| field | value | date |
|---|---|---|
| author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2010-10-31 19:56:59 +0100 |
| committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2010-10-31 19:56:59 +0100 |
| commit | e155a5a5bedd084000a601905c25eccd89a6b813 (patch) | |
| tree | d9317c9c2561d208e85546f8161c0a618fd3fa32 | |
| parent | Small fixes and language constructs (diff) | |
| download | hardened-docs-e155a5a5bedd084000a601905c25eccd89a6b813.tar.gz, hardened-docs-e155a5a5bedd084000a601905c25eccd89a6b813.tar.bz2, hardened-docs-e155a5a5bedd084000a601905c25eccd89a6b813.zip | |
Adding hardened virtualization (guidexmlified)
-rw-r--r-- | hardened-virtualization.xml | 149 |
1 files changed, 149 insertions, 0 deletions
diff --git a/hardened-virtualization.xml b/hardened-virtualization.xml new file mode 100644 index 0000000..401b1d2 --- /dev/null +++ b/hardened-virtualization.xml 
@@ -0,0 +1,149 @@ +<?xml version='1.0' encoding='UTF-8'?> +<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/xorg-config.xml,v 1.42 2010/10/25 07:38:17 nightmorph Exp $ --> + +<guide> +<title>Gentoo Hardened Virtualization Guide</title> + +<author title="Author"> + <mail link="blueness"/> +</author> + +<abstract> +Virtualization is a key component in current IT infrastructure. Although +one can easily harden a virtualized operating system instance, you still +require hardening rules on the host level as well. This guide gives you +insight on how to harden the host using Gentoo Hardened. +</abstract> + +<!-- The content of this document is licensed under the CC-BY-SA license --> +<!-- See http://creativecommons.org/licenses/by-sa/2.5 --> +<license/> + +<version>1</version> +<date>2010-10-31</date> + +<chapter> +<title>Hardening a Virtualization Environment</title> +<section> +<title>Virtualization and Hardening?</title> +<body> + +<p> +The hardening of virtualized environments is growing in popularity. +Virtualization has the advantages of isolating services on various slim guests +running on a larger server, while hardening provides for enhanced security for +both the guests and host. In practice, however, getting the two to work +together is not always an easy task as the technologies employed by one often +interfer with the other. This is complicated by the fact that there many +implementations of virtualization and many degrees of hardening. This guide +aims to provide some clarity to the issues and outline some best practices. +</p> + +</body> +</section> +<section> +<title>Types of virtualization and degrees of hardening</title> +<body> + +<p> +This guide looks at virtualization using kvm, xen and vmware under hardening +by GRSEC/PaX. For each type of virtualization, we discuss what hardening +features work for the host and guests without either degrading performance +horribly or breaking completely. 
This is not a howto on setting up +virtualization since that is covered elsewhere; rather, we limit our +discussion to just what hardening features ought to be enabled or disable when +configuring the kernel of the host or guest operating systems. +</p> + +</body> +</section> +<section> +<title>Hardening KVM</title> +<body> + +<p> +KVM (Kernel-base Virtual Machine) provides virtualization on x86 and x86_64 +hosts that have the required hardware support (Intel-VT or AMD-V). The host +uses a general kernel module (kvm.ko), a processor specific module +(kvm-intel.ko or kvm-amd.ko), and a userland utility (qemu-kvm), to run the +guests. The guests can be configured to use emulated hardware (full +virtualization) or virtio (para virtualization). Paravirt has the advantage +of increasing performance and providing a common I/O interface between host +and guest. Resources for setting up kvm on gentoo can be found at the end +of this guide. +</p> + +<p> +As of this writing, there are no known restrictions on hardening for the +guest. Test of both x86 and x86_64 guests using either emulated hardware or +virtio, with all hardening features, including CONFIG_PAX_KERNEXEC and +CONFIG_PAX_MEMORY_UDEREF, have been successfull. +</p> + +<p> +For the host, however, one must disable both CONFIG_PAX_KERNEXEC and +CONFIG_PAX_MEMORY_UDEREF. Either of these will set an invisible kernel +option, CONFIG_PAX_PER_CPU_PGD, which is know to break kvm. What is actually +happening is that the guest's performance is degraded to the point where it is +unusable, but doesn't crash, and the host is left with qemu-kvm in +uninterruptible sleep (state D when doing ps aux). Only rebooting the host +clears the issue. +</p> + +<p> +These tests were done using the 2.6.32 and 2.6.34 branches of the kernel with +GRSEC/PaX patch version 2.1.14 and 2.2.0 (see Gentoo bug <uri +link="https://bugs.gentoo.org/328623">#328623</uri>). 
However, it unlikely that +this problem will be solved anytime soon, which is unfortunate because both +KERNEXEC and UDEREF are excellent hardening features. +</p> + +</body> +</section> +<section> +<title>Hardening Xen</title> +<body> + +<p> +Xen is an older virtualization technology than kvm, but similar in many +regards. It employs a hypervisor which boots a specialize host's kernel +(dom0). Once the host is up, it in turn runs guests (domU) ... TODO +</p> + +<!-- TODO Complete this part --> + +</body> +</section> +<section> +<title>VMWare Workstation</title> +<body> + +<p> +TODO +</p> + +<!-- TODO Complete this part --> + +</body> +</section> +</chapter> + +<chapter> +<title>Resources</title> +<section> +<body> + +<p> +KVM related resources: +</p> + +<ul> + <li><uri link="http://en.gentoo-wiki.com/wiki/KVM">Setting up KVM on Gentoo Linux</uri></li> + <li><uri link="http://www.linux-kvm.org/page/Virtio">Using Virtio Drivers in Linux</uri></li> +</ul> + +</body> +</section> +</chapter> +</guide> |
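Review bot: the `$Header:` keyword comment on the third line of the new file still carries the path and revision of a different document (`/var/cvsroot/gentoo/xml/htdocs/doc/en/xorg-config.xml,v 1.42 2010/10/25 07:38:17 nightmorph Exp $`), a leftover from the file this guide was copied from; reset it to the bare `$Header: $` so CVS expands it for hardened-virtualization.xml instead of carrying another guide's revision history into this one. The KVM prose also has a number of spelling and grammar slips that should be fixed before this is published: "interfer" (interfere), "there many implementations" (there are many), "enabled or disable" (enabled or disabled), "Kernel-base Virtual Machine" (Kernel-based), "Test of both x86 and x86_64 guests" (Tests), "successfull" (successful), "which is know to break kvm" (known), "it unlikely that" (it is unlikely that) and "a specialize host's kernel" (a specialized host kernel). Lastly, the Xen and VMWare sections contain only "TODO" placeholders; either leave them out until there is content, or state in the abstract that the guide currently covers only KVM, so a reader of the rendered page does not hit two empty sections.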