Xen project Mailing List

Re: Security support status of xnf(4) and xbf(4)

From: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>

Date: Mon, 28 Mar 2022 04:12:29 +0200

Cc: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, Xen developer discussion <xen-devel@xxxxxxxxxxxxxxxxxxxx>, OpenBSD technical mailing list <tech@xxxxxxxxxxx>

Delivery-date: Mon, 28 Mar 2022 02:12:56 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On Mon, Mar 28, 2022 at 12:45:24PM +1100, Damien Miller wrote: > On Fri, 25 Mar 2022, Demi Marie Obenour wrote: > > > Linux’s netfront and blkfront drivers recently had a security > > vulnerability (XSA-396) that allowed a malicious backend to potentially > > compromise them. In follow-up audits, I found that OpenBSD’s xnf(4) > > currently trusts the backend domain. I reported this privately to Theo > > de Raadt, who indicated that OpenBSD does not consider this to be a > > security concern. > > > > This is obviously a valid position for the OpenBSD project to take, but > > it is surprising to some (such as myself) from the broader Xen > > ecosystem. Standard practice in the Xen world is that bugs in frontends > > that allow a malicious backend to cause mischief *are* considered > > security bugs unless there is explicit documentation to the contrary. > > As such, I believe this deserves to be noted in xnf(4) and xbf(4)’s man > > pages. If the OpenBSD project agrees, I am willing to write a patch, > > but I have no experience with mandoc so it might take a few tries. > > Hang on, what is a "malicious backend" in this context? Is it something > other than the Xen Hypervisor? If not, then it seems not to be a useful > attack model, as the hypervisor typically has near-complete access to > guests' memory and CPU state. No, Xen supports running backends for PV devices in arbitrary domain, not only dom0. You can read more about it at https://wiki.xenproject.org/wiki/Driver_Domain See also Andrew's response, Xen is way more disaggregated than KVM. Qubes OS makes heavy use of this feature - for example network traffic never passes through dom0 (which has no network interfaces at all!). You can read more about it at the link below (especially look for the diagram at the end, if you want just a quick look): https://www.qubes-os.org/doc/architecture/ -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab

Attachment: signature.asc
Description: PGP signature

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.