
Re: Support status of OpenBSD frontend drivers


  • To: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>
  • From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
  • Date: Fri, 25 Mar 2022 10:00:21 +0100
  • Cc: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Xen developer discussion <xen-devel@xxxxxxxxxxxxxxxxxxxx>
  • Delivery-date: Fri, 25 Mar 2022 09:00:49 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Thu, Mar 24, 2022 at 09:10:57PM -0400, Demi Marie Obenour wrote:
> On 3/24/22 18:21, Marek Marczykowski-Górecki wrote:
> > On Thu, Mar 24, 2022 at 11:49:14AM -0400, Demi Marie Obenour wrote:
> >> On 3/24/22 10:11, Roger Pau Monné wrote:
> >>> On Thu, Mar 24, 2022 at 09:56:29AM -0400, Demi Marie Obenour wrote:
> >>>> As per private discussion with Theo de Raadt, OpenBSD does not consider
> >>>> bugs in its xnf(4) that allow a backend to cause mischief to be security
> >>>> issues.  I believe the same applies to its xbf(4).  Should the support
> >>>> document be updated?
> >>>
> >>> I think that's already reflected in the support document:
> >>>
> >>> 'Status, OpenBSD: Supported, Security support external'
> >>>
> >>> Since the security support is external it's my understanding OpenBSD
> >>> security team gets to decide what's a security issue and what is not.
> >>>
> >>> That however creates differences in the level of support offered by
> >>> the different OSes, but I think that's unavoidable. It's also hard to
> >>> track the status here because those are external components in
> >>> separate code bases.
> >>>
> >>> Could be added as a mention together with the Windows note about
> >>> frontends trusting backends, but then I would fear this is likely to
> >>> get out of sync if OpenBSD ever changes their frontends to support
> >>> untrusted backends (even if not considered as a security issue).
> >>
> >> As a Qubes OS developer, I still think this is useful information and
> >> should be documented.  For instance, if I choose to add proper OpenBSD
> >> guest support to Qubes OS (as opposed to the current “you can run
> >> anything in an HVM” situation), I might decide to have OpenBSD
> >> guests use devices emulated by a Linux-based stubdomain, since the
> >> stubdomain’s netfront and blkfront drivers *are* security-supported
> >> against malicious backends.  I might also choose to have a warning in
> >> the GUI when switching the NetVM of an OpenBSD guest to something other
> >> than the empty string (meaning no network access) or the (normally
> >> fairly trusted) sys-firewall or sys-whonix qubes.
> > 
> > I'm with Roger on this - when security support is external, such
> > information in xen.git could easily become stale. If anything, there
> > could be a link to OpenBSD security status info, maintained by whoever
> > such support provides.
> 
> This ought to be on https://man.openbsd.org/xnf.4 and
> https://man.openbsd.org/xbf.4, but it is not.  Should I send a patch?

You should discuss with the OpenBSD people, I think; I really have no
idea where those limitations should be listed. Introducing a man page
'Caveats' or 'Limitations' section would seem suitable to me, but
it's ultimately up to them.

Thanks, Roger.
