lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20240730094831.882166-1-bchalios@amazon.es>
Date: Tue, 30 Jul 2024 11:48:30 +0200
From: Babis Chalios <bchalios@...zon.es>
To: <tytso@....edu>, <Jason@...c4.com>, <linux-kernel@...r.kernel.org>
CC: <graf@...zon.de>, <mzxreary@...inter.de>, <xmarcalx@...zon.co.uk>,
	<gregkh@...uxfoundation.org>, Babis Chalios <bchalios@...zon.es>
Subject: [PATCH 0/1] Notify system services about VM clones

Hi Jason,

This is a rebase of the previous patch[1] that enabled VMGenID to send a
uevent notification to user space. I have rebased it on top of current
Linus's master branch, which includes the changes to add DT support to
VMGenID, and fixed the conflicts.

The simple problem this solves is sending a notification to user space
services, like networkd et al, chrony, etc., that they are now working
on a new VM. The former would do things like refresh DHCP leases, the
latter would reset the system's clock to current date and time. This is
a problem quite common in the VM world. Apart from us, systemd folks
have chimed in the past with their use-cases[2][3].

Previously, you have mentioned that you envision this being handled by
random.c due to the fact that it receives such events from a variety of
devices[4][5], hence it should be the one dispatching the notification
to user space.

I am resending this because I believe the above rationale is conflating
two different events, i.e. "you have stale entropy" and "your VM has
been cloned". The latter implies the former, but there are use cases
other than reseeding PRNGs; some of them I mentioned earlier in this
cover letter. In practical terms, we should not regenerate MAC addresses
whenever we need to reseed our PRNGs. And I simply cannot think of any
other device that could trigger an effect on networkd, chrony, etc,
similar to the one VMGenID updates do.

I am really interested in your thoughts on this and, ultimately, I hope
we can have a technical discussion on the arguments above and try to
find the best solution for the problem at hand.

Cheers,
Babis

[1] https://lore.kernel.org/lkml/20230531095119.11202-1-bchalios@amazon.es/
[2] https://lore.kernel.org/lkml/ZieoRxn-On0gD-H2@gardel-login/
[3] https://lore.kernel.org/lkml/ZJGNREN4tLzQXOJr@gardel-login/
[4] https://lore.kernel.org/lkml/CAHmME9pVLD-U+iYfv7=HBufRtaSkBmCRpKLH8pbvPNkgozE3cg@mail.gmail.com/
[5] https://lore.kernel.org/lkml/Ziujox51oPzZmwzA@zx2c4.com/

Babis Chalios (1):
  vmgenid: emit uevent with new generation ID

 drivers/virt/vmgenid.c | 2 ++
 1 file changed, 2 insertions(+)

-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