From: Peng Tao
Date: Thu, 12 Jul 2018 23:02:08 +0800
Subject: Re: [Qemu-devel] [PATCH] migration: add capability to bypass the shared memory
To: Stefan Hajnoczi
Cc: Lai Jiangshan, Samuel Ortiz, Xu Wang, qemu-devel@nongnu.org, "James O. D. Hunt", "Dr. David Alan Gilbert", Markus Armbruster, Juan Quintela, Sebastien Boeuf, Xiao Guangrong, Xiao Guangrong, Paolo Bonzini, Andrea Arcangeli, Marcelo Tosatti, kata-dev@lists.katacontainers.io

Hi Stefan,

On Tue, Jul 10, 2018 at 9:40 PM, Stefan Hajnoczi wrote:
> Two things come to mind:
>
> At that point both guest kernel and agent address-space layout
> randomization (ASLR) is finished. ASLR makes it harder for memory
> corruption bugs to lead to real exploits because the attacker does not
> know the full memory layout of the process. Cloned VMs will not benefit
> from ASLR because much of the memory layout of the guest kernel and
> agent will be identical across all clones.
>
Yes, indeed. I am not arguing that ASLR is retained with VM templating. Just that ASLR is also compromised if one wants to use KSM to save memory by sharing among different guests. Kata is already shipping with KSM components and we are adding VM templating as a better alternative.

> Software random number generators have probably been initialized at this
> point. This doesn't mean that all cloned VMs will produce the same
> sequence of random numbers since they should incorporate entropy sources
> or use hardware random number generators, but the quality of random
> numbers might be reduced. Someone who knows random number generators
> should take a look at this.
>
As Andrea pointed out earlier in his comments, we can configure the random number generator to printk a warning if it is used at boot before it has had its "shutdown" state restored. Then we can add a new kata-agent request to set the entropy and check for such a warning after a new VM is cloned and before it is given to the user. This way, we are guaranteed that the random numbers generated by each guest are created with a different seed. Do you have any other concerns with this method?

Cheers,
Tao
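The post-clone check Tao describes (reseed the guest pool, then refuse to hand over a clone whose kernel log shows the RNG was consumed before its saved state was restored) can be sketched in a few lines. The following is an added example, not code from this thread, from QEMU or from the Kata agent: the warning text is a constructed placeholder because the thread gives none, the log lines are constructed, and the reseed uses the Linux RNDADDENTROPY ioctl (which credits entropy, unlike a plain write to /dev/urandom) and therefore needs CAP_SYS_ADMIN inside the guest.

```python
import fcntl
import os
import re
import struct

# The thread says the guest RNG would "printk a warning" when used before its
# saved state is restored, but gives no message text. This pattern is a
# constructed placeholder; match it against whatever the real patch logs.
RNG_WARNING_RE = re.compile(r"random: .*used before (saved|template) state restored")

# RNDADDENTROPY from <linux/random.h>: _IOW('R', 0x03, int[2]) == 0x40085203.
RNDADDENTROPY = 0x40085203


def find_rng_warnings(kernel_log):
    """Return the kernel-log lines showing the RNG was consumed too early."""
    return [line for line in kernel_log.splitlines() if RNG_WARNING_RE.search(line)]


def build_rand_pool_info(seed, credit_bits=None):
    """Pack the struct RNDADDENTROPY expects.

    struct rand_pool_info { int entropy_count; int buf_size; __u32 buf[]; };
    entropy_count is in bits, buf_size is the byte length of buf. The seed is
    zero-padded to a multiple of 4 so it fills whole __u32 slots; only the
    caller's real bytes are credited unless credit_bits overrides that.
    """
    if not seed:
        raise ValueError("empty seed")
    padded = seed + b"\x00" * (-len(seed) % 4)
    if credit_bits is None:
        credit_bits = len(seed) * 8
    return struct.pack("ii", credit_bits, len(padded)) + padded


def parse_rand_pool_info(blob):
    """Inverse of build_rand_pool_info, handy for inspecting what was sent."""
    entropy_count, buf_size = struct.unpack("ii", blob[:8])
    return entropy_count, buf_size, blob[8:8 + buf_size]


def reseed_guest_rng(seed, device="/dev/random"):
    """Credit fresh entropy to the guest kernel pool (needs CAP_SYS_ADMIN)."""
    fd = os.open(device, os.O_WRONLY)
    try:
        fcntl.ioctl(fd, RNDADDENTROPY, build_rand_pool_info(seed))
    finally:
        os.close(fd)


def clone_rng_ok(kernel_log):
    """Gate used after cloning: hand the VM over only if no warning fired."""
    return not find_rng_warnings(kernel_log)


if __name__ == "__main__":
    # Constructed guest log: a clone that touched the RNG before restore.
    sample_log = (
        "[    0.612345] random: get_random_bytes called from start_kernel\n"
        "[    0.901234] random: crng used before saved state restored\n"
        "[    1.234567] random: crng init done\n"
    )
    print("warnings:", find_rng_warnings(sample_log))
    print("clone ok:", clone_rng_ok(sample_log))
    print("ioctl payload:", parse_rand_pool_info(build_rand_pool_info(os.urandom(32))))
```

The agent-side flow would be: clone the VM, call reseed_guest_rng() with host-supplied entropy through the new kata-agent request, read the guest kernel log, and release the VM only when clone_rng_ok() is true. If the warning ever fires, the clone is evidence that the template snapshot was taken too late or that something consumed the pool between restore and reseed, and it should not be reused.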