| Posted | Nick | Remark | |
|---|---|---|---|
| #openstack-nova - 2019-04-25 | |||
| 13:55:37 | efried | aspiers: If you want to give a brief off-the-cuff/anecdotal talk in the session, that would be most welcome. | |
| 13:55:53 | aspiers | efried: that might be possible. when is it? | |
| 13:55:57 | efried | ... | |
| 13:55:58 | sean-k-mooney | actuly i think these might be auto generated form teh metadefs | |
| 13:56:01 | mriedem | stephenfin: https://docs.openstack.org/glance/latest/admin/manage-images.html | |
| 13:56:07 | mriedem | sean-k-mooney: they are not | |
| 13:56:15 | mriedem | the useful-image-properties page is hand-written | |
| 13:56:26 | efried | aspiers: https://www.openstack.org/summit/denver-2019/summit-schedule/events/23620/nova-project-onboarding | |
| 13:56:40 | sean-k-mooney | oh ok ill update them so. thanks for the pointer | |
| 13:56:48 | kashyap | edleafe: On that traits patch, please see if I've answered your question | |
| 13:56:52 | mriedem | lyarwood: if you fix the alignment here https://review.opendev.org/#/c/655696/1/nova/virt/libvirt/driver.py i'm +2 | |
| 13:57:21 | kashyap | edleafe: Ah, you've actually responded; I just needed to refresh it | |
| 13:57:36 | edleafe | kashyap: damn, I'm fast! | |
| 13:58:14 | kashyap | Damn, what I thought was a drive-by is becoming a shaving a farm of yaks :D | |
| 13:58:21 | efried | kashyap: I was going to respond on that one too, with a summary. TLDR, what I said in my last response, do that split and "deprecate" the HW_CPU_AMD_SEV in favor of HW_CPU_X86_AMD_SEV | |
| 13:59:13 | kashyap | efried: By "deprecate", you mean just add a note that it's bogus, right? | |
| 13:59:46 | efried | yes | |
| 13:59:48 | sean-k-mooney | efried: just re reviews kashyap cpu selection spec and im fine with the new verions. thanks kashyap | |
| 13:59:59 | kashyap | sean-k-mooney: Thanks! | |
| 14:00:03 | edleafe | Yeah, since the trait won't ever be removed. More of a "we screwed up; don't use this one" note | |
| 14:00:21 | kashyap | sean-k-mooney: We'll get to debate fun details in the implementation :D I have a WIP post patch to introduce the infra, before it gets lost | |
| 14:00:39 | efried | kashyap: re edleafe's comment on the NO_SSB thing, I thought that wasn't so much a negative trait as advertising that "this CPU has had the horrible thing removed". | |
| 14:00:54 | efried | iow, absent that trait, you can't tell whether it's there or not | |
| 14:01:13 | efried | so we want that trait so the consumer can be sure the horrible thing is gone. | |
| 14:01:19 | kashyap | Exactly | |
| 14:01:24 | edleafe | efried: if that's the case, then rename it to a positive assertion of a capability | |
| 14:01:29 | kashyap | That's why I wanted to mention it. Let me read Ed's comment | |
| 14:01:35 | efried | edleafe: like SSB_REMOVED? | |
| 14:01:47 | edleafe | sure, something along those lines | |
| 14:01:51 | efried | edleafe: Would prefer to retain symmetry with the CPU traits themselves, though. | |
| 14:02:07 | kashyap | "NO_SSB" == No more SSB vulnerability on this host CPU -- isn't that clear enough? | |
| 14:02:08 | sean-k-mooney | kashyap: i would like to see two thing. 1 on sucessful validation print the cpu configurtion the guest will see as an info long. on failure pritn the requested combination, whant the host supports and what could not be supproted as an error log. | |
| 14:02:09 | efried | with the names from the architecture, that is | |
| 14:02:31 | efried | kashyap: IMO it is, and is preferable to renaming it to make it sound more positive | |
| 14:02:39 | efried | just need to get edleafe on board with that | |
| 14:02:59 | kashyap | Okay, I'll go re-read the comments. These flags have some dizzying acronyms | |
| 14:03:12 | sean-k-mooney | kashyap: im not sure we should be tracking vulnerblities as traits | |
| 14:03:29 | edleafe | efried: not having something isn't a capabilty. Being clean of some defect is. | |
| 14:03:29 | kashyap | sean-k-mooney: Huh, we're not | |
| 14:03:32 | stephenfin | sean-k-mooney: What happens if this isn't true? https://review.opendev.org/#/c/629589/27/nova/virt/libvirt/driver.py@8161 | |
| 14:03:37 | efried | edleafe: These are going to be consumed by people who are familiar with the arch and are looking for the equivalent trait, not people who are just casting around and trying to understand a trait based on its name. | |
| 14:03:47 | sean-k-mooney | NO_SSB kind of is | |
| 14:03:49 | kashyap | sean-k-mooney: It's a CPU flag. Please ask before you assume :-) | |
| 14:04:02 | sean-k-mooney | i know what it is | |
| 14:04:05 | sean-k-mooney | i was not assuming | |
| 14:04:17 | kashyap | Well, it's a CPU flag. We need to track it as a "trait", if you want to report that a given Compute host is no more vulnerable to it | |
| 14:04:25 | kashyap | Is something wrong with t? | |
| 14:04:28 | kashyap | s/t/it/ | |
| 14:04:50 | edleafe | kashyap: is it generally referred to as NO_SSB in the relevant documentation (asking because I have no idea) | |
