All of lore.kernel.org
 help / color / mirror / Atom feed
From: Sergey Dyasli <sergey.dyasli@citrix.com>
To: Jan Beulich <JBeulich@suse.com>
Cc: "sergey.dyasli@citrix.com >> Sergey Dyasli"
	<sergey.dyasli@citrix.com>,
	George Dunlap <George.Dunlap@eu.citrix.com>,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	Tim Deegan <tim@xen.org>,
	xen-devel@lists.xen.org, Julien Grall <julien.grall@arm.com>,
	Boris Ostrovsky <boris.ostrovsky@oracle.com>
Subject: Re: [PATCH] mm/page_alloc: always scrub pages given to the allocator
Date: Mon, 1 Oct 2018 15:40:00 +0100	[thread overview]
Message-ID: <a1861a76-8542-60e8-05fd-b0b31e8ac05e@citrix.com> (raw)
In-Reply-To: <5BB2014B02000078001ED2B6@prv1-mh.provo.novell.com>

On 01/10/18 12:13, Jan Beulich wrote:
>>>> On 01.10.18 at 11:58, <sergey.dyasli@citrix.com> wrote:
>> Having the allocator return unscrubbed pages is a potential security
>> concern: some domain can be given pages with memory contents of another
>> domain. This may happen, for example, if a domain voluntarily releases
>> its own memory (ballooning being the easiest way for doing this).
> 
> And we've always said that in this case it's the domain's responsibility
> to scrub the memory of secrets it cares about. Therefore I'm at the
> very least missing some background on this change of expectations.
> 
>> Change the allocator to always scrub the pages given to it by:
>>
>> 1. free_xenheap_pages()
>> 2. free_domheap_pages()
>> 3. online_page()
>> 4. init_heap_pages()
>>
>> Performance testing has shown that on multi-node machines bootscrub
>> vastly outperforms idle-loop scrubbing. So instead of marking all pages
>> dirty initially, introduce bootscrub_done to track the completion of
>> the process and eagerly scrub all allocated pages during boot.
> 
> I'm afraid I'm somewhat lost: There still is active boot time scrubbing,
> or at least I can't see how that might be skipped (other than due to
> "bootscrub=0"). I was actually expecting this to change at some
> point. Am I perhaps simply mis-reading this part of the description?
> 
>> If bootscrub is disabled, then all pages will be marked as dirty right
>> away and scrubbed either in idle-loop or eagerly during allocation.
>>
>> After this patch, alloc_heap_pages() is guaranteed to return scrubbed
>> pages to a caller unless MEMF_no_scrub flag was provided.
> 
> I also don't understand the point of this: Xen's internal allocations
> have no need to come from scrubbed memory. This in particular
> also puts under question the need to "eagerly scrub all allocated
> pages during boot" (quoted from an earlier paragraph).

There are ways to share a Xen's page with a guest. So from a security
point of view, there is no guarantee that a page allocated with
alloc_xenheap_pages() will not end up accessible by some guest.

--
Thanks,
Sergey

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel

  parent reply	other threads:[~2018-10-01 14:40 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-01  9:58 [PATCH] mm/page_alloc: always scrub pages given to the allocator Sergey Dyasli
2018-10-01 10:13 ` Julien Grall
2018-10-01 11:13 ` Jan Beulich
2018-10-01 13:12   ` Andrew Cooper
2018-10-01 13:27     ` George Dunlap
2018-10-01 13:38     ` Jan Beulich
2018-10-01 13:44       ` Sergey Dyasli
2018-10-01 13:54         ` George Dunlap
2018-10-01 14:28           ` Sergey Dyasli
2018-10-01 15:15             ` Jan Beulich
2018-10-01 14:11       ` Sergey Dyasli
2018-10-01 15:12         ` Jan Beulich
2018-10-01 13:44     ` Boris Ostrovsky
2018-10-01 13:50       ` George Dunlap
2018-10-01 13:55         ` Andrew Cooper
2018-10-01 13:57         ` Boris Ostrovsky
2018-10-01 14:53           ` Andrew Cooper
2018-10-01 14:40   ` Sergey Dyasli [this message]
2018-10-01 15:13     ` Jan Beulich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=a1861a76-8542-60e8-05fd-b0b31e8ac05e@citrix.com \
    --to=sergey.dyasli@citrix.com \
    --cc=George.Dunlap@eu.citrix.com \
    --cc=JBeulich@suse.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=boris.ostrovsky@oracle.com \
    --cc=julien.grall@arm.com \
    --cc=tim@xen.org \
    --cc=xen-devel@lists.xen.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.