Xen thermal repair technology (basic understanding)

Xen Thermal repair technology

Content introduction ：Xen Is an open source virtual machine monitor , Developed by Cambridge University .
It's going to run up to... On a single computer 100 A full feature operating system . The operating system must be explicitly modified （“ transplant ”） In the Xen Up operation （ But provide compatibility for user applications ）. This makes Xen No special hardware support required , Can achieve high-performance virtualization .

One 、Xen Security vulnerability summary

Total release 125 individual Security vulnerabilities
among xsa-108 and xsa-123 It's a high-risk vulnerability
XSA-108
2014 year 10 month 1 Daily announcement
Can lead to Hypervisor Memory leaks to clients
XSA-123
2015 year 3 month 10 Daily announcement
Can cause the client instruction to be authorized

Two 、Xen How to repair security vulnerabilities

Cold patch method
After patching, restart the server to take effect
All customers VM must Shutdown
all VM Will be interrupted 10-30 minute
Mostly Xen Our operators are using

Hot patch mode
Dynamically apply patches to fix vulnerabilities
Customer VM No need to restart or shut down
Customer VM No perception of the repair process
Alibaba cloud has mastered the hot patch technology

3、 ... and 、Linux kernel Hotfix

1、 More mature in the industry Hotfix programme
Ksplice by Oracle
Ksplice by Suse
Ksplice by Redhat
Ksplice by Alibaba
2、 The implementation of kernel technology
（1） reserve Pre-Defined Interface
（2） Allow kernel insertion Module
（3） Have access to kernel memory
（4） Function level substitution
And kernel Hotfix comparison ,Xen hyperviso Hotfix The technical challenges are enormous

Four 、Xen Hypervisor The underlying architecture

5、 ... and 、Xen The challenge of hot repair

1、Xen yes Type-1 Hypervisor Memory is strictly isolated ;
2、Xen Hypervisor The loaded address is dynamic ;
3、Xen Hypervisor Block insertion is not supported ;

6、 ... and 、 How to access the Hpypervisor Memory

adopt DMA visit Xen Memory
structure DMA The ability to ask
Using the kernel Hotfix Replace Dom0 These two functions of the kernel
In the new map_sg/unmap_sg Add filtering logic to
Filter out specific DMA request , modify DMA Destination address

Normal file reading operation flow

File reading process during hot repair

4. Calculate the address of the repair code

（1） equipment DMA Only physical addresses can be used

（2）Hypervisor Loading process

（3）Hypervisor Hotfix Physical address calculation formula loading

（4）XSA-123

5. Machine code patch injection process

Determine the physical address of the code to be injected
from Hypervisor Read the machine code of the relevant code (4K)
And expect Pattern Is the comparison consistent
If consistent , Put the machine code Patch And read the code N Merge, Generate a new Patch
Suspend all VM function
Put the new Patch adopt DMA Write back to Hypervisor
Reply to all VM function
VM The shorter the pause, the better

6、 ... and 、 Summary

Security is a top priority in cloud computing business
Perfect safety problem handling plan
Thermal repair technology is very important for safe operation
Multi team collaboration is particularly important

7、 ... and . summary

Elastic computing is a typical reference of virtualization technology
1. Virtualization technology includes the following three points
CPU virtualization Memory virtualization IO virtualization
2.Xen and KVM It is the most popular open source virtualization system today
Supporting the world 70% The above cloud computing businesses
3.Xen Security vulnerability hot repair technology determines a company's operation ability
Alibaba cloud has the world's first Hypervisor Thermal repair technology

Reference material
Intel SDM:Intel 64 and IA-32 Architectures Software Developer Manuals
Elastic calculation
Xen
Xen Security vulnerabilities
KVM

Data collection comes from ： Alibaba cloud

Thank you for your , give the thumbs-up , Collection , Focus on , Comment on ！