OSSN/OSSN-0028 - Revision history (feed: https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0028&feed=atom&action=history)
Revision history for this page on the wiki, last updated 2024-03-28T17:37:25Z, MediaWiki 1.28.2
Revision https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0028&diff=128789&oldid=prev by Lhinds, 2016-07-22T09:41:03Z: /* Contacts / References */
<table class="diff diff-contentalign-left" data-mw="interface">
<col class='diff-marker' />
<col class='diff-content' />
<col class='diff-marker' />
<col class='diff-content' />
<tr style='vertical-align: top;' lang='en'>
<td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td>
<td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 09:41, 22 July 2016</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l59" >Line 59:</td>
<td colspan="2" class="diff-lineno">Line 59:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Contacts / References ===</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>=== Contacts / References ===</div></td></tr>
<tr><td colspan="2"> </td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">* Author: Nathan Kinder, Red Hat</ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0028</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0028</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1337349</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1337349</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* OpenStack Security ML : openstack-security@lists.openstack.org</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* OpenStack Security ML : openstack-security@lists.openstack.org</div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* OpenStack Security Group : https://launchpad.net/~openstack-ossg</div></td><td class='diff-marker'> </td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>* OpenStack Security Group : https://launchpad.net/~openstack-ossg</div></td></tr>
</table>
Author: Lhinds
Revision https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0028&diff=64287&oldid=prev by Nkinder, 2014-10-03T19:18:24Z: Created page with "__NOTOC__ == Nova leaks compute host SMBIOS serial number to guests == === Summary === When Nova is using the libvirt virtualization driver, the SMBIOS serial number supplie..."
<p><b>New page</b></p><div>__NOTOC__<br />
<br />
== Nova leaks compute host SMBIOS serial number to guests ==<br />
<br />
=== Summary ===<br />
When Nova is using the libvirt virtualization driver, the SMBIOS<br />
serial number supplied by libvirt is provided to the guest instances<br />
that are running on a compute node. This serial number may expose<br />
sensitive information about the underlying compute node hardware.<br />
<br />
=== Affected Services / Software ===<br />
Nova, Icehouse, Havana<br />
<br />
=== Discussion ===<br />
The 'serial' field in a guest's SMBIOS tables is populated from the<br />
host hardware UUID that libvirt reports. The rationale is to allow<br />
correlation of guests running on the same host.<br />
<br />
Unfortunately some hardware vendors use a subset of the host UUID as a<br />
key for retrieving hardware support contract information without<br />
requiring any authentication. In these cases, exposing the host UUID to<br />
the guest is an information leak for those vendors.<br />
<br />
The exposed host UUID could theoretically be leveraged by a cloud user<br />
to get an approximate count of the number of unique hosts available to<br />
them in the cloud by launching many short lived VMs.<br />
<br />
=== Recommended Actions ===<br />
It is possible to override the hardware UUID that libvirt reads from<br />
the compute node's SMBIOS data by setting the 'host_uuid' parameter in<br />
/etc/libvirt/libvirtd.conf. This lets an administrator choose an<br />
arbitrary UUID for identification purposes that does not leak any<br />
information about the real underlying hardware. Making use of this<br />
override is advised to prevent potential exposure of information about<br />
the underlying compute node hardware.<br />
<br />
In the Juno release of OpenStack, Nova's libvirt driver allows the<br />
source of the host UUID to be controlled via a new 'sysinfo_serial'<br />
config parameter. This new parameter allows the following values:<br />
<br />
* 'auto' - try /etc/machine-id, fallback to libvirt reported host UUID (new default)<br />
* 'hardware' - always use libvirt host UUID (old default)<br />
* 'os' - always use /etc/machine-id, error if missing<br />
* 'none' - do not report any value to the guest<br />
<br />
In general, it is preferable to use the /etc/machine-id UUID instead<br />
of the host hardware UUID. The former is a recent standard for Linux<br />
distros, introduced by systemd, that provides a UUID unique per<br />
operating system install. This means that even containers see a<br />
separate /etc/machine-id value. /etc/machine-id can be expected to be<br />
widely available in current and future distros. If the file is<br />
missing, it is still possible to fall back to the libvirt reported host<br />
UUID.<br />
<br />
Administrators concerned about exposing the ability to identify an<br />
underlying compute node by its serial number may wish to disable<br />
reporting of any sysinfo serial field at all by using the 'none' value.<br />
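The following is an added worked example, not code from Nova, libvirt or<br />
this OSSN. It mirrors the four 'sysinfo_serial' values listed above as a<br />
small selection function, including the 'os' error and the 'auto'<br />
fallback when /etc/machine-id is missing, and adds an audit check an<br />
operator can run by comparing the serial observed inside a guest (for<br />
example from 'dmidecode -s system-serial-number') with the hardware UUID<br />
the host reports (for example from 'virsh sysinfo'). The function names,<br />
the machine_id_path argument, and the sample host UUID and machine-id<br />
values are this example's own constructed assumptions; it reads a<br />
temporary file rather than the real /etc/machine-id.<br />

```python
import os
import tempfile
import uuid

# Constructed sample values (not taken from any real machine): what
# libvirt would report as the host hardware UUID, and the contents of
# /etc/machine-id on the compute node.
HOST_HW_UUID = "4c4c4544-0034-5a10-8052-b4c04f4e4e32"
MACHINE_ID = "a1b2c3d4e5f60718293a4b5c6d7e8f90"


def canonical_uuid(value):
    """Parse any UUID spelling (32 hex digits, hyphenated, braced) into the
    hyphenated lower-case form; raises ValueError if it is not a UUID."""
    return str(uuid.UUID(value.strip()))


def read_machine_id(path):
    """Return the canonical UUID stored at path, or None when the file is
    absent, empty or not a UUID (the case the 'auto' fallback handles)."""
    try:
        with open(path) as f:
            return canonical_uuid(f.read().split()[0])
    except (OSError, ValueError, IndexError):
        return None


def select_sysinfo_serial(mode, libvirt_host_uuid, machine_id_path="/etc/machine-id"):
    """Pick the serial that will land in the guest's SMBIOS table, following
    the documented semantics of the four sysinfo_serial values.
    Returns None for 'none' (nothing is reported to the guest)."""
    if mode == "none":
        return None
    if mode == "hardware":            # old default: always the host UUID
        return canonical_uuid(libvirt_host_uuid)
    if mode not in ("auto", "os"):
        raise ValueError("unknown sysinfo_serial value: %r" % mode)
    machine_id = read_machine_id(machine_id_path)
    if machine_id is not None:
        return machine_id
    if mode == "os":                  # 'os' must not silently fall back
        raise RuntimeError("sysinfo_serial=os but %s is missing or not a UUID"
                           % machine_id_path)
    return canonical_uuid(libvirt_host_uuid)   # 'auto' fallback


def guest_serial_leaks_host_uuid(guest_serial, host_hw_uuid):
    """Audit check: compare the serial seen inside a guest with the hardware
    UUID reported on the host. True means the tenant can read the real
    hardware UUID, i.e. the leak this OSSN describes is present."""
    if not guest_serial:
        return False
    try:
        return canonical_uuid(guest_serial) == canonical_uuid(host_hw_uuid)
    except ValueError:
        return False   # a non-UUID serial cannot be the libvirt host UUID


def run_demo():
    """Exercise every mode against a temporary machine-id file so the
    example runs without touching the real /etc/machine-id."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "machine-id")
        with open(path, "w") as f:
            f.write(MACHINE_ID + "\n")
        missing = os.path.join(d, "no-such-file")
        results = {}
        for mode in ("auto", "hardware", "os", "none"):
            serial = select_sysinfo_serial(mode, HOST_HW_UUID, path)
            results[mode] = serial
            results[mode + "_leaks"] = guest_serial_leaks_host_uuid(serial, HOST_HW_UUID)
        results["auto_no_machine_id"] = select_sysinfo_serial("auto", HOST_HW_UUID, missing)
        try:
            select_sysinfo_serial("os", HOST_HW_UUID, missing)
            results["os_no_machine_id_raises"] = False
        except RuntimeError:
            results["os_no_machine_id_raises"] = True
        return results


if __name__ == "__main__":
    for key, value in sorted(run_demo().items()):
        print("%-24s %s" % (key, value))
```

Running the module prints one line per mode; only 'hardware' (the<br />
Icehouse and Havana behaviour) makes the guest-visible serial equal to<br />
the host hardware UUID, while 'auto' and 'os' expose only the<br />
per-install machine-id and 'none' exposes nothing. On a real compute<br />
node the equivalent fix is to set host_uuid in /etc/libvirt/libvirtd.conf<br />
as described above, or on Juno to set sysinfo_serial in nova.conf to<br />
'os' or 'none' and restart nova-compute.<br />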
<br />
=== Contacts / References ===<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0028<br />
* Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1337349<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg</div>
Author: Nkinder