Xen project Mailing List

RE: [Xen-devel] protecting xen startup

To: "Luke Kenneth Casson Leighton" <lkcl@xxxxxxxx>

From: "Neugebauer, Rolf" <rolf.neugebauer@xxxxxxxxx>

Date: Wed, 24 Nov 2004 11:48:15 -0000

Cc: "Mark Williamson" <maw48@xxxxxxxxxxxxxxxx>, <xen-devel@xxxxxxxxxxxxxxxxxxxxx>, "Neugebauer, Rolf" <rolf.neugebauer@xxxxxxxxx>

Delivery-date: Wed, 24 Nov 2004 11:56:24 +0000

List-id: List for Xen developers <xen-devel.lists.sourceforge.net>

Thread-index: AcTSEoy3Y+7Cz4upRHeCP2cv27si7QAB7Gwg

Thread-topic: [Xen-devel] protecting xen startup

> -----Original Message----- > From: Luke Kenneth Casson Leighton [mailto:lkcl@xxxxxxxx] > Sent: 24 November 2004 10:53 > To: Neugebauer, Rolf > Cc: Mark Williamson; xen-devel@xxxxxxxxxxxxxxxxxxxxx > Subject: Re: [Xen-devel] protecting xen startup > > On Tue, Nov 23, 2004 at 11:58:51PM -0000, Neugebauer, Rolf wrote: > > > From a security point of view we probably should/need to restructure the > > current xend significantly into at least two components: a small name > > server and a daemon/tool which knows about assignment of higher level > > devices to domains etc. Note that this will also require changes to > > backend and frontends etc, ie, it's non-trivial. > > hi rolf, > > i'm not familiar enough with the terminology that you are using to > understand fully what you are saying. > > are you hinting at the allocation of device drivers across domains? > > e.g. having one domain do the hardware side and securely > proxy-forwarding the access to that device over to another domain? We run native device drivers in a privileged VM and and in order to share physical devices amongst VMs this VM then exports these to other VMs via idealized/virtual interfaces. The VM with the native device driver exports devices via a backend driver and the VMs using a virtual device run a small stub frontend device driver. The communication between BE and FW is done via shared memory pages and access to these is synchronized via event channels. > for example /dev/console in one domain being proxy-forwarded into > another domain for it to be accessible as /dev/xendomainconsole0, > something like that? > > because if so that _would_ be great because it'd be a trivial job in > selinux to set up an selinux permission to access the device inode > at the "receiving" end so to speak. Yes, in principle you should be able to do that (and we have been thinking along similar lines). However, at the moment the linux kernel in the exporting VM (BE) does not know anything about other VMs so as far as my understanding goes you can't apply SELinux policies to it as you don't have a subject. Rolf > > ... but i have to point out that i'm more concerned about leveraging > what is available - right now - than i am about future versions. > > l. ------------------------------------------------------- SF email is sponsored by - The IT Product Guide Read honest & candid reviews on hundreds of IT Products from real users. Discover which products truly live up to the hype. Start reading now. http://productguide.itmanagersjournal.com/ _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/xen-devel

Follow-Ups:

Re: [Xen-devel] protecting xen startup
- From: Luke Kenneth Casson Leighton

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.