Bug 1573042 - [Docs][Security] Update section for TPS/KSM issues to Sec/Hardening Guide
Summary: [Docs][Security] Update section for TPS/KSM issues to Sec/Hardening Guide
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: documentation
Version: 12.0 (Pike)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: Martin Lopes
QA Contact: RHOS Documentation Team
Depends On:
TreeView+ depends on / blocked
Reported: 2018-04-30 01:49 UTC by Summer Long
Modified: 2018-06-01 03:47 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-06-01 03:47:31 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Summer Long 2018-04-30 01:49:42 UTC
Description of problem:
4.1.1. Hypervisors in OpenStack

This section has a good description of the KSM/TPS, but the security aspect needs to be emphasised (the PoC is no longer academic). Could you please add procedures for disabling these? Or add a link to the relevant doc? 

Version-Release number of selected component (if applicable):

Additional info:

Comment 1 Summer Long 2018-04-30 01:55:02 UTC
Or this: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/virtualization_administration_guide/chap-ksm

Basically just need to ensure that the user is aware of the risk of a VM-to-VM attack on the same host, and tell them how to fix it by disabling KSM.

Comment 2 Summer Long 2018-04-30 04:15:22 UTC
Here you go:

"Both kernel same-page merging (KSM) and transparent page sharing (TPS) are vulnerable to attack:

* Memory de-duplication systems are vulnerable to side-channel attacks. In academic studies, attackers were able to identify software packages and versions running on neighboring virtual machines as well as software downloads and other sensitive information through analyzing memory access times on the attacker VM.

* More importantly, row-hammer type attacks[0] have been
demonstrated against KSM to enact cross-VM modification of executable
memory. This means that a hostile VM can gain code-execution access to
other VMs on the same compute host.

If a cloud deployment requires the strong separation of tenants, as with public clouds and some private clouds, deployers should disable both TPS and KSM.

To disable KSM, refer to <link>
To disable TPS, refer to <link>"


Comment 4 Summer Long 2018-05-02 01:43:00 UTC
Thanks Martin.  
* Because disabling KSM/TPS is RHEL specific, could you get the best reference from  the rhel folk? There must be a rhel product doc that has tps info?
* Except for the first sentence, most of that preceding paragraph could probably be combined with the first bullet point. side-channel...side-channel, etc.  Was going to edit it for you, but wouldn't let me :D

thanks, s

Comment 6 Summer Long 2018-05-21 01:57:09 UTC
Thanks, Martin, text looks good (sorry, just got back from PTO). 
However, please check your links. TPS isn't the same as THP. In fact (went off and read more), looks like TPS is the vmware option for de-duplication. If there isn't a compute option for TPS, perhaps only include the link for disabling KSM?

Note You need to log in before you can comment on or make changes to this bug.