author: Sven Vermeulen <sven.vermeulen@siphos.be> 2010-10-31 20:01:08 +0100
committer: Sven Vermeulen <sven.vermeulen@siphos.be> 2010-10-31 20:01:08 +0100
commit: 91de623d24dfa3bf769c00d217ff06517303195c (patch)
tree: ee7406e64c15e6572fee0d3f1f4a60dd3f28e5e5
parent: Merge branch 'master' of git+ssh://git.overlays.gentoo.org/proj/hardened-docs (diff)
adding HTML rendering of hardened virtualization
-rw-r--r-- hardened-virtualization.html | 145
1 files changed, 145 insertions, 0 deletions
diff --git a/hardened-virtualization.html b/hardened-virtualization.html
new file mode 100644
index 0000000..ef43fef
--- /dev/null
+++ b/hardened-virtualization.html
@@ -0,0 +1,145 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+<link title="new" rel="stylesheet" href="/css/main.css" type="text/css">
+<link REL="shortcut icon" HREF="/favicon.ico" TYPE="image/x-icon">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/www-gentoo-org.xml" title="Gentoo Website">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/forums-gentoo-org.xml" title="Gentoo Forums">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/bugs-gentoo-org.xml" title="Gentoo Bugzilla">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/packages-gentoo-org.xml" title="Gentoo Packages">
+<link rel="search" type="application/opensearchdescription+xml" href="http://www.gentoo.org/search/archives-gentoo-org.xml" title="Gentoo List Archives">
+<title>Gentoo Linux Documentation
+--
+ Gentoo Hardened Virtualization Guide</title>
+</head>
+<body style="margin:0px;" bgcolor="#ffffff"><table width="100%" border="0" cellspacing="0" cellpadding="0">
+<tr><td valign="top" height="125" bgcolor="#45347b"><a href="/"><img border="0" src="/images/gtop-www.jpg" alt="Gentoo Logo"></a></td></tr>
+<tr><td valign="top" align="right" colspan="1" bgcolor="#ffffff"><table border="0" cellspacing="0" cellpadding="0" width="100%"><tr>
+<td width="99%" class="content" valign="top" align="left">
+<br><h1>Gentoo Hardened Virtualization Guide</h1>
+<form name="contents" action="http://www.gentoo.org">
+<b>Content</b>:
+ <select name="url" size="1" OnChange="location.href=form.url.options[form.url.selectedIndex].value" style="font-family:sans-serif,Arial,Helvetica"><option value="#doc_chap1">1. Hardening a Virtualization Environment</option>
+<option value="#doc_chap2">2. Resources</option></select>
+</form>
+<p class="chaphead"><a name="doc_chap1"></a><span class="chapnum">1. 
+ </span>Hardening a Virtualization Environment</p>
+<p class="secthead"><a name="doc_chap1_sect1">Virtualization and Hardening?</a></p>
+<p>
+The hardening of virtualized environments is growing in popularity.
+Virtualization has the advantages of isolating services on various slim guests
+running on a larger server, while hardening provides for enhanced security for
+both the guests and host. In practice, however, getting the two to work
+together is not always an easy task as the technologies employed by one often
+interfer with the other. This is complicated by the fact that there many
+implementations of virtualization and many degrees of hardening. This guide
+aims to provide some clarity to the issues and outline some best practices.
+</p>
+<p class="secthead"><a name="doc_chap1_sect2">Types of virtualization and degrees of hardening</a></p>
+<p>
+This guide looks at virtualization using kvm, xen and vmware under hardening
+by GRSEC/PaX. For each type of virtualization, we discuss what hardening
+features work for the host and guests without either degrading performance
+horribly or breaking completely. This is not a howto on setting up
+virtualization since that is covered elsewhere; rather, we limit our
+discussion to just what hardening features ought to be enabled or disable when
+configuring the kernel of the host or guest operating systems.
+</p>
+<p class="secthead"><a name="doc_chap1_sect3">Hardening KVM</a></p>
+<p>
+KVM (Kernel-base Virtual Machine) provides virtualization on x86 and x86_64
+hosts that have the required hardware support (Intel-VT or AMD-V). The host
+uses a general kernel module (kvm.ko), a processor specific module
+(kvm-intel.ko or kvm-amd.ko), and a userland utility (qemu-kvm), to run the
+guests. The guests can be configured to use emulated hardware (full
+virtualization) or virtio (para virtualization). Paravirt has the advantage
+of increasing performance and providing a common I/O interface between host
+and guest. Resources for setting up kvm on gentoo can be found at the end
+of this guide.
+</p>
+<p>
+As of this writing, there are no known restrictions on hardening for the
+guest. Test of both x86 and x86_64 guests using either emulated hardware or
+virtio, with all hardening features, including CONFIG_PAX_KERNEXEC and
+CONFIG_PAX_MEMORY_UDEREF, have been successfull.
+</p>
+<p>
+For the host, however, one must disable both CONFIG_PAX_KERNEXEC and
+CONFIG_PAX_MEMORY_UDEREF. Either of these will set an invisible kernel
+option, CONFIG_PAX_PER_CPU_PGD, which is know to break kvm. What is actually
+happening is that the guest's performance is degraded to the point where it is
+unusable, but doesn't crash, and the host is left with qemu-kvm in
+uninterruptible sleep (state D when doing ps aux). Only rebooting the host
+clears the issue.
+</p>
+<p>
+These tests were done using the 2.6.32 and 2.6.34 branches of the kernel with
+GRSEC/PaX patch version 2.1.14 and 2.2.0 (see Gentoo bug <a href="https://bugs.gentoo.org/328623">#328623</a>). However, it unlikely that
+this problem will be solved anytime soon, which is unfortunate because both
+KERNEXEC and UDEREF are excellent hardening features.
+</p>
+<p class="secthead"><a name="doc_chap1_sect4">Hardening Xen</a></p>
+<p>
+Xen is an older virtualization technology than kvm, but similar in many
+regards. It employs a hypervisor which boots a specialize host's kernel
+(dom0). Once the host is up, it in turn runs guests (domU) ... TODO
+</p>
+<p class="secthead"><a name="doc_chap1_sect5">VMWare Workstation</a></p>
+<p>
+TODO
+</p>
+<p class="chaphead"><a name="doc_chap2"></a><span class="chapnum">2. 
+ </span>Resources</p>
+<p>
+KVM related resources:
+</p>
+<ul>
+ <li><a href="http://en.gentoo-wiki.com/wiki/KVM">Setting up KVM on Gentoo Linux</a></li>
+ <li><a href="http://www.linux-kvm.org/page/Virtio">Using Virtio Drivers in Linux</a></li>
+</ul>
+<br><p class="copyright">
+ The contents of this document are licensed under the <a href="http://creativecommons.org/licenses/by-sa/2.5">Creative Commons -
+ Attribution / Share Alike</a> license.
+ </p>
+<!--
+ <rdf:RDF xmlns="http://web.resource.org/cc/"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <License rdf:about="http://creativecommons.org/licenses/by-sa/2.5/">
+ <permits rdf:resource="http://web.resource.org/cc/Reproduction" />
+ <permits rdf:resource="http://web.resource.org/cc/Distribution" />
+ <requires rdf:resource="http://web.resource.org/cc/Notice" />
+ <requires rdf:resource="http://web.resource.org/cc/Attribution" />
+ <permits rdf:resource="http://web.resource.org/cc/DerivativeWorks" />
+ <requires rdf:resource="http://web.resource.org/cc/ShareAlike" />
+ </License>
+ </rdf:RDF>
+--><br>
+</td>
+<td width="1%" bgcolor="#dddaec" valign="top"><table border="0" cellspacing="4px" cellpadding="4px">
+<tr><td class="topsep" align="center"><p class="altmenu"><a title="View a printer-friendly version" class="altlink" href="blueness?style=printable">Print</a></p></td></tr>
+<tr><td class="topsep" align="center"><p class="alttext">Updated October 31, 2010</p></td></tr>
+<tr><td class="topsep" align="left"><p class="alttext"><b>Summary: </b>
+Virtualization is a key component in current IT infrastructure. Although
+one can easily harden a virtualized operating system instance, you still
+require hardening rules on the host level as well. This guide gives you
+insight on how to harden the host using Gentoo Hardened.
+</p></td></tr>
+<tr><td align="left" class="topsep"><p class="alttext">
+ <a href="mailto:blueness@gentoo.org" class="altlink"><b>blueness</b></a>
+<br><i>Author</i><br></p></td></tr>
+<tr lang="en"><td align="center" class="topsep">
+<p class="alttext"><b>Donate</b> to support our development efforts.
+ </p>
+<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
+<input type="hidden" name="cmd" value="_xclick"><input type="hidden" name="business" value="paypal@gentoo.org"><input type="hidden" name="item_name" value="Gentoo Linux Support"><input type="hidden" name="item_number" value="1000"><input type="hidden" name="image_url" value="/images/paypal.png"><input type="hidden" name="no_shipping" value="1"><input type="hidden" name="return" value="http://www.gentoo.org"><input type="hidden" name="cancel_return" value="http://www.gentoo.org"><input type="image" src="http://images.paypal.com/images/x-click-but21.gif" name="submit" alt="Donate to Gentoo">
+</form>
+</td></tr>
+<tr lang="en"><td align="center"><iframe src="http://sidebar.gentoo.org" scrolling="no" width="125" height="850" frameborder="0" style="border:0px padding:0x" marginwidth="0" marginheight="0"><p>Your browser does not support iframes.</p></iframe></td></tr>
+</table></td>
+</tr></table></td></tr>
+<tr><td colspan="2" align="right" class="infohead">
+Copyright 2001-2010 Gentoo Foundation, Inc. Questions, Comments? <a class="highlight" href="/main/en/contact.xml">Contact us</a>.
+</td></tr>
+</table></body>
+</html>
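Review bot: the rendered page publishes two unfinished sections, "Hardening Xen" ends mid-sentence in "... TODO" and "VMWare Workstation" contains only "TODO", while the contents selector and the sidebar summary present the guide as complete; either leave those sections out of the rendering until the source is written or mark them as work in progress in the text. The printer-friendly link `href="blueness?style=printable"` points at the author's handle rather than at this document, so the Print view will not resolve; it should reference the hardened-virtualization page. The `<title>` is split over three lines with a bare `--` between "Gentoo Linux Documentation" and the guide name, which shows up as a literal dash pair in the browser tab. Several typos in the source carry through to the HTML and should be corrected in the GuideXML rather than patched here: "interfer" and "there many" in the first section, "ought to be enabled or disable", "Kernel-base Virtual Machine", "Test of both ... have been successfull", "which is know to break kvm", "it unlikely that", and "specialize host's kernel" in the Xen section.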