| Posted | Nick | Remark | |
|---|---|---|---|
| #openstack-nova - 2019-04-25 | |||
| 14:01:29 | kashyap | That's why I wanted to mention it. Let me read Ed's comment | |
| 14:01:35 | efried | edleafe: like SSB_REMOVED? | |
| 14:01:47 | edleafe | sure, something along those lines | |
| 14:01:51 | efried | edleafe: Would prefer to retain symmetry with the CPU traits themselves, though. | |
| 14:02:07 | kashyap | "NO_SSB" == No more SSB vulnerability on this host CPU -- isn't that clear enough? | |
| 14:02:08 | sean-k-mooney | kashyap: i would like to see two thing. 1 on sucessful validation print the cpu configurtion the guest will see as an info long. on failure pritn the requested combination, whant the host supports and what could not be supproted as an error log. | |
| 14:02:09 | efried | with the names from the architecture, that is | |
| 14:02:31 | efried | kashyap: IMO it is, and is preferable to renaming it to make it sound more positive | |
| 14:02:39 | efried | just need to get edleafe on board with that | |
| 14:02:59 | kashyap | Okay, I'll go re-read the comments. These flags have some dizzying acronyms | |
| 14:03:12 | sean-k-mooney | kashyap: im not sure we should be tracking vulnerblities as traits | |
| 14:03:29 | kashyap | sean-k-mooney: Huh, we're not | |
| 14:03:29 | edleafe | efried: not having something isn't a capabilty. Being clean of some defect is. | |
| 14:03:32 | stephenfin | sean-k-mooney: What happens if this isn't true? https://review.opendev.org/#/c/629589/27/nova/virt/libvirt/driver.py@8161 | |
| 14:03:37 | efried | edleafe: These are going to be consumed by people who are familiar with the arch and are looking for the equivalent trait, not people who are just casting around and trying to understand a trait based on its name. | |
| 14:03:47 | sean-k-mooney | NO_SSB kind of is | |
| 14:03:49 | kashyap | sean-k-mooney: It's a CPU flag. Please ask before you assume :-) | |
| 14:04:02 | sean-k-mooney | i know what it is | |
| 14:04:05 | sean-k-mooney | i was not assuming | |
| 14:04:17 | kashyap | Well, it's a CPU flag. We need to track it as a "trait", if you want to report that a given Compute host is no more vulnerable to it | |
| 14:04:25 | kashyap | Is something wrong with t? | |
| 14:04:28 | kashyap | s/t/it/ | |
| 14:04:50 | edleafe | kashyap: is it generally referred to as NO_SSB in the relevant documentation (asking because I have no idea) | |
| 14:04:58 | sean-k-mooney | if we have NO_SSB i can do traits:no_SSB=forbiden and then deploy a workload that expliot it to a host that has the vulnerablity | |
| 14:05:03 | kashyap | edleafe: Exactly what efried said. These are for admins who read their documentation (and they will be sufficiently rewarded) | |
| 14:05:11 | efried | edleafe: https://git.qemu.org/?p=qemu.git;a=blob;f=docs/qemu-cpu-models.texi#l313 | |
| 14:06:09 | mriedem | tssurya: fyi in case you haven't seen this https://review.opendev.org/#/c/636947/ | |
| 14:06:22 | efried | edleafe: This set of traits is being mapped directly from that document | |
| 14:06:25 | mriedem | bauzas: ^ is a nice little perf improvement when listing AZs in a large cloud | |
| 14:06:38 | edleafe | efried: ok, I understand a bit more. | |
| 14:06:43 | bauzas | mriedem: okay | |
| 14:06:46 | efried | edleafe: sections important_cpu_features_intel_x86 and important_cpu_features_amd_x86 | |
| 14:06:49 | tssurya | mriedem: yeah I have it open | |
| 14:06:59 | bauzas | mriedem: FWIW, I'll be traveling starting tonight | |
| 14:07:02 | tssurya | thanks for doing that | |
| 14:07:08 | edleafe | That doc also defines things such as mutually exclusive traits, which os-traits and placement doesn't enforce | |
| 14:07:34 | sean-k-mooney | efried: edleafe i still think we need to consider the securtiy impact of having NO_SSB as a trait before we add it | |
| 14:07:35 | efried | edleafe: true story, but not really relevant; the driver is going to detect what's on the CPU and report that. | |
| 14:07:36 | mriedem | tssurya: thank avolkov | |
| 14:07:56 | kashyap | edleafe: Only 'amd-no-ssb | |
| 14:08:08 | kashyap | edleafe: Only 'amd-no-ssb' is the mutually exclusive trait. | |
| 14:08:29 | kashyap | Again, what efried said ^ (on driver detecting) | |
| 14:08:36 | edleafe | sean-k-mooney: what would the potential impact be? A CPU reporting it that is actually vulnerable to it? | |
| 14:08:45 | sean-k-mooney | yes | |
| 14:08:46 | tssurya | I tweaked a downstream patch when we opened that bug, never got around to doing it upstream | |
| 14:09:00 | sean-k-mooney | and then a user uploading an image that require a cpu with the vulnerablity | |
| 14:09:01 | efried | edleafe: sean-k-mooney is saying a malicious user could specify NO_SSB as a forbidden trait to deliberately land on a vulnerable host. | |
| 14:09:02 | kashyap | sean-k-mooney: Also what is "forbidden" in this context? | |
| 14:09:19 | efried | kashyap: We have the ability to specify a request with "DON'T land on a host if it has this trait" | |
