
Re: [MirageOS-devel] MirageOS AppVMs on Qubes





On Mon, Nov 23, 2015 at 11:15 AM, Thomas Leonard <talex5@xxxxxxxxx> wrote:
QubesOS is a security-focused desktop OS that runs multiple isolated
VMs under Xen. Typically, these run Linux. For example, I use a Fedora
VM for email and a Debian VM for development.

There is discussion on the qubes mailing list at the moment about
using unikernel VMs:

 https://groups.google.com/forum/#!topic/qubes-users/h03-1hiNMCc

I've written a simple test unikernel [1] that supports Qubes' qrexec
protocol. This allows other domains to send command requests to the
VM. If approved by the dom0 policy, a two-way channel (stdin/stdout)
is established between the requesting VM and the unikernel. qrexec is
built on top of vchan, which was easy to support thanks to David
Scott's ocaml-vchan library.

A small nitpick: although I've written a lot of vchan code recently, the original fully-working version was by Vincent Bernardoff (vbmithr on GitHub).

Apart from that, awesome -- makes me want to buy a PC laptop and install Qubes :-)

Cheers,
Dave

I've also written a tool [2] to let you upload unikernels built in an
AppVM to dom0 and run them easily.

For example:

$ mirage configure --xen
$ make
$ test-mirage mir-qubes-test.xen
Waiting for 'Ready'... OK
Uploading 'mir-qubes-test.xen' (4187256 bytes)
Waiting for 'Booting'... OK
--> Creating volatile image: /var/lib/qubes/appvms/mirage-test/volatile.img...
--> Loading the VM (type = AppVM)...
--> Starting Qubes DB...
--> Setting Qubes DB info for the VM...
--> Updating firewall rules...
--> Starting the VM...
--> Starting the qrexec daemon...
Waiting for VM's qrexec agent.connected
MirageOS booting...
Initialising timer interface
Initialising console ... done.
info: Starting qrexec agent; waiting for client...
info: Got connection
info: Handshake done; client version is 2

It currently offers "echo" and "quit" services. e.g. from dom0:

[tal@dom0 bin]$ qvm-run -p --nogui mirage-test echo
Hi user! Please enter a string:
Hello
You wrote "Hello". Bye.

If anyone is interested in helping out, let me know! I've added a
pioneer project [3] to replace their existing FirewallVM with a Mirage
unikernel, as one possibility. We also need basic QubesDB support and
some kind of GUId so that Qubes will believe the VM has started (it
assumes every VM provides a GUI currently).


[1] https://github.com/talex5/qubes-test-mirage
[2] https://github.com/talex5/mirage-qubes
[3] https://github.com/mirage/mirage-www/wiki/Pioneer-Projects#qubes-firewallvm


--
Dr Thomas Leonard    http://roscidus.com/blog/
GPG: DA98 25AE CAD0 8975 7CDA BD8E 0713 3F96 CA74 D8BA

_______________________________________________
MirageOS-devel mailing list
MirageOS-devel@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel



--
Dave Scott