author Sven Vermeulen <sven.vermeulen@siphos.be> 2010-10-31 19:56:59 +0100
committer Sven Vermeulen <sven.vermeulen@siphos.be> 2010-10-31 19:56:59 +0100
commit e155a5a5bedd084000a601905c25eccd89a6b813
tree d9317c9c2561d208e85546f8161c0a618fd3fa32
parent Small fixes and language constructs
Adding hardened virtualization (guidexmlified)
-rw-r--r-- hardened-virtualization.xml 149
1 files changed, 149 insertions, 0 deletions
diff --git a/hardened-virtualization.xml b/hardened-virtualization.xml
new file mode 100644
index 0000000..401b1d2
--- /dev/null
+++ b/hardened-virtualization.xml
@@ -0,0 +1,149 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/doc/en/xorg-config.xml,v 1.42 2010/10/25 07:38:17 nightmorph Exp $ -->
+
+<guide>
+<title>Gentoo Hardened Virtualization Guide</title>
+
+<author title="Author">
+ <mail link="blueness"/>
+</author>
+
+<abstract>
+Virtualization is a key component in current IT infrastructure. Although
+one can easily harden a virtualized operating system instance, you still
+require hardening rules on the host level as well. This guide gives you
+insight on how to harden the host using Gentoo Hardened.
+</abstract>
+
+<!-- The content of this document is licensed under the CC-BY-SA license -->
+<!-- See http://creativecommons.org/licenses/by-sa/2.5 -->
+<license/>
+
+<version>1</version>
+<date>2010-10-31</date>
+
+<chapter>
+<title>Hardening a Virtualization Environment</title>
+<section>
+<title>Virtualization and Hardening?</title>
+<body>
+
+<p>
+The hardening of virtualized environments is growing in popularity.
+Virtualization has the advantages of isolating services on various slim guests
+running on a larger server, while hardening provides for enhanced security for
+both the guests and host. In practice, however, getting the two to work
+together is not always an easy task as the technologies employed by one often
+interfer with the other. This is complicated by the fact that there many
+implementations of virtualization and many degrees of hardening. This guide
+aims to provide some clarity to the issues and outline some best practices.
+</p>
+
+</body>
+</section>
+<section>
+<title>Types of virtualization and degrees of hardening</title>
+<body>
+
+<p>
+This guide looks at virtualization using kvm, xen and vmware under hardening
+by GRSEC/PaX. For each type of virtualization, we discuss what hardening
+features work for the host and guests without either degrading performance
+horribly or breaking completely. This is not a howto on setting up
+virtualization since that is covered elsewhere; rather, we limit our
+discussion to just what hardening features ought to be enabled or disable when
+configuring the kernel of the host or guest operating systems.
+</p>
+
+</body>
+</section>
+<section>
+<title>Hardening KVM</title>
+<body>
+
+<p>
+KVM (Kernel-base Virtual Machine) provides virtualization on x86 and x86_64
+hosts that have the required hardware support (Intel-VT or AMD-V). The host
+uses a general kernel module (kvm.ko), a processor specific module
+(kvm-intel.ko or kvm-amd.ko), and a userland utility (qemu-kvm), to run the
+guests. The guests can be configured to use emulated hardware (full
+virtualization) or virtio (para virtualization). Paravirt has the advantage
+of increasing performance and providing a common I/O interface between host
+and guest. Resources for setting up kvm on gentoo can be found at the end
+of this guide.
+</p>
+
+<p>
+As of this writing, there are no known restrictions on hardening for the
+guest. Test of both x86 and x86_64 guests using either emulated hardware or
+virtio, with all hardening features, including CONFIG_PAX_KERNEXEC and
+CONFIG_PAX_MEMORY_UDEREF, have been successfull.
+</p>
+
+<p>
+For the host, however, one must disable both CONFIG_PAX_KERNEXEC and
+CONFIG_PAX_MEMORY_UDEREF. Either of these will set an invisible kernel
+option, CONFIG_PAX_PER_CPU_PGD, which is know to break kvm. What is actually
+happening is that the guest's performance is degraded to the point where it is
+unusable, but doesn't crash, and the host is left with qemu-kvm in
+uninterruptible sleep (state D when doing ps aux). Only rebooting the host
+clears the issue.
+</p>
+
+<p>
+These tests were done using the 2.6.32 and 2.6.34 branches of the kernel with
+GRSEC/PaX patch version 2.1.14 and 2.2.0 (see Gentoo bug <uri
+link="https://bugs.gentoo.org/328623">#328623</uri>). However, it unlikely that
+this problem will be solved anytime soon, which is unfortunate because both
+KERNEXEC and UDEREF are excellent hardening features.
+</p>
+
+</body>
+</section>
+<section>
+<title>Hardening Xen</title>
+<body>
+
+<p>
+Xen is an older virtualization technology than kvm, but similar in many
+regards. It employs a hypervisor which boots a specialize host's kernel
+(dom0). Once the host is up, it in turn runs guests (domU) ... TODO
+</p>
+
+<!-- TODO Complete this part -->
+
+</body>
+</section>
+<section>
+<title>VMWare Workstation</title>
+<body>
+
+<p>
+TODO
+</p>
+
+<!-- TODO Complete this part -->
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Resources</title>
+<section>
+<body>
+
+<p>
+KVM related resources:
+</p>
+
+<ul>
+ <li><uri link="http://en.gentoo-wiki.com/wiki/KVM">Setting up KVM on Gentoo Linux</uri></li>
+ <li><uri link="http://www.linux-kvm.org/page/Virtio">Using Virtio Drivers in Linux</uri></li>
+</ul>
+
+</body>
+</section>
+</chapter>
+</guide>
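
Review bot: The "Hardening Xen" and "VMWare Workstation" sections put placeholder text into rendered paragraphs (the Xen <p> ends in "... TODO" and the VMWare <p> contains only "TODO"), while "Types of virtualization and degrees of hardening" promises coverage of kvm, xen and vmware. The XML comments already mark both parts as incomplete, so drop the placeholder text from the <p> bodies or leave these sections out until they have content. The $Header$ comment near the top of the new file still names xorg-config.xml,v 1.42 and nightmorph, so it should be reset for hardened-virtualization.xml. In "Hardening KVM", the instruction to disable CONFIG_PAX_KERNEXEC and CONFIG_PAX_MEMORY_UDEREF on the host reads as unconditional, yet the tested scope (2.6.32 and 2.6.34 kernels with GRSEC/PaX 2.1.14 and 2.2.0) only appears in the following paragraph; stating that scope next to the instruction would tell readers when the restriction should be re-tested. Spelling to fix before merge: "interfer", "there many", "Kernel-base", "successfull", "is know to", "it unlikely", "specialize host's kernel", "enabled or disable".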