| 14:04:58 | sean-k-mooney | if we have NO_SSB i can do traits:no_SSB=forbiden and then deploy a workload that expliot it to a host that has the vulnerablity | |
| 14:05:03 | kashyap | edleafe: Exactly what efried said. These are for admins who read their documentation (and they will be sufficiently rewarded) | |
| 14:05:11 | efried | edleafe: https://git.qemu.org/?p=qemu.git;a=blob;f=docs/qemu-cpu-models.texi#l313 | |
| 14:06:09 | mriedem | tssurya: fyi in case you haven't seen this https://review.opendev.org/#/c/636947/ | |
| 14:06:22 | efried | edleafe: This set of traits is being mapped directly from that document | |
| 14:06:25 | mriedem | bauzas: ^ is a nice little perf improvement when listing AZs in a large cloud | |
| 14:06:38 | edleafe | efried: ok, I understand a bit more. | |
| 14:06:43 | bauzas | mriedem: okay | |
| 14:06:46 | efried | edleafe: sections important_cpu_features_intel_x86 and important_cpu_features_amd_x86 | |
| 14:06:49 | tssurya | mriedem: yeah I have it open | |
| 14:06:59 | bauzas | mriedem: FWIW, I'll be traveling starting tonight | |
| 14:07:02 | tssurya | thanks for doing that | |
| 14:07:08 | edleafe | That doc also defines things such as mutually exclusive traits, which os-traits and placement doesn't enforce | |
| 14:07:34 | sean-k-mooney | efried: edleafe i still think we need to consider the securtiy impact of having NO_SSB as a trait before we add it | |
| 14:07:35 | efried | edleafe: true story, but not really relevant; the driver is going to detect what's on the CPU and report that. | |
| 14:07:36 | mriedem | tssurya: thank avolkov | |
| 14:07:56 | kashyap | edleafe: Only 'amd-no-ssb | |
| 14:08:08 | kashyap | edleafe: Only 'amd-no-ssb' is the mutually exclusive trait. | |
| 14:08:29 | kashyap | Again, what efried said ^ (on driver detecting) | |
| 14:08:36 | edleafe | sean-k-mooney: what would the potential impact be? A CPU reporting it that is actually vulnerable to it? | |
| 14:08:45 | sean-k-mooney | yes | |
| 14:08:46 | tssurya | I tweaked a downstream patch when we opened that bug, never got around to doing it upstream | |
| 14:09:00 | sean-k-mooney | and then a user uploading an image that require a cpu with the vulnerablity | |
| 14:09:01 | efried | edleafe: sean-k-mooney is saying a malicious user could specify NO_SSB as a forbidden trait to deliberately land on a vulnerable host. | |
| 14:09:02 | kashyap | sean-k-mooney: Also what is "forbidden" in this context? | |
| 14:09:19 | efried | kashyap: We have the ability to specify a request with "DON'T land on a host if it has this trait" | |
| 14:09:23 | sean-k-mooney | kashyap: we support requireing traitns or selecting host that do not have a trait | |
| 14:09:28 | kashyap | efried: Ah-ha | |
| 14:09:44 | efried | kashyap: The placement request would look like required=!HW_CPU_X86_AMD_NO_SSB | |
| 14:09:47 | sean-k-mooney | so if we report either the presence or absence of ssbd | |
| 14:10:01 | efried | kashyap: From a flavor extra spec like trait:HW_CPU_X86_AMD_NO_SSB=forbidden IIRC | |
| 14:10:20 | sean-k-mooney | i can exploit that to target a host with the volnerablity with my payload | |
| 14:10:28 | efried | Yeah, I don't know if this is a problem though sean-k-mooney | |
| 14:10:29 | kashyap | Yeah, noted. | |
| 14:10:41 | edleafe | sean-k-mooney: so without that trait, attackers could just spin up random VMs and see if they are on a vulnerable host. Having the trait just makes those hosts easier to find. Is that it? | |
| 14:10:49 | kashyap | efried: Yeah, that's what I was wondering. The positives of having it outweigh some theoretical threat | |
| 14:10:51 | efried | The admin is responsible for putting together the flavors. Why would the admin do that? | |
| 14:10:56 | sean-k-mooney | edleafe: yes | |
| 14:11:18 | sean-k-mooney | i would like the openstack security team to weigh in on this personally | |
| 14:11:37 | efried | there's an email address for that, right? | |
| 14:11:46 | mriedem | efried: gibi: trying to recreate this TestRPC infinite recursion is getting frustrating :) https://review.opendev.org/#/c/654468/ - i'm thinking maybe push another change to oslo.config (or nova?) that sets the max recursion depth and see if that blows things up? | |
| 14:11:47 | sean-k-mooney | efried: users can upload image with traits request | |
| 14:11:59 | sean-k-mooney | so its not admin im worried about | |
| 14:12:00 | kashyap | efried: Yes, very good point on admin's responsibility | |
| 14:12:28 | efried | http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security | |
| 14:12:32 | gibi | mriedem: I also tried to reproduce it locally without success. Do you assume that if you set the recursion limit to small enough then the stack trace will not be truncated? | |
| 14:12:44 | efried | ugh, do you have to be subscribed to post to that? | |
| 14:13:00 | kashyap | efried: Not necessarily | |
| 14:13:05 | sean-k-mooney | efried: there is but we can also talk to them in person next week | |
| 14:13:09 | kashyap | efried: Mailman moderator can approve you | |
| 14:13:14 | sean-k-mooney | we will all be in the same place | |