author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2010-10-31 20:01:08 +0100 |
---|---|---|
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2010-10-31 20:01:08 +0100 |
commit | 91de623d24dfa3bf769c00d217ff06517303195c (patch) | |
tree | ee7406e64c15e6572fee0d3f1f4a60dd3f28e5e5 | |
parent | Merge branch 'master' of git+ssh://git.overlays.gentoo.org/proj/hardened-docs (diff) | |
download | hardened-docs-91de623d24dfa3bf769c00d217ff06517303195c.tar.gz hardened-docs-91de623d24dfa3bf769c00d217ff06517303195c.tar.bz2 hardened-docs-91de623d24dfa3bf769c00d217ff06517303195c.zip |
adding HTML rendering of hardened virtualization
-rw-r--r-- | hardened-virtualization.html | 145 |
1 files changed, 145 insertions, 0 deletions
diff --git a/hardened-virtualization.html b/hardened-virtualization.html new file mode 100644 index 0000000..ef43fef --- /dev/null +++ b/hardened-virtualization.html 
@@ -0,0 +1,145 @@ +<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<html lang="en"> +<head> +<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> +<link title="new" rel="stylesheet" href="/css/main.css" type="text/css"> +<link REL="shortcut icon" HREF="/favicon.ico" TYPE="image/x-icon"> +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website"> +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums"> +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla"> +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages"> +<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives"> +<title>Gentoo Linux Documentation +-- + Gentoo Hardened Virtualization Guide</title> +</head> +<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0"> +<tr><td valign="top" height="125" bgcolor="#45347b"><a href="/"><img border="0" src="/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr> +<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr> +<td width="99%" class="content" valign="top" align="left"> +<br><h1>Gentoo Hardened Virtualization Guide</h1> +<form name="contents" action="http://www.gentoo.org"> +<b>Content</b>: + <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. 
Hardening a Virtualization Environment</option> +<option value="#doc_chap2">2. Resources</option></select> +</form> +<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. + </span>Hardening a Virtualization Environment</p> +<p class="secthead"><a name="doc_chap1_sect1">Virtualization and Hardening?</a></p> +<p> +The hardening of virtualized environments is growing in popularity. +Virtualization has the advantages of isolating services on various slim guests +running on a larger server, while hardening provides for enhanced security for +both the guests and host. In practice, however, getting the two to work +together is not always an easy task as the technologies employed by one often +interfer with the other. This is complicated by the fact that there many +implementations of virtualization and many degrees of hardening. This guide +aims to provide some clarity to the issues and outline some best practices. +</p> +<p class="secthead"><a name="doc_chap1_sect2">Types of virtualization and degrees of hardening</a></p> +<p> +This guide looks at virtualization using kvm, xen and vmware under hardening +by GRSEC/PaX. For each type of virtualization, we discuss what hardening +features work for the host and guests without either degrading performance +horribly or breaking completely. This is not a howto on setting up +virtualization since that is covered elsewhere; rather, we limit our +discussion to just what hardening features ought to be enabled or disable when +configuring the kernel of the host or guest operating systems. +</p> +<p class="secthead"><a name="doc_chap1_sect3">Hardening KVM</a></p> +<p> +KVM (Kernel-base Virtual Machine) provides virtualization on x86 and x86_64 +hosts that have the required hardware support (Intel-VT or AMD-V). The host +uses a general kernel module (kvm.ko), a processor specific module +(kvm-intel.ko or kvm-amd.ko), and a userland utility (qemu-kvm), to run the +guests. 
The guests can be configured to use emulated hardware (full +virtualization) or virtio (para virtualization). Paravirt has the advantage +of increasing performance and providing a common I/O interface between host +and guest. Resources for setting up kvm on gentoo can be found at the end +of this guide. +</p> +<p> +As of this writing, there are no known restrictions on hardening for the +guest. Test of both x86 and x86_64 guests using either emulated hardware or +virtio, with all hardening features, including CONFIG_PAX_KERNEXEC and +CONFIG_PAX_MEMORY_UDEREF, have been successfull. +</p> +<p> +For the host, however, one must disable both CONFIG_PAX_KERNEXEC and +CONFIG_PAX_MEMORY_UDEREF. Either of these will set an invisible kernel +option, CONFIG_PAX_PER_CPU_PGD, which is know to break kvm. What is actually +happening is that the guest's performance is degraded to the point where it is +unusable, but doesn't crash, and the host is left with qemu-kvm in +uninterruptible sleep (state D when doing ps aux). Only rebooting the host +clears the issue. +</p> +<p> +These tests were done using the 2.6.32 and 2.6.34 branches of the kernel with +GRSEC/PaX patch version 2.1.14 and 2.2.0 (see Gentoo bug <a href="https://bugs.gentoo.org/328623">#328623</a>). However, it unlikely that +this problem will be solved anytime soon, which is unfortunate because both +KERNEXEC and UDEREF are excellent hardening features. +</p> +<p class="secthead"><a name="doc_chap1_sect4">Hardening Xen</a></p> +<p> +Xen is an older virtualization technology than kvm, but similar in many +regards. It employs a hypervisor which boots a specialize host's kernel +(dom0). Once the host is up, it in turn runs guests (domU) ... TODO +</p> +<p class="secthead"><a name="doc_chap1_sect5">VMWare Workstation</a></p> +<p> +TODO +</p> +<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2. 
+ </span>Resources</p> +<p> +KVM related resources: +</p> +<ul> + <li><a href="http://en.gentoo-wiki.com/wiki/KVM">Setting up KVM on Gentoo Linux</a></li> + <li><a href="http://www.linux-kvm.org/page/Virtio">Using Virtio Drivers in Linux</a></li> +</ul> +<br><p class="copyright"> + The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons - + Attribution / Share Alike</a> license. + </p> +<!-- + <rdf:RDF xmlns="http://web.resource.org/cc/" + xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> + <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/"> + <permits rdf:resource="http://web.resource.org/cc/Reproduction" /> + <permits rdf:resource="http://web.resource.org/cc/Distribution" /> + <requires rdf:resource="http://web.resource.org/cc/Notice" /> + <requires rdf:resource="http://web.resource.org/cc/Attribution" /> + <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" /> + <requires rdf:resource="http://web.resource.org/cc/ShareAlike" /> + </License> + </rdf:RDF> +--><br> +</td> +<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px"> +<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="blueness?style=printable">Print</a></p></td></tr> +<tr><td class="topsep" align="center"><p class="alttext">Updated October 31, 2010</p></td></tr> +<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b> +Virtualization is a key component in current IT infrastructure. Although +one can easily harden a virtualized operating system instance, you still +require hardening rules on the host level as well. This guide gives you +insight on how to harden the host using Gentoo Hardened. 
+</p></td></tr> +<tr><td align="left" class="topsep"><p class="alttext"> + <a href="mailto:blueness@gentoo.org" class="altlink"><b>blueness</b></a> +<br><i>Author</i><br></p></td></tr> +<tr lang="en"><td align="center" class="topsep"> +<p class="alttext"><b>Donate</b> to support our development efforts. + </p> +<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> +<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo"> +</form> +</td></tr> +<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr> +</table></td> +</tr></table></td></tr> +<tr><td colspan="2" align="right" class="infohead"> +Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="/main/en/contact.xml">Contact us</a>. +</td></tr> +</table></body> +</html> |
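Review bot: the guide text in this hunk ships with a number of spelling and grammar slips that will be visible on the published page: "interfer" (interfere), "there many implementations" (there are many), "enabled or disable" (enabled or disabled), "Kernel-base Virtual Machine" (Kernel-based), "Test of both x86 and x86_64 guests" (Tests), "successfull" (successful), "which is know to break kvm" (known), "it unlikely that" (it is unlikely that) and "boots a specialize host's kernel" (specialized host kernel). Since the commit message describes this file as a rendering, those belong in the source document, with the HTML re-rendered afterwards, rather than being hand-patched here. Two further points: the "Hardening Xen" and "VMWare Workstation" sections still carry the literal "TODO" placeholder, so either hold the render until they are written or mark them as work in progress on the page; and the printer-friendly link `href="blueness?style=printable"` points at the author's handle rather than at this document, while the sidebar iframe's `style="border:0px padding:0x"` is missing the semicolon between the two properties and has "0x" where "0px" is meant.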