<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<link title="new" rel="stylesheet" href="http://www.gentoo.org/css/main.css" type="text/css">
<link REL="shortcut icon" HREF="http://www.gentoo.org/favicon.ico" TYPE="image/x-icon">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
<title>Gentoo Linux Documentation
--
  Gentoo Hardened Virtualization Guide</title>
</head>
<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr><td valign="top" height="125" bgcolor="#45347b"><a href="http://www.gentoo.org/"><img border="0" src="http://www.gentoo.org/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
<td width="99%" class="content" valign="top" align="left">
<table class="ncontent" align="center" width="90%" border="2px" cellspacing="0" cellpadding="4px"><tr><td bgcolor="#ddddff"><p class="note"><b>Disclaimer : </b>
    This document is a work in progress and should not be considered official yet.
  </p></td></tr></table>
<br><h1>Gentoo Hardened Virtualization Guide</h1>
<form name="contents" action="http://www.gentoo.org">
<b>Content</b>:
        <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Hardening a Virtualization Environment</option>
<option value="#doc_chap2">2. Resources</option></select>
</form>
<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1.
            </span>Hardening a Virtualization Environment</p>
<p class="secthead"><a name="doc_chap1_sect1">Virtualization and Hardening?</a></p>
<p>
The hardening of virtualized environments is growing in popularity.
Virtualization has the advantages of isolating services on various slim guests
running on a larger server, while hardening provides for enhanced security for
both the guests and host. In practice, however, getting the two to work
together is not always an easy task, as the technologies employed by one often
interfere with the other. This is complicated by the fact that there are many
implementations of virtualization and many degrees of hardening. This guide
aims to provide some clarity on these issues and outline some best practices.
</p>
<p class="secthead"><a name="doc_chap1_sect2">Types of virtualization and degrees of hardening</a></p>
<p>
This guide looks at virtualization using kvm, xen and vmware under hardening
by GRSEC/PaX. For each type of virtualization, we discuss what hardening
features work for the host and guests without either degrading performance
horribly or breaking completely. This is not a howto on setting up
virtualization since that is covered elsewhere; rather, we limit our
discussion to just which hardening features ought to be enabled or disabled when
configuring the kernel of the host or guest operating systems.
</p>
<p class="secthead"><a name="doc_chap1_sect3">Hardening KVM</a></p>
<p>
KVM (Kernel-based Virtual Machine) provides virtualization on x86 and x86_64
hosts that have the required hardware support (Intel-VT or AMD-V). The host
uses a general kernel module (kvm.ko), a processor-specific module
(kvm-intel.ko or kvm-amd.ko), and a userland utility (qemu-kvm) to run the
guests. The guests can be configured to use emulated hardware (full
virtualization) or virtio (paravirtualization). Paravirt has the advantage
of increasing performance and providing a common I/O interface between host
and guest. Resources for setting up kvm on Gentoo can be found at the end
of this guide.
</p>
<p>
As of this writing, there are no known restrictions on hardening for the
guest on amd64 hosts. Tests of both x86 and x86_64 guests using either emulated
hardware or virtio, with all hardening features, including CONFIG_PAX_KERNEXEC
and CONFIG_PAX_MEMORY_UDEREF, have been successful on amd64 guests. For Intel
hosts there have been reports going both ways on whether or not enabling
CONFIG_PAX_MEMORY_UDEREF in the guests causes the guest to run
slowly. Currently it is recommended not to enable CONFIG_PAX_MEMORY_UDEREF on
Intel guests.
</p>
<table class="ntable">
	<tr>
		<td class="infohead" colspan="3" style="text-align:center"><b>guest kernel config breakout</b></td>
	</tr>
	<tr>
		<td class="infohead"><b></b></td>
		<td class="infohead"><b>AMD</b></td>
		<td class="infohead"><b>INTEL</b></td>
	</tr>
	<tr>
		<td class="infohead"><b>CONFIG_PAX_KERNEXEC</b></td>
		<td class="tableinfo">Y</td>
		<td class="tableinfo">Y</td>
	</tr>
	<tr>
		<td class="infohead"><b>CONFIG_PAX_MEMORY_UDEREF</b></td>
		<td class="tableinfo">Y</td>
		<td class="tableinfo">N</td>
	</tr>   
</table>
<p>
For the host, however, one must disable both CONFIG_PAX_KERNEXEC and
CONFIG_PAX_MEMORY_UDEREF. Either of these will set an invisible kernel
option, CONFIG_PAX_PER_CPU_PGD, which is known to break kvm. What actually
happens is that the guest's performance is degraded to the point where it is
unusable but does not crash, and the host is left with qemu-kvm in
uninterruptible sleep (state D in the output of ps aux). Only rebooting the host
clears the issue.
</p>
<p>
These tests were done using the 2.6.32 and 2.6.34 branches of the kernel with
GRSEC/PaX patch versions 2.1.14 and 2.2.0 (see Gentoo bug <a href="https://bugs.gentoo.org/328623">#328623</a>). However, it is unlikely that
this problem will be solved anytime soon, which is unfortunate because both
KERNEXEC and UDEREF are excellent hardening features.
</p>
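<p>
The recommendations above reduce to a short checklist per role (kvm host, guest on an AMD host, guest on an Intel host). The following script is an added example, not part of this guide, that checks a kernel .config in the usual Kconfig format against that checklist; the sample config it runs on is constructed for illustration.
</p>

```sh
#!/bin/sh
# Added example (not from the Gentoo guide): check a kernel .config against the
# guide's KVM recommendations for a GRSEC/PaX host and for AMD and Intel guests.
# Input is config text in Kconfig format ("CONFIG_FOO=y", "# CONFIG_FOO is not set").

# cfg_enabled CONFIG_TEXT OPTION: succeed if OPTION is built in (=y) or modular (=m).
cfg_enabled() {
    printf '%s\n' "$1" | grep -Eq "^$2=(y|m)$"
}

# check_kvm_config ROLE CONFIG_TEXT, ROLE being host, guest-amd or guest-intel.
# Prints one line per deviation from the guide; returns the number of deviations.
check_kvm_config() {
    role=$1 cfg=$2 n=0
    case $role in
    host)
        # Either PaX option selects CONFIG_PAX_PER_CPU_PGD, which leaves guests
        # unusable and qemu-kvm stuck in state D, so all three must be off.
        for opt in CONFIG_PAX_KERNEXEC CONFIG_PAX_MEMORY_UDEREF CONFIG_PAX_PER_CPU_PGD; do
            cfg_enabled "$cfg" "$opt" && { echo "host: disable $opt (breaks kvm)"; n=$((n + 1)); }
        done ;;
    guest-amd)
        # Both options have tested fine in guests on AMD hosts.
        for opt in CONFIG_PAX_KERNEXEC CONFIG_PAX_MEMORY_UDEREF; do
            cfg_enabled "$cfg" "$opt" || { echo "guest-amd: enable $opt"; n=$((n + 1)); }
        done ;;
    guest-intel)
        # KERNEXEC is fine; UDEREF is reported to slow Intel guests, so leave it off.
        cfg_enabled "$cfg" CONFIG_PAX_KERNEXEC || { echo "guest-intel: enable CONFIG_PAX_KERNEXEC"; n=$((n + 1)); }
        cfg_enabled "$cfg" CONFIG_PAX_MEMORY_UDEREF && { echo "guest-intel: disable CONFIG_PAX_MEMORY_UDEREF (slow guests reported)"; n=$((n + 1)); }
        ;;
    *)  echo "unknown role: $role" >&2; return 255 ;;
    esac
    return $n
}

# Constructed sample: a hardened workstation config someone wants to reuse on a kvm host.
SAMPLE_CFG='CONFIG_GRKERNSEC=y
CONFIG_PAX=y
CONFIG_PAX_KERNEXEC=y
# CONFIG_PAX_MEMORY_UDEREF is not set
CONFIG_KVM=m
CONFIG_KVM_AMD=m'

for role in host guest-amd guest-intel; do
    check_kvm_config "$role" "$SAMPLE_CFG" && echo "$role: config matches the guide"
done
```

On a running system the config text can come from <code>zcat /proc/config.gz</code> when CONFIG_IKCONFIG_PROC is enabled, or from the kernel's .config.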
<p class="secthead"><a name="doc_chap1_sect4">Hardening Xen</a></p>
<p>
Xen is an older virtualization technology than kvm, but similar in many
regards. It employs a hypervisor which boots a specialized host kernel
(dom0). Once the host is up, it in turn runs guests (domU) ... TODO
</p>
<p class="secthead"><a name="doc_chap1_sect5">VMWare Workstation</a></p>
<p>
VMWare Workstation needs to link precompiled binaries against system
libraries in order to function.  Because Gentoo Hardened uses more secure
functions of GCC, VMWare Workstation cannot link against it.  Because
VMWare Workstation cannot link, it does not function.  In fact, using
VMWare Workstation at all on Hardened Gentoo led to a hard system reset.
</p>
<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2.
            </span>Resources</p>
<p>
KVM related resources:
</p>
<ul>
  <li><a href="http://en.gentoo-wiki.com/wiki/KVM">Setting up KVM on Gentoo
  Linux</a></li>
  <li><a href="http://www.linux-kvm.org/page/Virtio">Using Virtio Drivers in
  Linux</a></li>
</ul>
<br><p class="copyright">
	The contents of this document, unless otherwise expressly stated, are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">CC-BY-SA-2.5</a> license. The <a href="http://www.gentoo.org/main/en/name-logo.xml"> Gentoo Name and Logo Usage Guidelines </a> apply.
  </p>
<!--
  <rdf:RDF xmlns="http://web.resource.org/cc/"
      xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  
  <license rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
    
     <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
     <permits rdf:resource="http://web.resource.org/cc/Distribution" />
     <requires rdf:resource="http://web.resource.org/cc/Notice" />
     <requires rdf:resource="http://web.resource.org/cc/Attribution" />
     <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
     <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
  </License>
  </rdf:RDF>
--><br>
</td>
<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
<tr><td class="topsep" align="center"><p class="alttext">Page updated October 31, 2010</p></td></tr>
<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
Virtualization is a key component in current IT infrastructure. Although
one can easily harden a virtualized operating system instance, you still
require hardening rules on the host level as well. This guide gives you
insight on how to harden the host using Gentoo Hardened.
</p></td></tr>
<tr><td align="left" class="topsep"><p class="alttext">
  <a href="mailto:basile@opensource.dyc.edu" class="altlink"><b>Anthony G. Basile</b></a>
<br><i>Author</i><br></p></td></tr>
</table></td>
</tr></table></td></tr>
<tr><td colspan="2" align="right" class="infohead">
Copyright 2001-2012 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="http://www.gentoo.org/main/en/contact.xml">Contact us</a>.
</td></tr>
</table></body>
</html>