug Goldstein <cardoe@xxxxxxxxxx>
  • From: George Dunlap <george.dunlap@xxxxxxxxxx>
  • Date: Mon, 13 Jan 2020 12:51:30 +0000
  • Cc: Sergey Dyasli <sergey.dyasli@xxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Julien Grall <julien@xxxxxxx>, Wei Liu <wl@xxxxxxx>, Konrad Rzeszutek Wilk <konrad.wilk@xxxxxxxxxx>, Andrew Cooper <Andrew.Cooper3@xxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxx>, Jan Beulich <jbeulich@xxxxxxxx>, Ian Jackson <Ian.Jackson@xxxxxxxxxx>, Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
  • Delivery-date: Mon, 13 Jan 2020 12:52:15 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 1/12/20 6:26 PM, Doug Goldstein wrote:
> On 1/11/20 3:02 AM, George Dunlap wrote:
>>
>>
>>> On Jan 11, 2020, at 4:02 AM, Doug Goldstein <cardoe@xxxxxxxxxx> wrote:
>>>
>>>
>>>
>>> On 1/10/20 4:37 AM, Sergey Dyasli wrote:
>>>> Hide the following information that can help identify the running Xen
>>>> binary version: XENVER_extraversion, XENVER_compile_info,
>>>> XENVER_changeset.
>>>> Add explicit cases for XENVER_commandline and XENVER_build_id as well.
>>>> Introduce xsm_filter_denied() to hvmloader to remove "<denied>" string
>>>> from guest's DMI tables that otherwise would be shown in tools like
>>>> dmidecode.
>>>> Signed-off-by: Sergey Dyasli <sergey.dyasli@xxxxxxxxxx>
>>>> ---
>>>> v1 --> v2:
>>>> - Added xsm_filter_denied() to hvmloader instead of modifying
>>>> xen_deny()
>>>
>>> So 100% this version of the patch won't fly with the various
>>> downstreams that run the v1 of this patch. Those various consumers
>>> will stick with v1.
>>>
>>> If the goal of this is to reduce the burden of the downstreams and
>>> their customers to carry a patch against Xen then I wouldn't even
>>> bother with this version.
>>
>> If the goal is to come up with a solution that works for everyone, it
>> would be helpful if you said *why* “various consumers” would find this
>> patch unacceptable; and also what they might think about the alternate
>> solutions proposed (and why).
>>
>>   -George
>>
> 

[snip]

> Now I know someone is going to read this and say "Look at Doug and him
> advocating for security through obscurity".

FWIW I'd be the first person to contradict them, and say you were
practicing "defense in depth". :-)

> Ultimately my point is if the goal of this patch is to upstream a patch
> that's carried by various downstreams, why not actually listen to what
> caused them to write the patch?

Right, that's what I'm trying to do; but I don't seem to be making much
progress.

Here's my summary of the situation and arguments so far:

1. The xen_version hypercall can return strings for a number of
different values, including XENVER_extraversion, which gives the point
release and build id.

2. The XSM dummy module has code to filter which of these are allowed
for unprivileged guests.  When access to a given value is filtered, no
error is returned; rather, the string "<denied>" is returned.

3. Knowledge about the specific instantiation of Xen on which they are
running makes it easier for attackers to know how to attack the system;
the XENVER_extraversion provides little value to legitimate users, but a
lot of value to attackers.  As a defense-in-depth measure, it's
important to be able to hide this information.

4. There's currently a patch carried by many downstreams, which changes
the XSM dummy module to deny XENVER_extraversion to unprivileged guests.

5. However, this caused "<denied>" to show up in various user-visible
places, which caused customer support headaches.  So this out-of-tree
patch also replaced the string returned when denying access to ""
instead.  Note that this is not *only* for XENVER_extraversion; with
that patch, *any* time the value requested in xen_version is denied by
policy, "" will be returned.

6. Silently returning an empty string is considered bad interface design
by several developers.  So Sergey's second patch:
 - Still denies XENVER_extraversion at the hypervisor level
 - Leaves the value returned by the hypervisor as "<denied>"
 - Filters the "<denied>" string at the hvmloader level, to prevent it
leaking into a GUI and scaring customers.

Now we get to Andy's objection on the 10th:

---
The reason for this (which ought to be obvious, but I guess only to
those who actually do customer support) is basic human physiology.
"denied" means something has gone wrong.  It scares people, and causes
them to seek help to change fix whatever is broken.

It is not appropriate for it to find its way into the guest in the first
place, and that includes turning up in `dmesg` and other logs, and
expecting guest runtime to filter for it is complete nonsense.
---

Basically, Andy says that *anywhere* it might show up is way too scary,
even a guest dmesg log.

Well, I disagree; I look in "dmesg" and I see loads of "scary" things.
But if "<denied>" is too scary, then we can try "<hidden>".

Then we come to your mail.

You spend two paragraphs justifying why we need to do #4 (hide the value
from unprivileged guests), basically reiterating point #3 and dealing
with potential objections.  But nobody objects to #4, or disagrees with #3.

You then have a paragraph arguing why it's important that information be
stripped at the hypervisor rather than in the toolstack.

But Sergey's v2 patch *does* strip the information at the hypervisor.
His patch makes it so that XENVER_extraversion returns "<denied>".  The
code which converts "<denied>" to "" in hvmloader is purely a UI thing,
so that people looking in their Windows System Info don't get scary
messages.

> I'd be happy if we had a Kconfig option behind what the string is. Give
> me a blank as an option but default it to whatever string like
> "<hidden>" that you'd like. Every shipping Xen distro I've worked on has
> had its own v1 variant of the patch and none of them authored by me.


OK, so with this we have four proposed options:

1. Block XENVER_extraversion at the hypervisor level.  Change the
xen_deny() string to "".  (This is v1 of Sergey's patch.)

2. Block XENVER_extraversion at the hypervisor level.  Leave xen_deny()
as returning "<denied>", but replace "<denied>" with "" in hvmloader so
it doesn't show up in the System Info and scare users.

3. Block XENVER_extraversion at the hypervisor level.  Change xen_deny()
to return a more benign string like "<hidden>".  (Perhaps also filter it
in hvmloader, just for good measure.)

4. Block XENVER_extraversion at the hypervisor level.  Make the
xen_deny() string configurable in KConfig.

Fundamentally I have no objection to #4.  But I still don't know what
your objections are to #2 and #3.

 -George
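The mechanism George summarises in points 1 to 6 (the hypercall returning a string, the XSM dummy policy substituting "<denied>" instead of failing, and hvmloader stripping that string before it lands in the guest's DMI tables) is modelled below as an added example. This is illustrative C written for this page, not Xen's own hypercall, XSM or hvmloader code: the `model_*` functions, the `DENY_STRING` macro, the sample version strings and the "4.13" major/minor numbers are all constructed here. The XENVER_* sub-command names are the ones named in the thread; which of them the policy denies to unprivileged guests follows the patch description, with commandline and build_id treated as privileged-only (an assumption).

```c
/* Model of xen_version string filtering as described in the thread.
 * Illustrative code, not Xen's implementation. Sample values constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Sub-commands named in the thread (assumed subset of the real set). */
enum xenver_cmd {
    XENVER_extraversion,
    XENVER_compile_info,
    XENVER_changeset,
    XENVER_commandline,
    XENVER_build_id,
    XENVER_cmd_count
};

/* Constructed build-identifying strings a hypervisor might expose. */
static const char *const sample_values[XENVER_cmd_count] = {
    [XENVER_extraversion] = ".2-example",
    [XENVER_compile_info] = "gcc (example) 9.2",
    [XENVER_changeset]    = "0123abcd-example",
    [XENVER_commandline]  = "dom0_mem=example",
    [XENVER_build_id]     = "example-build-id",
};

/* What the dummy policy hands back when access is denied (point 2).
 * Option 3 in the thread would change this to something like "<hidden>". */
#define DENY_STRING "<denied>"

/* Model of the XSM dummy policy (point 4): privileged domains see
 * everything; unprivileged guests are refused the build-identifying
 * values. Assumption: commandline and build_id are privileged-only. */
static bool model_xsm_allow(enum xenver_cmd cmd, bool privileged)
{
    if (privileged)
        return true;
    switch (cmd) {
    case XENVER_extraversion:
    case XENVER_compile_info:
    case XENVER_changeset:
    case XENVER_commandline:
    case XENVER_build_id:
        return false;
    default:
        return true;
    }
}

/* Model of the hypercall (points 1 and 2): a denied request does not
 * fail, it yields DENY_STRING instead of the real value. */
static const char *model_xen_version(enum xenver_cmd cmd, bool privileged)
{
    if (cmd >= XENVER_cmd_count)
        return DENY_STRING;
    return model_xsm_allow(cmd, privileged) ? sample_values[cmd] : DENY_STRING;
}

/* Model of the hvmloader-side filter (point 6): DENY_STRING becomes ""
 * so it never reaches the guest's DMI tables; anything else passes. */
static const char *model_filter_denied(const char *s)
{
    if (s == NULL)
        return "";
    return strcmp(s, DENY_STRING) == 0 ? "" : s;
}

/* Constructed example of the version string a DMI table would carry,
 * built from major.minor plus extraversion. Returns a static buffer. */
static const char *model_guest_view(int major, int minor, bool privileged,
                                    bool filter)
{
    static char buf[64];
    const char *extra = model_xen_version(XENVER_extraversion, privileged);

    if (filter)
        extra = model_filter_denied(extra);
    snprintf(buf, sizeof buf, "%d.%d%s", major, minor, extra);
    return buf;
}

int main(void)
{
    printf("unprivileged, unfiltered: %s\n", model_guest_view(4, 13, false, false));
    printf("unprivileged, filtered:   %s\n", model_guest_view(4, 13, false, true));
    printf("privileged:               %s\n", model_guest_view(4, 13, true, false));
    return 0;
}
```

Running it shows the three views the thread argues about: the unfiltered unprivileged guest would embed "4.13<denied>" in its DMI tables (the string that worried support), the filtered one embeds "4.13", and a privileged domain still sees the full ".2-example" suffix. Changing `DENY_STRING` to "<hidden>" (option 3) or making it configurable (option 4) only touches the macro; the hvmloader-side filter keys on the same constant, so the two layers stay consistent.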

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
