Wipe RAM on shutdown #1562
Comments
Good feature, but a little reminder: some memory controllers scramble addresses and data using a PRNG pattern, such as on Intel Core processors using DDR3. So far I haven't seen anyone defeat this, so maybe some users will feel less vulnerable. See pp. 26-29 http://www.slideshare.net/codeblue_jp/igor-skochinsky-enpub
Looks like the kernel is compiled with CONFIG_XEN_SCRUB_PAGES=y. That should result in DomUs getting wiped on memory free operations, including a shutdown. Was this issue filed against the host itself? #2024 refers mostly to VMs.
Updating title to explicitly include things mentioned in #4488.
On memory balancing, the memory definitely is zeroed before returning it to Xen. On VM shutdown/crash/etc. it is too, but I'm not sure if it's done synchronously or asynchronously, IOW at which point in time it is guaranteed to be cleared already.
Updated title to:
(Feel free to change it further.)
Progress on this feature has been made. Source code review and suggestions for the sdmem parameters are welcome, see: This is now in the development version of security-misc. (#1885)
This has progressed far; it now has a dedicated source code repository and sub-project page.
Nowadays the remaining issue is actually a dracut issue, which is not easy to fix.
What is the main scenario where this is useful? In what situation is the VM shut down in a controlled manner, but you can't rely on Xen to clear the memory?
I was also wondering what I was thinking when ~9 years ago I set the title to
which from today's perspective does not make a lot of sense to me. Except that after you asked, I checked the history, and the title I had chosen was actually:
This would be a dom0 feature. This is what I was suggesting and what I still think makes sense. Why is it useful? It's for cold boot attack defense. Reference:
I don't think the title should have been changed, or the scope of the ticket, which is complicated enough by itself, extended.
To answer your question...
I didn't suggest VM memory to be cleared when a VM is closed. Maybe that's #4488. This ticket should only be for Wipe RAM on Shutdown.
This patch might be relevant; at least it confirms that scrubbing doesn't always get scheduled until the page is allocated.
My understanding is that the Xen default policy has been to scrub RAM only when allocating it to a VM or to some other internal Xen purpose. Also, this would not be a dom0 feature; it would need to be a Xen feature (it's possible there's already a policy flag for this?). Deallocated VM RAM is released to and managed by Xen, not dom0. Dom0 itself is just a special (often management) VM.
If dom0 is just a VM, does that mean the scrub-domheap option also applies to releasing the pages used by dom0?
Yes, when any domain is returning memory to Xen, including dom0. I hadn't noticed the addition of the scrub-domheap option in 2019, thanks for pointing that out. Presumably this prevents leaks of VM secrets into Xen-controlled memory. My understanding still is that Xen already scrubs memory before giving it to a VM; perhaps this option is meant to ensure VM secrets don't spend any more time in RAM than the lifetime of the VM (system guaranteed fully scrubbed of secrets on VM shutdown).
I read that scrubbing is done during CPU idle time across all cores; if you have free memory and your CPU never idles, I don't think there is any guarantee the pages are scrubbed until the memory is used again. As I understand it, scrub-domheap always scrubs the memory when it's released; it doesn't wait for the CPU to be idle.
Some stuff that Tails has in mind.
package:
http://git.tails.boum.org/wiperam/tree/
Tails currently has a few issues with it.
https://tails.boum.org/support/known_issues/index.en.html#index23h2
The other issue is an obvious one: if shutdown fails for software or hardware reasons, the RAM wipe won't be executed.
https://labs.riseup.net/code/issues/6006
And more.
Tails blueprint:
https://tails.boum.org/blueprint/more_efficient_memory_wipe/
Documentation on testing if wiping RAM works:
https://tails.boum.org/contribute/release_process/test/erase_memory_on_shutdown/
Test suite recipe:
https://github.com/vjrj/tails/blob/master/features/erase_memory.feature
Documentation:
https://tails.boum.org/doc/advanced_topics/cold_boot_attacks/index.en.html
Related:
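The Tails test recipe linked above works by filling memory with a known pattern and then searching a memory dump for that pattern after the wipe. The following is an added example written for this thread, not code from Tails, Qubes or security-misc: it runs the same fill / search / wipe / search cycle on a single user-space buffer so the checking logic can be exercised offline. The marker string, buffer size and function names are assumptions made for the example; a userspace wipe like this says nothing about copies the kernel may hold elsewhere (swap, page cache, Xen-managed pages), which is the whole point of the discussion above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed marker for this example only. It stands in for a secret:
 * the test fills memory with it and later counts how often it survives. */
static const char MARKER[] = "WIPE-TEST-MARKER";
#define MARKER_LEN (sizeof(MARKER) - 1)   /* 16 bytes */

/* Overwrite n bytes through a volatile pointer. A plain memset() right
 * before free() is a dead store the compiler may legally remove; volatile
 * stores must be emitted, so the wipe actually reaches memory. */
void secure_wipe(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) {
        *v++ = 0;
    }
}

/* Fill buf with the marker repeated end to end (the "fill" step). */
void fill_marker(unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) {
        buf[i] = (unsigned char)MARKER[i % MARKER_LEN];
    }
}

/* Count non-overlapping marker occurrences in buf (the "search" step,
 * the same scan one would run over a memory dump). */
size_t count_marker(const unsigned char *buf, size_t len) {
    size_t hits = 0;
    size_t i = 0;
    while (i + MARKER_LEN <= len) {
        if (memcmp(buf + i, MARKER, MARKER_LEN) == 0) {
            hits++;
            i += MARKER_LEN;
        } else {
            i++;
        }
    }
    return hits;
}

/* Run fill -> count -> wipe -> count on a buffer of len bytes.
 * If before is non-NULL it receives the hit count after filling.
 * Returns the residual hit count after the wipe (0 means the wipe held),
 * or (size_t)-1 if allocation failed. */
size_t wipe_and_verify(size_t len, size_t *before) {
    unsigned char *buf = malloc(len);
    if (buf == NULL) {
        return (size_t)-1;
    }
    fill_marker(buf, len);
    size_t hits_before = count_marker(buf, len);
    if (before != NULL) {
        *before = hits_before;
    }
    secure_wipe(buf, len);
    size_t hits_after = count_marker(buf, len);
    free(buf);
    return hits_after;
}

int main(void) {
    size_t before = 0;
    size_t after = wipe_and_verify(4096, &before);
    if (after == (size_t)-1) {
        perror("malloc");
        return 2;
    }
    printf("marker hits before wipe: %zu, after wipe: %zu\n", before, after);
    return after == 0 ? 0 : 1;
}
```

A 4096-byte buffer holds exactly 256 copies of the 16-byte marker, so the scan reports 256 hits before the wipe and 0 after. The same count_marker() scan, pointed at a raw dump of physical memory taken after a reboot, is what turns "we ran sdmem" into evidence that the wipe actually took effect, subject to the memory-controller scrambling caveat raised at the top of the thread.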