| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <FF2CCC35-87DD-4311-A3CF-4943B29DBEE3@amazon.com>
Date: Fri, 16 Oct 2020 22:29:14 -0700
From: Colm MacCarthaigh <colmmacc@...zon.com>
To: Jann Horn <jannh@...gle.com>
CC: Willy Tarreau <w@....eu>,
"Catangiu, Adrian Costin" <acatan@...zon.com>,
Andy Lutomirski <luto@...nel.org>,
Jason Donenfeld <Jason@...c4.com>,
"Theodore Y. Ts'o" <tytso@....edu>,
Eric Biggers <ebiggers@...nel.org>,
"open list:DOCUMENTATION" <linux-doc@...r.kernel.org>,
kernel list <linux-kernel@...r.kernel.org>,
"open list:VIRTIO GPU DRIVER"
<virtualization@...ts.linux-foundation.org>,
"Graf (AWS), Alexander" <graf@...zon.de>,
"Woodhouse, David" <dwmw@...zon.co.uk>, <bonzini@....org>,
"Singh, Balbir" <sblbir@...zon.com>,
"Weiss, Radu" <raduweis@...zon.com>, <oridgar@...il.com>,
<ghammer@...hat.com>, Jonathan Corbet <corbet@....net>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
"Michael S. Tsirkin" <mst@...hat.com>,
Qemu Developers <qemu-devel@...gnu.org>,
KVM list <kvm@...r.kernel.org>,
Michal Hocko <mhocko@...nel.org>,
"Rafael J. Wysocki" <rafael@...nel.org>,
Pavel Machek <pavel@....cz>,
Linux API <linux-api@...r.kernel.org>
Subject: Re: [PATCH] drivers/virt: vmgenid: add vm generation id driver
On 16 Oct 2020, at 22:01, Jann Horn wrote:
>
> On Sat, Oct 17, 2020 at 6:34 AM Colm MacCarthaigh
> <colmmacc@...zon.com> wrote:
>> For user-space, even a single bit would do. We added
>> MADVISE_WIPEONFORK
>> so that userspace libraries can detect fork()/clone() robustly, for
>> the
>> same reasons. It just wipes a page as the indicator, which is
>> effectively a single-bit signal, and it works well. On the user-space
>> side of this, I’m keen to find a solution like that that we can use
>> fairly easily inside of portable libraries and applications. The
>> “have
>> I forked” checks do end up in hot paths, so it’s nice if they can
>> be
>> CPU cache friendly. Comparing a whole 128-bit value wouldn’t be my
>> favorite.
>
> I'm pretty sure a single bit is not enough if you want to have a
> single page, shared across the entire system, that stores the VM
> forking state; you need a counter for that.
You’re right. WIPEONFORK is more like a single-bit per use. If it’s
something system wide then a counter is better.
> So the RNG state after mixing in the new VM Generation ID would
> contain 128 bits of secret entropy not known to anyone else, including
> people with access to the VM image.
>
> Now, 128 bits of cryptographically random data aren't _optimal_; I
> think something on the order of 256 bits would be nicer from a
> theoretical standpoint. But in practice I think we'll be good with the
> 128 bits we're getting (since the number of users who fork a VM image
> is probably not going to be so large that worst-case collision
> probabilities matter).
This reminds me on key/IV usage limits for AES encryption, where the
same birthday bounds apply, and even though 256-bits would be better, we
routinely make 128-bit birthday bounds work for massively scalable
systems.
>> The kernel would need to use the change as a trigger to
>> measure some entropy (e.g. interrupts and RDRAND, or whatever). Our
>> just
>> define the machine contract as “this has to be unique random data
>> and
>> if it’s not unique, or if it’s pubic, you’re toast”.
>
> As far as I can tell from Microsoft's spec, that is a guarantee we're
> already getting.
Neat.
-
Colm
Powered by blists - more mailing lists