[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH for-4.9] livepatch: Declare live patching as a supported feature
On 26/06/17 18:00, George Dunlap wrote: > On 26/06/17 16:36, Ross Lagerwall wrote: >> Xen Live Patching has been available as tech preview feature since Xen >> 4.7 and has now had a couple of releases to stabilize. Xen Live patching >> has been used by multiple vendors to fix several real-world security >> issues without any severe bugs encountered. Additionally, there are now >> tests in OSSTest that test live patching to ensure that no regressions >> are introduced. >> >> Based on the amount of testing and usage it has had, we are ready to >> declare live patching as a 'Supported' feature. > Great write-up, Ross, thanks. I more or less agree with everything > except... > >> * Bugs in livepatch-build-tools creating incorrect live patch that >> results in an insecure host: >> If livepatch-build-tools creates an incorrect live patch that >> results in an insecure host, this shall not be considered a security >> issue. There are too many OSes and toolchains to consider supporting >> this. A live patch should be checked to verify that it is valid >> before loading. > I'm not sure I follow the argument here. Suppose in one months' time it > is discovered that livepatch-build-tools, under some circumstances, > creates patches that open up a side vulnerability. Do you really think > we should just post a fix to the mailing list, without alerting anybody > who may be affected by it? There are a million ways this could happen, starting from the simple cases of accidentally building the livepatch from a non-clean working tree, or accidentally using a compiler other than the one used to build the running hypervisor. We absolutely cannot be in the position of issuing XSAs for situations like this, because there are too many ways where it definitely will go wrong, and we'd end up issuing XSAs saying "remember to clean your working tree before building a livepatch". This is of course absurd. IMO, The only viable option is to exclude livepatch-build-tools entirely from security scope. It is already the case that people producing livepatches need to check the resulting livepatch binary for sanity, and test it suitably in a development environment before use in production. ~Andrew _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx https://lists.xen.org/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |