WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

Re: [Xen-devel] Xen and updated kernels

To: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] Xen and updated kernels
From: Mark Williamson <mark.williamson@xxxxxxxxxxxx>
Date: Wed, 4 Jan 2006 02:27:14 +0000
Cc: Tony and Robyn Lewis <gnutered@xxxxxxxxxxxx>
Delivery-date: Wed, 04 Jan 2006 02:43:34 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <43BB1E2A.1000100@xxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <43BB1E2A.1000100@xxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: KMail/1.8.3
> I am enjoying playing with Xen.  Kudos for this cool technology.  We're
> thinking hard about using Xen in production for our office.
>
> My major concern is security in the kernel.  The pre-built binaries of
> the Xenised kernels are based on 2.6.12, which is old now (last released
> in late August according to kernel.org).
>
> Does this not put the domU guests at risk, if there are kernel exploits
> that apply to 2.6.12?  Granted, the damage is contained, but there's
> still an 0wned (virtual) server that I've now got to deal with.

The reason the main distribution hasn't been updated with a new kernel version 
recently is that a lot of work is being done on the Xen-ification patch to 
make it acceptable for upstream merge.

This repo contains a Xenified Linux 2.6.15:
http://xenbits.xensource.com/linux-2.6-xen.hg
But this is currently not as widely used / tested as the 2.6.12 tree which is 
included with the Xen 3.0 distribution.

The contents of that repo will be used in future releases of Xen, but the 
kernel provided there should work fine now for domUs on 3.0 hypervisors.

> Between now and when Xen gets into the mainstream kernel, what's a good
> mitigation for this risk?  *Is* it a risk?

Well, it's a risk if there are any exploits that might affect your 
configuration.  I don't recall any particularly horrible exploits in recent 
2.6 kernels, though.  If it's an exploit that hasn't yet been discovered, it 
most likely won't be fixed in more recent kernels either.  Depends how 
paranoid you're feeling - are they really out to get you? ;-)

> I would like to apply the Xen patch to a maintained kernel source, in my
> case the latest Debian 2.6.12 tree (it has later patches backported to
> it).  I've tried applying it and ended up with heaps (50-ish)
> rejections.  From first glance, most of these rejections are because the
> Debian source already contains the patch that Xen tries to apply, and so
> are safe to ignore.  Not all rejections are, though, and unless there's
> a better idea (hence this email), my intent is to then go through these
> by hand and fix things up.
>
> Hopefully it'll be a one-off task.  I can use the new tree and the
> original to generate my own xen-3.0-to-debian-2.6.12-blah.patch.  When a
> new Debian 2.6.12 comes out, this patch should apply fairly cleanly.
>
> Again, is this worth doing?

Possibly...  depends how impatient you are ;-)  But IIRC, various people have 
been producing Xenified Debian kernels, so you may be duplicating work - I'm 
not sure how those efforts are progressing right now.

Cheers,
Mark

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
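The procedure the original poster describes (apply the Xen patch to the Debian tree, sort the rejected hunks into "Debian already has this" versus "needs a hand merge", then diff the result against pristine Debian to get a patch that applies cleanly to the next Debian release) can be made mechanical. The script below is an added example, not code from the thread or from the Xen project: it builds two tiny constructed trees standing in for vanilla 2.6.12 and Debian's 2.6.12, a constructed "Xen" patch against vanilla, and then classifies each per-file piece of the patch with `patch --dry-run`. The one thing it assumes is GNU patch(1) and diff(1). The security-relevant caveat it also checks: `patch -t` and `patch -f` make opposite assumptions about hunks that look already applied, and the wrong choice silently reverts the distro's backported fix rather than rejecting the hunk.

```shell
#!/bin/sh
# Added example, not from the mailing list: apply an out-of-tree (here, a
# toy "Xen") patch to a distro-maintained kernel tree, sort the rejected
# hunks into "already carried by the distro" vs "needs a hand merge", and
# regenerate the patch against the distro tree. Every path and file below
# is constructed for the demo; only GNU patch(1) and diff(1) are assumed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# --- constructed toy trees standing in for vanilla 2.6.12 and Debian's 2.6.12 ---
mkdir -p "$WORK/vanilla/arch" "$WORK/debian/arch" "$WORK/xen/arch"
printf 'static int a = 1;\n' > "$WORK/vanilla/arch/setup.c"
printf 'static int b = 1;\n' > "$WORK/vanilla/arch/mm.c"
cp "$WORK/vanilla/arch/setup.c" "$WORK/debian/arch/setup.c"
# Debian already backported the mm.c fix that the Xen tree also carries.
printf 'static int b = 2; /* backported fix */\n' > "$WORK/debian/arch/mm.c"
# The "Xen" tree: the same backported fix plus a genuinely new Xen change.
printf 'static int a = 1;\n#include <xen/hypervisor.h>\n' > "$WORK/xen/arch/setup.c"
cp "$WORK/debian/arch/mm.c" "$WORK/xen/arch/mm.c"
( cd "$WORK" && diff -Nur vanilla xen > xen.patch || true )   # diff exits 1 on differences

# Split the patch per file so each file can be classified on its own;
# diff -r starts every file's section with a "diff ..." line.
mkdir -p "$WORK/parts"
awk -v dir="$WORK/parts" '/^diff /{n++} {print > (sprintf("%s/%03d.diff", dir, n))}' "$WORK/xen.patch"

# Name of the file a per-file patch touches, as patch -p1 will see it.
part_target() {
    awk '/^\+\+\+ /{sub(/^\+\+\+ /, ""); sub(/\t.*/, ""); sub(/^[^\/]*\//, ""); print; exit}' "$1"
}

# classify_part PART TREE -> "apply" | "already" | "manual"
# -f keeps patch from reverse-applying a hunk it merely suspects is reversed;
# a hunk that fails forward but applies cleanly with -R is one the distro
# tree already contains. Anything else needs eyes.
classify_part() {
    if patch -p1 -f -s --dry-run -d "$2" < "$1" >/dev/null 2>&1; then
        echo apply
    elif patch -p1 -f -s -R --dry-run -d "$2" < "$1" >/dev/null 2>&1; then
        echo already
    else
        echo manual
    fi
}

cp -R "$WORK/debian" "$WORK/debian.orig"       # pristine copy for the final diff
N_APPLY=0; N_ALREADY=0; N_MANUAL=0; SUMMARY=""
for part in "$WORK"/parts/*.diff; do
    verdict=$(classify_part "$part" "$WORK/debian")
    SUMMARY="$SUMMARY$(part_target "$part")=$verdict "
    case $verdict in
        apply)   patch -p1 -f -s -d "$WORK/debian" < "$part"; N_APPLY=$((N_APPLY + 1)) ;;
        already) N_ALREADY=$((N_ALREADY + 1)) ;;
        manual)  N_MANUAL=$((N_MANUAL + 1)) ;;
    esac
done
echo "$SUMMARY"

# Regenerate the patch against the Debian tree, as the original poster proposed.
( cd "$WORK" && diff -Nur debian.orig debian > xen-to-debian.patch || true )

# Caveat worth a check: 'patch -t' takes the opposite assumption from -f and,
# per its documentation, reverse-applies a hunk that looks already applied,
# which here means stripping Debian's backported fix out of mm.c.
cp -R "$WORK/debian.orig" "$WORK/debian-t"
patch -p1 -t -s -d "$WORK/debian-t" < "$WORK/xen.patch" >/dev/null 2>&1 || true
mm_has_fix() { grep -q 'backported fix' "$1/arch/mm.c"; }
mm_has_fix "$WORK/debian"   && echo "patch -f: backported fix kept"
mm_has_fix "$WORK/debian-t" || echo "patch -t: backported fix silently reverted"
```

The "manual" bucket is the one that costs time: a hunk that neither applies forward nor reverses cleanly is where the distro's backport and the out-of-tree change touched the same lines differently, and only reading both diffs tells you which behaviour (and which fix) survives. Diffing against `debian.orig` afterwards, rather than keeping the hand-edited `.rej` files, is what makes the result reapplicable to the next distro kernel.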
