Penetration Testing mailing list archives

Re: [PEN-TEST] Sun E10K cross-domain testing


From: "Mark (Mookie)" <mark () ZANG COM>
Date: Wed, 14 Feb 2001 16:36:23 -0800

Hi,

I was wondering if anyone has any experience with Sun Enterprise 10,000
servers. Specifically, I have an E10K partitioned into a number of
domains (or virtual machines, if you prefer). I want to ensure
that no information can flow from one domain to another across the
centerplane, and that one virtual machine cannot be used to attack
another in this way.

In practice it's not possible to affect another domain via the centerplane
once the domains have been set up and hpost -C has run to configure the
centerplane. Each domain is isolated from the others by the ASICs on
the CP. Thus an ARBstop or Record Dump on one won't have any effect on any
other domains and there is no method to access the JTAG bus with any sort
of control. In the event of a hardware failure the layers underneath Solaris
will communicate with the control board and the fault information will be
transferred to the SSP, then a panic is delivered up the stack to the
running instance of Solaris; you can't go the other way. This activity is
still isolated from other boards.

One caveat is IDN, using the centerplane as a fast link between domains.
When multiple boards are connected into an IDN at boot time they have
the ability to crash other boards which may have different domains running
on them. This risk is well known and understood; the electrical isolation
is not implemented when you elect to create IDNs. Also, the shared
memory buffers on each instance of Solaris on the IDN contain the same
information, but because of the practice of memory zeroing when allocating
RAM, you can't leak information that wasn't put there by an idn_* call.

The only way to attack other domains is via the SSP or the I/O connections.
Personally I'd go via the SSP method.

Cheers,
Mark.

