
Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature



On 26/06/17 17:39, Andrew Cooper wrote:
>> * Bugs which allow a guest to prevent the application of a livepatch:
>>     A guest should not be able to prevent the application of a live
>>     patch. If an unprivileged guest can prevent the application of a
>>     live patch, it shall be treated as a security issue.
> 
> This one is harder to say.  We know that enough concurrent live
> migrations can, which extends to "lots of activity in the guest".  It's
> perhaps worth noting the potential workaround of `xl pause $DOM;
> xen-livepatch ...; xl unpause`.

And what if the guest can prevent itself from being paused?

Or, what if the guest can trigger some other persistent state change
such that livepatching will fail even if the domain is paused (or
destroyed)?

I agree that as long as the patch can be applied after "xl pause", then
the domain cannot be said to be preventing the application of the
livepatch.  But if either 'xl pause' doesn't work, or if livepatching
fails due to a malicious domain's actions after 'xl pause' (or 'xl
destroy'), then it should be treated as a security issue.

> This is all good, but this information needs to be in a file in
> docs/features/, most probably livepatching.pandoc

+1

 -George

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel