Re: [Xen-devel] RAM security
- To: Jonathan Tripathy <jonnyt@xxxxxxxxxxx>, George Dunlap <George.Dunlap@xxxxxxxxxxxxx>, <Xen-devel@xxxxxxxxxxxxxxxxxxx>
- From: Keir Fraser <keir@xxxxxxx>
- Date: Mon, 06 Dec 2010 08:26:34 -0800
- Delivery-date: Mon, 06 Dec 2010 08:28:24 -0800
- List-id: Xen developer discussion <xen-devel.lists.xensource.com>
- Thread-topic: [Xen-devel] RAM security
On 06/12/2010 07:35, "Jonathan Tripathy" <jonnyt@xxxxxxxxxxx> wrote:
> Just a few questions:
>
> 1) By saying "the guest's responsibility", does this mean that
> CONFIG_XEN_SCRUB_PAGES=y is set in the DomU kernel config?
Yes.
> 2) Also, if a DomU was shut down by xm destroy, obviously the DomU
> wouldn't scrub the RAM. However would Xen still scrub the RAM?
Xen always scrubs memory on behalf of a dead domain.
> 3) If the physical server was shut down (e.g. plug pulled), I'm guessing
> this will present a problem?
Xen scrubs all memory during boot, unless told not to via a boot parameter.
> 4) Why doesn't Xen scrub the RAM before giving it to the DomU?
It does in the above circumstances. Otherwise it is up to the domU, and why
not.
-- Keir
> Thanks
>
> On 06/12/10 14:49, George Dunlap wrote:
>> I looked into this sometime this last year. I believe the answer is
>> "no": the domain destruction routines will zero memory before handing
>> it back to Xen.
>>
>> One potential data leak, however (last time I looked at this), is that
>> Xen does not scrub memory handed back by the balloon driver. So if
>> the guest OS hasn't scrubbed it, and it contains sensitive
>> information, it may end up being assigned to another domain as-is
>> (either via ballooning or start-of-day domain creation). At the
>> moment that's considered the guest's responsibility.
>>
>> -George
>>
>> On Mon, Dec 6, 2010 at 2:35 PM, Jonathan Tripathy<jonnyt@xxxxxxxxxxx> wrote:
>>> Hi Everyone,
>>>
>>> In Xen, is a DomU able to access data in RAM which a previous DomU has
>>> stored in the past, but didn't "zero" it?
>>>
>>> I understand that this is a problem with physical disks (using phy:/), just
>>> wondering if the same stands with RAM
>>>
>>> Thanks
>>>
>>> _______________________________________________
>>> Xen-devel mailing list
>>> Xen-devel@xxxxxxxxxxxxxxxxxxx
>>> http://lists.xensource.com/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
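
A guest-side check for the setting discussed in this thread, as an added example that is not part of the original messages: it classifies a DomU kernel config by whether CONFIG_XEN_SCRUB_PAGES is enabled, so ballooned-out pages are zeroed before Xen can hand them to another domain. The function name, status strings and sample config are constructed for illustration; CONFIG_XEN_BALLOON comes from the Linux kernel's Xen Kconfig, not from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): classify a DomU kernel config by
# whether the guest scrubs pages before ballooning them back to Xen.
# Output: scrub-enabled | scrub-disabled | no-balloon | unreadable

scrub_status() {
    cfg=$1
    [ -r "$cfg" ] || { echo "unreadable"; return 2; }
    # Accept plain configs and gzip-compressed ones such as /proc/config.gz.
    case $cfg in
        *.gz) content=$(gzip -dc "$cfg") || { echo "unreadable"; return 2; } ;;
        *)    content=$(cat "$cfg") ;;
    esac
    # CONFIG_XEN_BALLOON is not named in the thread; in the Linux Kconfig
    # the scrub option depends on it, so without it the option does not apply.
    if ! printf '%s\n' "$content" | grep -q '^CONFIG_XEN_BALLOON=y$'; then
        echo "no-balloon"; return 0
    fi
    if printf '%s\n' "$content" | grep -q '^CONFIG_XEN_SCRUB_PAGES=y$'; then
        echo "scrub-enabled"; return 0
    fi
    # Covers "# CONFIG_XEN_SCRUB_PAGES is not set" and a missing entry.
    echo "scrub-disabled"; return 1
}

# Constructed sample config for a stand-alone run.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
CONFIG_XEN=y
CONFIG_XEN_BALLOON=y
# CONFIG_XEN_SCRUB_PAGES is not set
EOF
echo "demo: $(scrub_status "$demo_cfg" || true)"
rm -f "$demo_cfg"
```

The function returns non-zero for `scrub-disabled`, so it can gate an image build or a provisioning step.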