Re: Support status of OpenBSD frontend drivers
- To: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>
- From: Roger Pau Monné <roger.pau@xxxxxxxxxx>
- Date: Fri, 25 Mar 2022 10:00:21 +0100
- Cc: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>, Xen developer discussion <xen-devel@xxxxxxxxxxxxxxxxxxxx>
- Delivery-date: Fri, 25 Mar 2022 09:00:49 +0000
- List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On Thu, Mar 24, 2022 at 09:10:57PM -0400, Demi Marie Obenour wrote:
> On 3/24/22 18:21, Marek Marczykowski-Górecki wrote:
> > On Thu, Mar 24, 2022 at 11:49:14AM -0400, Demi Marie Obenour wrote:
> >> On 3/24/22 10:11, Roger Pau Monné wrote:
> >>> On Thu, Mar 24, 2022 at 09:56:29AM -0400, Demi Marie Obenour wrote:
> >>>> As per private discussion with Theo de Raadt, OpenBSD does not consider
> >>>> bugs in its xnf(4) that allow a backend to cause mischief to be security
> >>>> issues. I believe the same applies to its xbf(4). Should the support
> >>>> document be updated?
> >>>
> >>> I think that's already reflected in the support document:
> >>>
> >>> 'Status, OpenBSD: Supported, Security support external'
> >>>
> >>> Since the security support is external it's my understanding OpenBSD
> >>> security team gets to decide what's a security issue and what is not.
> >>>
> >>> That however creates differences in the level of support offered by
> >>> the different OSes, but I think that's unavoidable. It's also hard to
> >>> track the status here because those are external components in
> >>> separate code bases.
> >>>
> >>> Could be added as a mention together with the Windows note about
> >>> frontends trusting backends, but then I would fear this is likely to
> >>> get out of sync if OpenBSD ever changes their frontends to support
> >>> untrusted backends (even if not considered as a security issue).
> >>
> >> As a Qubes OS developer, I still think this is useful information and
> >> should be documented. For instance, if I choose to add proper OpenBSD
> >> guest support to Qubes OS (as opposed to the current “you can run
> >> anything in an HVM” situation), I might decide to have OpenBSD
> >> guests use devices emulated by a Linux-based stubdomain, since the
> >> stubdomain’s netfront and blkfront drivers *are* security-supported
> >> against malicious backends. I might also choose to have a warning in
> >> the GUI when switching the NetVM of an OpenBSD guest to something other
> >> than the empty string (meaning no network access) or the (normally
> >> fairly trusted) sys-firewall or sys-whonix qubes.
> >
> > I'm with Roger on this - when security support is external, such
> > information in xen.git could easily become stale. If anything, there
> > could be a link to OpenBSD security status info, maintained by whoever
> > provides such support.
>
> This ought to be on https://man.openbsd.org/xnf.4 and
> https://man.openbsd.org/xbf.4, but it is not. Should I send a patch?
You should discuss with the OpenBSD people I think, I really have no
idea where those limitations should be listed. Introducing a man page
'Caveats' or 'Limitations' section would seem suitable to me, but
it's ultimately up to them.
Thanks, Roger.