| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <208236727.64320322.1547530642536.JavaMail.zimbra@redhat.com>
Date: Tue, 15 Jan 2019 00:37:22 -0500 (EST)
From: Pankaj Gupta <pagupta@...hat.com>
To: "Michael S. Tsirkin" <mst@...hat.com>
Cc: Dave Chinner <david@...morbit.com>, Jan Kara <jack@...e.cz>,
KVM list <kvm@...r.kernel.org>,
David Hildenbrand <david@...hat.com>,
linux-nvdimm <linux-nvdimm@...1.01.org>,
Jason Wang <jasowang@...hat.com>,
Qemu Developers <qemu-devel@...gnu.org>,
virtualization@...ts.linux-foundation.org,
adilger kernel <adilger.kernel@...ger.ca>,
Ross Zwisler <zwisler@...nel.org>,
dave jiang <dave.jiang@...el.com>,
darrick wong <darrick.wong@...cle.com>,
vishal l verma <vishal.l.verma@...el.com>,
Matthew Wilcox <willy@...radead.org>,
Christoph Hellwig <hch@...radead.org>,
Linux ACPI <linux-acpi@...r.kernel.org>,
jmoyer <jmoyer@...hat.com>,
linux-ext4 <linux-ext4@...r.kernel.org>,
Rik van Riel <riel@...riel.com>,
Stefan Hajnoczi <stefanha@...hat.com>,
Igor Mammedov <imammedo@...hat.com>,
Dan Williams <dan.j.williams@...el.com>,
lcapitulino@...hat.com, Kevin Wolf <kwolf@...hat.com>,
Nitesh Narayan Lal <nilal@...hat.com>,
Theodore Ts'o <tytso@....edu>,
xiaoguangrong eric <xiaoguangrong.eric@...il.com>,
"Rafael J. Wysocki" <rjw@...ysocki.net>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
linux-xfs <linux-xfs@...r.kernel.org>,
linux-fsdevel <linux-fsdevel@...r.kernel.org>,
Paolo Bonzini <pbonzini@...hat.com>
Subject: Re: [Qemu-devel] [PATCH v3 0/5] kvm "virtio pmem" device
> > > >
> > > > On Mon, Jan 14, 2019 at 02:15:40AM -0500, Pankaj Gupta wrote:
> > > > >
> > > > > > > Until you have images (and hence host page cache) shared between
> > > > > > > multiple guests. People will want to do this, because it means
> > > > > > > they
> > > > > > > only need a single set of pages in host memory for executable
> > > > > > > binaries rather than a set of pages per guest. Then you have
> > > > > > > multiple guests being able to detect residency of the same set of
> > > > > > > pages. If the guests can then, in any way, control eviction of
> > > > > > > the
> > > > > > > pages from the host cache, then we have a guest-to-guest
> > > > > > > information
> > > > > > > leak channel.
> > > > > >
> > > > > > I don't think we should ever be considering something that would
> > > > > > allow a
> > > > > > guest to evict page's from the host's pagecache [1]. The guest
> > > > > > should
> > > > > > be able to kick its own references to the host's pagecache out of
> > > > > > its
> > > > > > own pagecache, but not be able to influence whether the host or
> > > > > > another
> > > > > > guest has a read-only mapping cached.
> > > > > >
> > > > > > [1] Unless the guest is allowed to modify the host's file;
> > > > > > obviously
> > > > > > truncation, holepunching, etc are going to evict pages from the
> > > > > > host's
> > > > > > page cache.
> > > > >
> > > > > This is so correct. Guest does not not evict host page cache pages
> > > > > directly.
> > > >
> > > > They don't right now.
> > > >
> > > > But someone is going to end up asking for discard to work so that
> > > > the guest can free unused space in the underlying spares image (i.e.
> > > > make use of fstrim or mount -o discard) because they have workloads
> > > > that have bursts of space usage and they need to trim the image
> > > > files afterwards to keep their overall space usage under control.
> > > >
> > > > And then....
> > >
> > > ...we reject / push back on that patch citing the above concern.
> >
> > So at what point do we draw the line?
> >
> > We're allowing writable DAX mappings, but as I've pointed out that
> > means we are going to be allowing a potential information leak via
> > files with shared extents to be directly mapped and written to.
> >
> > But we won't allow useful admin operations that allow better
> > management of host side storage space similar to how normal image
> > files are used by guests because it's an information leak vector?
> >
> > That's splitting some really fine hairs there...
>
> May I summarize that th security implications need to
> be documented?
>
> In fact that would make a fine security implications section
> in the device specification.
This is a very good suggestion.
I will document the security implications in details in device specification
with details of what all filesystem features we don't support and why.
Best regards,
Pankaj
>
>
>
>
>
> > > > > In case of virtio-pmem & DAX, guest clears guest page cache
> > > > > exceptional entries.
> > > > > Its solely decision of host to take action on the host page cache
> > > > > pages.
> > > > >
> > > > > In case of virtio-pmem, guest does not modify host file directly i.e
> > > > > don't
> > > > > perform hole punch & truncation operation directly on host file.
> > > >
> > > > ... this will no longer be true, and the nuclear landmine in this
> > > > driver interface will have been armed....
> > >
> > > I agree with the need to be careful when / if explicit cache control
> > > is added, but that's not the case today.
> >
> > "if"?
> >
> > I expect it to be "when", not if. Expect the worst, plan for it now.
> >
> > Cheers,
> >
> > Dave.
> > --
> > Dave Chinner
> > david@...morbit.com
>
>
Powered by blists - more mailing lists