WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

Re: [Xen-devel] [PATCH RFC 0/5] Grant table for console, xenstore pages

Derek Murray wrote:
> On Mon, Jul 14, 2008 at 3:37 PM, Diego Ongaro <diego.ongaro@xxxxxxxxxx> wrote:
>> Derek Murray wrote:
>>>> I'm working on moving xenstored into a dedicated, unprivileged domain.
>> Have you also worked on this, Derek? I wouldn't want to keep working on
>> something you've already done...
> 
> I haven't worked on this myself, but I vaguely recall hearing of
> efforts to disaggregate XenStore - I don't think any of these are
> publicly available. Is the main aim of this work to enhance security
> or performance? If the former, how do you plan to launch the XenStore
> domain? From Dom0, or using another mechanism?

Enhancing security is one aim of this work.

I'm launching the XenStore domain using a small program in dom0 that
just makes the necessary libxc calls. I couldn't really use xend, xm, or
xenconsoled as they all depend on xenstore. (However, I ripped out the
main loop of xenconsoled so that I'd be able to get at a console.)

> My personal inclination is to enhance Xen so that the tools no longer
> run as root (a conventional Unix-based privilege separation), which
> provides a low-cost improvement in Dom0 security. This would build on
> your patches to use gntdev for console and XenStore access, and use
> modifications to gntdev that allow non-root users to map certain
> explicitly-specified grants. This would provide a route to
> disaggregating all necessarily-trusted functionality on systems that
> would benefit from it (i.e. IOMMU-equipped systems). If you'd like, we
> could discuss this approach further.

I think that approach definitely makes sense for something like the
console daemon, which I would argue should stay in dom0. On the other
hand, I don't see any technical reasons why XenStore needs to stay in
dom0, and I don't think it's such a high-cost improvement to move it
out.

-Diego

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel