Re: [MirageOS-devel] Mirage OS and Qubes OS integration
I haven't been doing much to it recently, except switching dependencies to use upstream versions as they get released. The only one still pinned to a Git commit is mirage-nat (which I think is waiting for ICMP NAT support - I believe Mindy is currently refactoring the tcpip library, which might allow sharing its ICMP support with mirage-nat).

I've been running mirage-firewall fine for a couple of months now on my laptop with 20 MB RAM allocated to it (the last known out-of-memory bug was fixed 27th Feb).

I've just updated it today to support OCaml 4.03, which should bring reproducible builds :-) (requires mirage-qubes >= 0.3).

For some reason, the binary size has increased from about 5 MB to about 10 MB (and it no longer runs with 20 MB RAM). I'm not sure what caused that - probably some extra dependency getting pulled in somehow.

On 13 May 2016 at 20:28, Cyril LEVIS <levis.cyril@xxxxxxxxx> wrote:
> Hi,
>
> What about mirage firewall integration? Leonard is working hard ^^
> https://github.com/talex5/mirage-qubes
>
> On Monday 8 February 2016 at 16:24:04 UTC+1, Anil Madhavapeddy wrote:
>>
>> On 7 Feb 2016, at 22:33, Thomas Leonard <tal...@xxxxxxxxx> wrote:
>> >
>> >> How is that related to Mirage OS? It can be distributed/installed as
>> >> minimal root.img, containing just /boot directory with:
>> >> - a Mirage OS binary
>> >> - grub2 configuration starting it
>> >>
>> >> Why not installing it directly as a kernel (also using some new qrexec
>> >> service)? Two reasons:
>> >> - VM kernel loaded from dom0 filesystem is parsed by a toolstack
>> >> running there. While the attack surface is quite small here
>> >> (probably only uncompressing code), it still exists
>>
>> This is indeed how we boot on EC2 at the moment (which uses pv-grub also).
>>
>> https://github.com/mirage/mirage/blob/master/scripts/ec2.sh
>>
>> A Mirage Xen unikernel is wrapped in a minimal image that includes a
>> grub.conf that points to it.
>>
>> Anil

--
Dr Thomas Leonard http://roscidus.com/blog/
GPG: DA98 25AE CAD0 8975 7CDA BD8E 0713 3F96 CA74 D8BA