| 14:09:23 | sean-k-mooney | kashyap: we support requireing traitns or selecting host that do not have a trait | |
| 14:09:28 | kashyap | efried: Ah-ha | |
| 14:09:44 | efried | kashyap: The placement request would look like required=!HW_CPU_X86_AMD_NO_SSB | |
| 14:09:47 | sean-k-mooney | so if we report either the presence or absence of ssbd | |
| 14:10:01 | efried | kashyap: From a flavor extra spec like trait:HW_CPU_X86_AMD_NO_SSB=forbidden IIRC | |
| 14:10:20 | sean-k-mooney | i can exploit that to target a host with the volnerablity with my payload | |
| 14:10:28 | efried | Yeah, I don't know if this is a problem though sean-k-mooney | |
| 14:10:29 | kashyap | Yeah, noted. | |
| 14:10:41 | edleafe | sean-k-mooney: so without that trait, attackers could just spin up random VMs and see if they are on a vulnerable host. Having the trait just makes those hosts easier to find. Is that it? | |
| 14:10:49 | kashyap | efried: Yeah, that's what I was wondering. The positives of having it outweigh some theoretical threat | |
| 14:10:51 | efried | The admin is responsible for putting together the flavors. Why would the admin do that? | |
| 14:10:56 | sean-k-mooney | edleafe: yes | |
| 14:11:18 | sean-k-mooney | i would like the openstack security team to weigh in on this personally | |
| 14:11:37 | efried | there's an email address for that, right? | |
| 14:11:46 | mriedem | efried: gibi: trying to recreate this TestRPC infinite recursion is getting frustrating :) https://review.opendev.org/#/c/654468/ - i'm thinking maybe push another change to oslo.config (or nova?) that sets the max recursion depth and see if that blows things up? | |
| 14:11:47 | sean-k-mooney | efried: users can upload image with traits request | |
| 14:11:59 | sean-k-mooney | so its not admin im worried about | |
| 14:12:00 | kashyap | efried: Yes, very good point on admin's responsibility | |
| 14:12:28 | efried | http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security | |
| 14:12:32 | gibi | mriedem: I also tried to reproduce it locally without success. Do you assume that if you set the recursion limit to small enough then the stack trace will not be truncated? | |
| 14:12:44 | efried | ugh, do you have to be subscribed to post to that? | |
| 14:13:00 | kashyap | efried: Not necessarily | |
| 14:13:05 | sean-k-mooney | efried: there is but we can also talk to them in person next week | |
| 14:13:09 | kashyap | efried: Mailman moderator can approve you | |
| 14:13:14 | sean-k-mooney | we will all be in the same place | |
| 14:13:29 | kashyap | sean-k-mooney: In-person, things get too long-winded, and they get lost. | |
| 14:13:32 | efried | sean-k-mooney: Okay, so maybe we need to have an explicit check for such traits and disallow them from image meta? | |
| 14:13:34 | gibi | mriedem: anyhow sounds like a good idea | |
| 14:13:36 | mriedem | gibi: that's the idea | |
| 14:13:50 | sean-k-mooney | efried: maybe | |
| 14:13:54 | mriedem | alternatively, and this is probably easier, just change my oslo.config change from logging a traceback whe it hits a recursion of 3 to just raise | |
| 14:13:58 | mriedem | i'll do that first | |
| 14:14:09 | efried | sean-k-mooney, kashyap: So is one of you going to compose an email? Please copy me. (I'm not subscribed to that list.) | |
| 14:14:23 | stephenfin | ralonsoh: It's a nit, but any chance you can fix this before we merge and backport? https://review.opendev.org/#/c/655332/4/vif_plug_linux_bridge/linux_net.py | |
| 14:14:40 | kashyap | efried: I'm not subscribed either. But will do, if I write. | |
| 14:14:47 | efried | thanks. | |
| 14:15:17 | sean-k-mooney | ok as i said im sure we can grab 10 mins with them next week at the ptg/fourm too | |
| 14:15:45 | kashyap | Also, "exploiting" here is all hand-wavy, and requires some serious competency, and timing to take advantage of such things. | |
| 14:15:46 | sean-k-mooney | efried: and yes we could have a blacklist of traits that cant be in the image | |
| 14:16:07 | sean-k-mooney | kashyap: sure but not allo fo them do | |
| 14:16:09 | efried | sean-k-mooney: Security people will tell you it should be a whitelist :( | |
| 14:16:20 | kashyap | sean-k-mooney: The thing is, I'll forget it in 5 seconds. My memory is worse than a bumblebee's (less than 8 seconds) | |
| 14:16:28 | sean-k-mooney | well the sepc said that too if i recall | |
| 14:16:30 | efried | or a goldfish | |
| 14:16:33 | efried | did we have this conversation? | |
| 14:16:34 | sean-k-mooney | but we never implemented it | |
| 14:16:43 | kashyap | efried: Heh, I guess so | |
| 14:16:47 | efried | and you forgot | |
| 14:16:50 | efried | typical | |
| 14:17:47 | efried | (My memory is pretty unpredictable. Some things I remember forever, some I need hammered in a thousand times and still can't hold onto.) | |
| 14:17:48 | kashyap | efried: Yeah. On the other hand, we (I) should work towards getting the rest of the "uncontroversial" triats in, as that helps admins _today_ | |