[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH RFC 0/5] Grant table for console, xenstore pages

To: Derek.Murray@xxxxxxxxxxxx
From: Diego Ongaro <diego.ongaro@xxxxxxxxxx>
Date: Mon, 14 Jul 2008 16:42:28 +0100
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 14 Jul 2008 08:42:54 -0700
List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Derek Murray wrote:
> On Mon, Jul 14, 2008 at 3:37 PM, Diego Ongaro <diego.ongaro@xxxxxxxxxx> wrote:
>> Derek Murray wrote:
>>>> I'm working on moving xenstored into a dedicated, unprivileged domain.
>> Have you also worked on this, Derek? I wouldn't want to keep working on
>> something you've already done...
> 
> I haven't worked on this myself, but I vaguely recall hearing of
> efforts to disaggregate XenStore - I don't think any of these are
> publicly available. Is the main aim of this work to enhance security
> or performance? If the former, how do you plan to launch the XenStore
> domain? From Dom0, or using another mechanism?

Enhancing security is one aim of this work.

I'm launching the XenStore domain using a small program in dom0 that
just makes the necessary libxc calls. I couldn't really use xend, xm, or
xenconsoled as they all depend on xenstore. (However, I ripped out the
main loop of xenconsoled so that I'd be able to get at a console.)

> My personal inclination is to enhance Xen so that the tools no longer
> run as root (a conventional Unix-based privilege separation), which
> provides a low-cost improvement in Dom0 security. This would build on
> your patches to use gntdev for console and XenStore access, and use
> modifications to gntdev that allow non-root users to map certain
> explicitly-specified grants. This would provide a route to
> disaggregating all necessarily-trusted functionality on systems that
> would benefit from it (i.e. IOMMU-equipped systems). If you'd like, we
> could discuss this approach further.

I think that approach definitely makes sense for something like the
console daemon, which I would argue should stay in dom0. On the other
hand, I don't see any technical reasons why XenStore needs to stay in
dom0, and I don't think it's such a high-cost improvement to move it
out.

-Diego

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

Follow-Ups:
- RE: [Xen-devel] [PATCH RFC 0/5] Grant table for console, xenstorepages
  - From: Cihula, Joseph

References:
- [Xen-devel] [PATCH RFC 0/5] Grant table for console, xenstore pages
  - From: Diego Ongaro
- Re: [Xen-devel] [PATCH RFC 0/5] Grant table for console, xenstore pages
  - From: Derek Murray
- Re: [Xen-devel] [PATCH RFC 0/5] Grant table for console, xenstore pages
  - From: Diego Ongaro
- Re: [Xen-devel] [PATCH RFC 0/5] Grant table for console, xenstore pages
  - From: Derek Murray

Prev by Date: Re: [Xen-devel] [PATCH] ioemu: drop shadow vram
Next by Date: RE: [Xen-devel] [PATCH RFC 0/5] Grant table for console, xenstorepages
Previous by thread: Re: [Xen-devel] [PATCH RFC 0/5] Grant table for console, xenstore pages
Next by thread: RE: [Xen-devel] [PATCH RFC 0/5] Grant table for console, xenstorepages
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.