
Re: Security support status of xnf(4) and xbf(4)



On Mon, Mar 28, 2022 at 04:12:29AM +0200, Marek Marczykowski-Górecki wrote:
> On Mon, Mar 28, 2022 at 12:45:24PM +1100, Damien Miller wrote:
> > On Fri, 25 Mar 2022, Demi Marie Obenour wrote:
> > 
> > > Linux’s netfront and blkfront drivers recently had a security
> > > vulnerability (XSA-396) that allowed a malicious backend to potentially
> > > compromise them.  In follow-up audits, I found that OpenBSD’s xnf(4)
> > > currently trusts the backend domain.  I reported this privately to Theo
> > > de Raadt, who indicated that OpenBSD does not consider this to be a
> > > security concern.
> > > 
> > > This is obviously a valid position for the OpenBSD project to take, but
> > > it is surprising to some (such as myself) from the broader Xen
> > > ecosystem.  Standard practice in the Xen world is that bugs in frontends
> > > that allow a malicious backend to cause mischief *are* considered
> > > security bugs unless there is explicit documentation to the contrary.
> > > As such, I believe this deserves to be noted in xnf(4) and xbf(4)’s man
> > > pages.  If the OpenBSD project agrees, I am willing to write a patch,
> > > but I have no experience with mandoc so it might take a few tries.
> > 
> > Hang on, what is a "malicious backend" in this context? Is it something
> > other than the Xen Hypervisor? If not, then it seems not to be a useful
> > attack model, as the hypervisor typically has near-complete access to
> > guests' memory and CPU state.
> 
> No, Xen supports running backends for PV devices in an arbitrary domain,

*Yes

> not only dom0. You can read more about it at
> https://wiki.xenproject.org/wiki/Driver_Domain
> See also Andrew's response, Xen is way more disaggregated than KVM.
> 
> Qubes OS makes heavy use of this feature - for example network traffic
> never passes through dom0 (which has no network interfaces at all!). You
> can read more about it at the link below (especially look for the
> diagram at the end, if you want just a quick look):
> https://www.qubes-os.org/doc/architecture/
> 
> -- 
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab



-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
