
xen-devel

RE: [Xen-devel] [PATCH RFC 0/5] Grant table for console, xenstorepages

To: "Diego Ongaro" <diego.ongaro@xxxxxxxxxx>, <Derek.Murray@xxxxxxxxxxxx>
Subject: RE: [Xen-devel] [PATCH RFC 0/5] Grant table for console, xenstorepages
From: "Cihula, Joseph" <joseph.cihula@xxxxxxxxx>
Date: Mon, 14 Jul 2008 09:50:12 -0700
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
In-reply-to: <487B73E4.6020600@xxxxxxxxxx>
This has been looked at by others as well (I had a very similar set of
internal patches that created a pre-dom0 domain but for running the vTPM
Manager).  The trickiest part of deciding where and when to launch
xenstore is that it is required for the paravirt drivers to communicate.
So if you have any front ends, then xenstore needs to be running before
they can connect to their back ends.

Joe

-----Original Message-----
From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Diego Ongaro
Sent: Monday, July 14, 2008 8:42 AM
To: Derek.Murray@xxxxxxxxxxxx
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] [PATCH RFC 0/5] Grant table for console,
xenstorepages

Derek Murray wrote:
> On Mon, Jul 14, 2008 at 3:37 PM, Diego Ongaro <diego.ongaro@xxxxxxxxxx> wrote:
>> Derek Murray wrote:
>>>> I'm working on moving xenstored into a dedicated, unprivileged domain.
>> Have you also worked on this, Derek? I wouldn't want to keep working on
>> something you've already done...
> 
> I haven't worked on this myself, but I vaguely recall hearing of
> efforts to disaggregate XenStore - I don't think any of these are
> publicly available. Is the main aim of this work to enhance security
> or performance? If the former, how do you plan to launch the XenStore
> domain? From Dom0, or using another mechanism?

Enhancing security is one aim of this work.

I'm launching the XenStore domain using a small program in dom0 that
just makes the necessary libxc calls. I couldn't really use xend, xm, or
xenconsoled as they all depend on xenstore. (However, I ripped out the
main loop of xenconsoled so that I'd be able to get at a console.)

> My personal inclination is to enhance Xen so that the tools no longer
> run as root (a conventional Unix-based privilege separation), which
> provides a low-cost improvement in Dom0 security. This would build on
> your patches to use gntdev for console and XenStore access, and use
> modifications to gntdev that allow non-root users to map certain
> explicitly-specified grants. This would provide a route to
> disaggregating all necessarily-trusted functionality on systems that
> would benefit from it (i.e. IOMMU-equipped systems). If you'd like, we
> could discuss this approach further.

I think that approach definitely makes sense for something like the
console daemon, which I would argue should stay in dom0. On the other
hand, I don't see any technical reasons why XenStore needs to stay in
dom0, and I don't think it's such a high-cost improvement to move it
out.

-Diego

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
