[MirageOS-devel] MirageOS AppVMs on Qubes
QubesOS is a security-focused desktop OS that runs multiple isolated VMs under Xen. Typically, these run Linux. For example, I use a Fedora VM for email and a Debian VM for development. There is discussion on the qubes mailing list at the moment about using unikernel VMs:

https://groups.google.com/forum/#!topic/qubes-users/h03-1hiNMCc

I've written a simple test unikernel [1] that supports Qubes' qrexec protocol. This allows other domains to send command requests to the VM. If approved by the dom0 policy, a two-way channel (stdin/stdout) is established between the requesting VM and the unikernel. qrexec is built on top of vchan, which was easy to support thanks to David Scott's ocaml-vchan library.

I've also written a tool [2] to let you upload unikernels built in an AppVM to dom0 and run them easily. For example:

    $ mirage configure --xen
    $ make
    $ test-mirage mir-qubes-test.xen
    Waiting for 'Ready'... OK
    Uploading 'mir-qubes-test.xen' (4187256 bytes)
    Waiting for 'Booting'... OK
    --> Creating volatile image: /var/lib/qubes/appvms/mirage-test/volatile.img...
    --> Loading the VM (type = AppVM)...
    --> Starting Qubes DB...
    --> Setting Qubes DB info for the VM...
    --> Updating firewall rules...
    --> Starting the VM...
    --> Starting the qrexec daemon...
    Waiting for VM's qrexec agent.connected
    MirageOS booting...
    Initialising timer interface
    Initialising console ... done.
    info: Starting qrexec agent; waiting for client...
    info: Got connection
    info: Handshake done; client version is 2

It currently offers "echo" and "quit" services. e.g. from dom0:

    [tal@dom0 bin]$ qvm-run -p --nogui mirage-test echo
    Hi user! Please enter a string:
    Hello
    You wrote "Hello". Bye.

If anyone is interested in helping out, let me know! I've added a pioneer project [3] to replace their existing FirewallVM with a Mirage unikernel, as one possibility. We also need basic QubesDB support and some kind of GUId so that Qubes will believe the VM has started (it assumes every VM provides a GUI currently).

[1] https://github.com/talex5/qubes-test-mirage
[2] https://github.com/talex5/mirage-qubes
[3] https://github.com/mirage/mirage-www/wiki/Pioneer-Projects#qubes-firewallvm

--
Dr Thomas Leonard        http://roscidus.com/blog/
GPG: DA98 25AE CAD0 8975 7CDA BD8E 0713 3F96 CA74 D8BA