Bug 1573042

Summary: [Docs][Security] Update section for TPS/KSM issues to Sec/Hardening Guide
Product: Red Hat OpenStack
Reporter: Summer Long <slong>
Component: documentation
Assignee: Martin Lopes <mlopes>
Status: CLOSED CURRENTRELEASE
QA Contact: RHOS Documentation Team <rhos-docs>
Severity: high
Priority: high
Version: 12.0 (Pike)
CC: lbopf, slong, srevivo
Last Closed: 2018-06-01 03:47:31 UTC
Type: Bug

Description Summer Long 2018-04-30 01:49:42 UTC
Description of problem:
4.1.1. Hypervisors in OpenStack
https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/12/html-single/security_and_hardening_guide/#hypervisors_in_openstack

This section has a good description of the KSM/TPS, but the security aspect needs to be emphasised (the PoC is no longer academic). Could you please add procedures for disabling these? Or add a link to the relevant doc? 

Version-Release number of selected component (if applicable):
12

Additional info:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/virtualization_tuning_and_optimization_guide/#sect-KSM-Deactivating_KSM

Comment 1 Summer Long 2018-04-30 01:55:02 UTC
Or this: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/virtualization_administration_guide/chap-ksm

Basically just need to ensure that the user is aware of the risk of a VM-to-VM attack on the same host, and tell them how to fix it by disabling KSM.

Comment 2 Summer Long 2018-04-30 04:15:22 UTC
Here you go:

"Both kernel same-page merging (KSM) and transparent page sharing (TPS) are vulnerable to attack:

* Memory de-duplication systems are vulnerable to side-channel attacks. In academic studies, attackers were able to identify software packages and versions running on neighboring virtual machines as well as software downloads and other sensitive information through analyzing memory access times on the attacker VM.

* More importantly, row-hammer type attacks[0] have been demonstrated against KSM to enact cross-VM modification of executable memory. This means that a hostile VM can gain code-execution access to other VMs on the same compute host.

If a cloud deployment requires the strong separation of tenants, as with public clouds and some private clouds, deployers should disable both TPS and KSM.

To disable KSM, refer to <link>
To disable TPS, refer to <link>"


[0] https://access.redhat.com/articles/1377393

Comment 4 Summer Long 2018-05-02 01:43:00 UTC
Thanks Martin.  
* Because disabling KSM/TPS is RHEL specific, could you get the best reference from the RHEL folk? There must be a RHEL product doc that has TPS info?
* Except for the first sentence, most of that preceding paragraph could probably be combined with the first bullet point. side-channel...side-channel, etc. Was going to edit it for you, but wouldn't let me :D

thanks, s

Comment 6 Summer Long 2018-05-21 01:57:09 UTC
Thanks, Martin, text looks good (sorry, just got back from PTO). 
However, please check your links. TPS isn't the same as THP. In fact (went off and read more), looks like TPS is the VMware option for de-duplication. If there isn't a compute option for TPS, perhaps only include the link for disabling KSM?
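
An added example, not part of the bug report or of Red Hat's documentation: a host-side check that reports whether KSM is still sharing pages, assuming the kernel's standard sysfs files `/sys/kernel/mm/ksm/run` and `pages_shared`. The function names and state labels are chosen for this example. A `run` value of 0 stops the KSM daemon but leaves already-merged pages shared, which is the case the check singles out.

```shell
#!/bin/sh
# Added example: audit the KSM state of a compute host through sysfs.
# The optional directory argument is an assumption of this example so the
# check can be pointed at a constructed copy of the sysfs files.

ksm_state() {
    dir="${1:-/sys/kernel/mm/ksm}"
    # No 'run' file: the kernel does not expose KSM, nothing to disable.
    [ -r "$dir/run" ] || { echo "absent"; return 0; }
    run=$(cat "$dir/run")
    shared=$(cat "$dir/pages_shared" 2>/dev/null || true)
    # Treat a missing or non-numeric counter as zero.
    case "${shared:-0}" in *[!0-9]*) shared=0 ;; esac
    case "$run" in
        1) echo "active" ;;                     # ksmd is scanning and merging
        0|2)
            # run=0 stops ksmd but keeps merged pages; run=2 also unmerges.
            if [ "${shared:-0}" -gt 0 ]; then
                echo "stopped-still-merged"     # pages remain shared across VMs
            else
                echo "disabled"
            fi ;;
        *) echo "unknown" ;;
    esac
}

# Exit status 0 only when no page sharing is possible or in effect.
ksm_hardened() {
    case "$(ksm_state "$1")" in
        absent|disabled) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run `ksm_hardened` with no argument on each compute host; a non-zero status means KSM is running or merged pages are still in place.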