venu_gopal
Occasional contributor

using CompositeID for windows and linux env

Hi,

We are using the MAC address as host id; however, we identified a vulnerability where the same MAC address can be assigned to another machine (especially VMs).

To resolve this vulnerability we are evaluating using a composite id. However, there are a few concerns from reading the documentation.

1. Is it possible to use HOSTID_ETHER and DISK_SERIAL_NUM for both Windows and Linux environments? (The documentation says DISK_SERIAL_NUM is only available for Windows.)

2. Also, is the DISK serial number the volume serial number or the HDD manufacturer's serial number?

If it's the volume serial number, it can again be easily changed or copied to another machine and we'll have the same vulnerability.

Can you suggest/help in the right direction?

Thanks,

jyadav
Revenera

@venu_gopal

DISK_SERIAL_NUM is only available for Windows as it's the Windows volume serial number.
The DISK serial number is the volume serial number. In your use case (VMs) you can use VM_GENID. The newest HostID is VM GenerationID. VM GenerationID was introduced by Microsoft. It was invented in order to solve issues occurring in Active Directory as a result of VM transition events such as clone and snapshot. GenerationID is a 128-bit value provided by the hypervisor to its VMs via the ACPI namespace of the virtual machine.
GenerationID is generally harder to spoof than VMID or MAC address in virtual environments. The advantages of Generation ID over the other two HostIDs are therefore:
• harder to spoof
• the only HostID that changes on revert-to-snapshot
GenerationID has to be supported by both the hypervisor and by a native ACPI driver in the Guest OS. This identifier is available only in Windows VMs.

For composite hostid implementation you can go through the section "Hostids for Supported Systems", which will give you the list of hostids supported that can be used for composition.

You can go through the Whitepaper on Virtualization to get more clarity on how license leakage can be avoided.

venu_gopal
Occasional contributor

Thank you for the information.

Would VM_GENID also work for physical machines? Both Windows and Linux?

Right now for Windows we can use ETHER, DISK_SERIAL_NUM as a combination, but for Linux there doesn't seem to be any relatively harder combination. Apart from the MAC address, HOSTNAME, IPv4 and IPv6 are very easy to spoof.

Is it possible to have the HDD manufacturer's serial number for both Windows and Linux OS? Or is there some way we can add a routine to get the HDD manufacturer's serial number and use it?

jyadav

@venu_gopal VM_GENID is specifically used for virtual machines for Windows and VM_UUID for Linux.

For a Linux physical machine you can go for a vendor-defined hostid if certificate-based licensing is in use, or you can use the Trusted Storage model for better security.

The only supported hostids in Linux are:
• AMZN_AMI
• AMZN_EIP
• HOSTID_CONTAINER_ID
• HOSTID_ETHER
• HOSTID_INTERNET
• HOSTID_FLEXID9
• HOSTID_FLEXID10
• HOSTID_FLEXID9_DTYPE
• PHY_*
• VM_UUID

venu_gopal
Occasional contributor

A vendor-defined id can be used. What do you mean by certificate-based licensing?

jyadav

@venu_gopal Certificate-based licensing is just another term for license-file based licensing.

The license can be stored:
• In a license file—A text file, file_name.lic, whose contents are protected by signatures that are authenticated by the FlexNet Publisher licensing components.
• In trusted storage—A secure location whose contents are encrypted. Licenses are stored as fulfillment records. Fulfillment records in trusted storage can be read only by FlexNet Publisher licensing components.

venu_gopal
Occasional contributor

That sounds good.

So, in case we use CompositeId,

for example for Linux:

CompositeId=HOSTID_ETHER, VM_UUID, VDH

for PC:

CompositeId=HOSTID_MAC, VM_GENID, VDH

Would that work for both virtualized and non-virtualized environments? On non-virtualized envs, having VM_UUID won't cause any issues and would simply be empty.

Is my understanding correct? I am asking because otherwise I would have to provide multiple utilities to the end user so that they can generate the composite id for the target machine.

jyadav

@venu_gopal We generally do not recommend using VM_UUID and VM_GENID for non-virtualized environments, as they are specifically used for virtual environments and we do not test these use cases.

The articles below might come in handy for configuring VDH and the composite hostid:

Steps to configure a combined Vendor Defined HostID and Composite HostID on Linux - Community (flexe...

Let me know if this helps!


Steps to configure a combined Vendor Defined HostID and Composite HostID on Windows - Community (fle...

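The binding idea discussed in this thread (a composite id that fails unless every component is present, so cloning only the MAC address is not enough), as an added example that is not FlexNet Publisher's own hostid code and does not use its API. The Linux collection routine, the "VDH" disk-serial component and the sysfs paths it reads are assumptions; the sample values are constructed.

```python
import hashlib
import pathlib

# Constructed sample values (not read from any real machine) so the example runs offline.
SAMPLE_LICENSED = {
    "HOSTID_ETHER": "00:0c:29:4f:8e:1a",
    "VM_UUID": "564d1d7e-3b2a-4c5f-9a6b-2e7c1f0d8a33",
    "VDH": "WD-WCC4E1234567",  # hypothetical vendor-defined part: disk manufacturer serial
}
REQUIRED = ("HOSTID_ETHER", "VM_UUID", "VDH")


def normalize(name, value):
    """Canonicalise one component so formatting differences alone do not break matching."""
    v = value.strip().lower()
    if name == "HOSTID_ETHER":
        v = v.replace("-", ":")
    return v


def composite_hostid(components, required=REQUIRED):
    """Bind all required components into one id. A missing or empty component is an
    error, so a host cannot pass with only the easily spoofed MAC address present."""
    missing = [n for n in required if not components.get(n, "").strip()]
    if missing:
        raise ValueError("missing hostid components: " + ", ".join(missing))
    canon = "|".join(f"{n}={normalize(n, components[n])}" for n in required)
    return hashlib.sha256(canon.encode()).hexdigest()[:32]


def changed_components(licensed, current, required=REQUIRED):
    """Report which components differ, e.g. to diagnose a failed check after a VM clone."""
    return [n for n in required
            if normalize(n, licensed.get(n, "")) != normalize(n, current.get(n, ""))]


def read_linux_components(iface="eth0", disk="sda"):
    """Best-effort collection on a Linux host via sysfs (assumed paths; a value may be
    empty on some hardware, which composite_hostid() then rejects rather than ignores)."""
    def read(p):
        try:
            return pathlib.Path(p).read_text().strip()
        except OSError:
            return ""
    return {
        "HOSTID_ETHER": read(f"/sys/class/net/{iface}/address"),
        "VM_UUID": read("/sys/class/dmi/id/product_uuid"),
        "VDH": read(f"/sys/block/{disk}/device/serial"),
    }
```

Feed the dictionary from read_linux_components() into composite_hostid() on a real host; the same id is only reproduced when all three components match.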