% Live Patching
% Revision 1

\clearpage

# Basics

---------------- ----------------------------------------------------
         Status: **Supported**

   Architecture: x86

         Status: **Tech Preview/Experimental**

   Architecture: ARM

      Component: Hypervisor, toolstack
---------------- ----------------------------------------------------

# Details

Xen Live Patching has been available as a tech preview feature since Xen
4.7 and has now had a couple of releases to stabilize. Xen Live Patching
has been used by multiple vendors to fix several real-world security
issues without any severe bugs encountered. Additionally, there are now
tests in OSSTest that test live patching to ensure that no regressions
are introduced.

Based on the amount of testing and usage it has had, we are ready to
declare live patching as a 'Supported' feature on x86.

Live patching is slightly peculiar when it comes to support because it
allows the host administrator to break their system rather easily
depending on the content of the live patch. Because of this, it is
worth detailing the scope of security support:

1) Unprivileged access to live patching operations:
   Live patching operations should only be accessible to privileged
   guests and it shall be treated as a security issue if this is not
   the case.

2) Bugs in the patch-application code such that vulnerabilities exist
   after application:
   If a correct live patch is loaded but it is not applied correctly
   such that it might result in an insecure system (e.g. not all
   functions are patched), it shall be treated as a security issue.

3) Bugs in livepatch-build-tools creating an incorrect live patch that
   results in an insecure host:
   If livepatch-build-tools creates an incorrect live patch that
   results in an insecure host, this shall not be considered a security
   issue. A live patch should be checked to verify that it is valid
   before loading.

4) Loading an incorrect live patch that results in an insecure host or
   host crash:
   If a live patch (whether created using livepatch-build-tools or some
   alternative) is loaded and it results in an insecure host or host
   crash due to the content of the live patch being incorrect or the
   issue being inappropriate to live patch, this is not considered a
   security issue.

5) Bugs in the live patch parsing code (the ELF loader):
   Bugs in the live patch parsing code such as out-of-bounds reads
   caused by invalid ELF files are not considered to be security issues
   because they can only be triggered by a privileged domain.

6) Bugs which allow a guest to prevent the application of a live patch:
   A guest should not be able to prevent the application of a live
   patch. If an unprivileged guest can somehow prevent the application
   of a live patch despite being paused (xl pause ...), it shall be
   treated as a security issue.

Note: It is expected that live patches are tested in a test environment
before being used in production to avoid unexpected issues. In
particular, to avoid the issues described by (3), (4), & (5).

There are also some generic security questions which are worth asking:

1) Is guest->host privilege escalation possible?

The new live patching sysctl subops are only accessible to privileged
domains and this is tested by OSSTest with an XTF test.
There is a caveat -- an incorrect live patch can introduce a guest->host
privilege escalation.

2) Is guest user->guest kernel escalation possible?

No, although an incorrect live patch can introduce a guest user->guest
kernel privilege escalation.

3) Is there any information leakage?

The new live patching sysctl subops are only accessible to privileged
domains so it is not possible for an unprivileged guest to access the
list of loaded live patches. This is tested by OSSTest with an XTF test.
There is a caveat -- an incorrect live patch can introduce an
information leakage.

4) Can a Denial-of-Service be triggered?

There are no known ways that an unprivileged guest can prevent a live
patch from being loaded.
Once again, there is a caveat that an incorrect live patch can introduce
an arbitrary denial of service.