[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Xen-users] Custom kernel

To: "'Stephen Yum'" <steveyum@xxxxxxxxxxxxxx>, <xen-users@xxxxxxxxxxxxxxxxxxx>
From: "Steffen Heil" <lists@xxxxxxxxxxxxxxx>
Date: Sat, 2 Sep 2006 15:31:00 +0200
Delivery-date: Sat, 02 Sep 2006 06:31:18 -0700
List-id: Xen user discussion <xen-users.lists.xensource.com>
Thread-index: AcbOWWpzQBXe16cFTe6sSDb1XIoLBgAOhI4w

Hi

> Me, I don't want to use a privileged kernel for my guests. 
> That's ludicrous. The potential security problems far 
> outweighs the convenience that method may provide.

Can someone with inside knowledgte to xen comment on this?

I don't believe there is a security problem. But I don't know the sources.
I think dom0 means, that there are things compiled in, which may be used for
management, but using these functions requires access to the hypervisor,
which I expect to be only granded to that domain that boots the system
(hence dom0).
So running a dom0-compiled kernel as domU will give a litte unnessesary
load, but NO security problem.

If the content of a kernel might change the privileges a domain has would
mean that any kernel (and as such kernel-mode module) running in a domU
might take control of the system. I don't beliebe that...

Regards,
  Steffen

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

References:
- Re: [Xen-users] Custom kernel
  - From: Stephen Yum

Prev by Date: RE: [Xen-users] Kernel drivers on domU
Next by Date: [Xen-users] cdrom cannot be found in xen0
Previous by thread: Re: [Xen-users] Custom kernel
Next by thread: Re: [Xen-users] Custom kernel
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.