Since PVH does not yet support PCI passthrough, are there other recommended SP3 mitigations for 64-bit PV driver domains?
Lock them down? Device driver domains, even if not fully trusted, are going to be part of the system and therefore at least semi-TCB.
If an attacker can't run code in your driver domain (and be aware of things like server side processing, JIT of SQL, etc as "running code" methods), they aren't in a position to mount an SP3 attack.
Well, the main reason why driver domains are used in Qubes OS is the assumption that it is not possible to really "lock them down", given a full OS (Linux) running inside and being exposed to the outside world (having network adapters, USB controllers etc). There are so many components running in them that for sure some of them are buggy. Just some examples exploitable in the near past: DHCP client, Bluetooth stack.
If we'd believe that handling those devices exposed to the outside world is "safe", we wouldn't use driver domains at all...
Indeed, but they are in a better position than arbitrary VMs, because users can't just log into them and start running code. (I really hope...)
Regards, Lars