On 7 Jul 2020, at 9:37, Pavel Machek wrote:
> Please go through the thread and try to understand it.
> You'd need syscalls per get_randomness(), not per migration.
I think one check per get_randomness() is sufficient, though putting it at the end of the critical section rather than the beginning helps.
void get_randomness(int len, void *out)
{
retry:
	/* Generate random data (pseudocode: fill out[] with len random bytes) */
	rng(out, len);
	/* Check at the end of the critical section, so a clone that lands
	 * while the data was being generated is caught and the data redone. */
	if (vm_was_cloned)
		goto retry;
}
At that point, if there is a VM snapshot event, it happens in the caller's context and it's the caller's job to mitigate it, and the caller can use the same trick if necessary.
Note, though: the security issues arise when a snapshot is being restored more than once. For those cases it seems very reasonable for the snapshot takers to make the image quiescent prior to snapshotting, to further reduce the risk of things like the snapshot occurring in the middle of a different critical section. The mechanism here is about communicating the snapshot to libraries which are self-contained.
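As an added example (not code from this thread), the same retry pattern in compilable C, generalised from a flag to a generation counter that is sampled before and compared after the critical section. The vm_generation counter, the toy xorshift generator and the clone_at hook are constructed stand-ins for the real snapshot notification and RNG.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the snapshot notification (the thread's
 * vm_was_cloned flag): a hypervisor/kernel would bump it on restore. */
static volatile uint64_t vm_generation;
/* Hypothetical test hook: when rng_calls reaches clone_at, bump the
 * generation to simulate a restore landing inside the critical section. */
static long clone_at = -1, rng_calls;

/* Toy xorshift generator standing in for the real RNG; two restored
 * clones would continue from identical state, which is the problem. */
static uint64_t rng_state = 0x9e3779b97f4a7c15ULL;
static uint8_t rng_byte(void)
{
    if (rng_calls++ == clone_at)
        vm_generation++;        /* simulated snapshot restore */
    rng_state ^= rng_state << 13;
    rng_state ^= rng_state >> 7;
    rng_state ^= rng_state << 17;
    return (uint8_t)rng_state;
}

/* Fill out[] and return how many times the critical section was redone.
 * The generation is sampled first but compared only at the END, so a
 * restore at any point while the bytes were produced forces a retry. */
int get_randomness(uint8_t *out, size_t len)
{
    int retries = 0;
    uint64_t gen_before;
retry:
    gen_before = vm_generation;
    for (size_t i = 0; i < len; i++)
        out[i] = rng_byte();
    if (vm_generation != gen_before) {
        retries++;
        goto retry;
    }
    return retries;
}

/* One 16-byte request with a clone injected at rng call 'at' (-1 = none). */
int run_with_clone_at(long at)
{
    static uint8_t buf[16];
    clone_at = at;
    rng_calls = 0;
    return get_randomness(buf, sizeof buf);
}
```

A clone injected before the request starts or after it completes is the caller's problem, as the message says; only a restore between the two generation reads triggers the retry.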