Re: [PATCH][ACM] kernel enforcement of vbd policies via blkback driver

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Harry Butterworth <harry@hebutterworth.freeserve.co.uk>
To: Reiner Sailer <sailer@us.ibm.com>
Cc: Andrew Warfield <andrew.warfield@cl.cam.ac.uk>,
	xen-devel@lists.xensource.com, xense-devel@lists.xensource.com,
	Bryan D Payne <bdpayne@us.ibm.com>,
	ncmike@us.ibm.com
Subject: Re: [PATCH][ACM] kernel enforcement of	vbd	policies	via blkback driver
Date: Thu, 27 Jul 2006 18:43:25 +0100	[thread overview]
Message-ID: <1154022205.7906.50.camel@localhost.localdomain> (raw)
In-Reply-To: <OF5710E510.2A517A50-ON852571B8.0060996E-852571B8.0060EE56@us.ibm.com>

On Thu, 2006-07-27 at 13:38 -0400, Reiner Sailer wrote:
> 
> Harry Butterworth <harry@hebutterworth.freeserve.co.uk> wrote on
> 07/27/2006 01:06:50 PM:
> 
> > On Thu, 2006-07-27 at 12:58 -0400, Reiner Sailer wrote:
> > > 
> > > 
> > > Harry Butterworth <harry@hebutterworth.freeserve.co.uk> wrote on
> > > 07/27/2006 12:36:43 PM:
> > > 
> > > > On Thu, 2006-07-27 at 17:26 +0100, Harry Butterworth wrote:
> > > > 
> > > > > untrusted driver domain <-> trusted encryption domain <->
> > > FE-domain
> > > > >                            hypervisor
> > > > >                    trusted access control domain
> > > > 
> > > > Another argument in favour of this kind of approach is that if
> your
> > > BE
> > > > is something like a fibrechannel driver for a SAN, there isn't
> > > actually
> > > > any security on the SAN side of it so any guarantees provided by
> the
> > > > driver domain are pretty much worthless.
> > > > 
> > > > Harry.
> > > > 
> > > 
> > > We are talking about scalable, secure, and efficient local device
> > > virtualization.  
> > 
> > Even with local devices there is no security on the device side of
> the
> > device driver.  Consider the case of a locally attached sata drive
> > containing 2 partitions, one for each of two domains.  It's not
> unheard
> > of for disk drives to write the data in the wrong place.  Or read
> and
> > return the wrong block.  Happens all the time.
> > 
> 
> If you can't trust your hardware, then you cant trust a domain built
> on top of it. There is no need to convince me. If this is not a
> "fixable" problem, then such devices cannot be assumed trused.  
> 
> Either they are not shared or the risk must be mitigated (e.g., as you
> suggested by encryption/signing and another trusted proxy). 
> 
> Is this undeterministic/uncontrollable behavior considered "normal"
> operation? 

It's obviously unusual but we do see it in real life, for example, when
we test 3rd party storage controllers.

> 
> Thanks 
> Reiner

next prev parent reply	other threads:[~2006-07-27 17:43 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <OF95F83550.BF987DA4-ON852571B5.006BF6EE-852571B5.006EC053@LocalDomain>
2006-07-25  0:21 ` [PATCH][ACM] kernel enforcement of vbd policies via blkback driver Reiner Sailer
2006-07-25  9:53   ` Keir Fraser
2006-07-25 17:45     ` Bryan D Payne
2006-07-25 18:48       ` Steven Hand
2006-07-26 13:25     ` Mike D. Day
2006-07-26 13:49       ` Keir Fraser
2006-07-26 15:47         ` Reiner Sailer
2006-07-26 17:46         ` Mike D. Day
2006-07-26 18:07           ` Keir Fraser
2006-07-26 18:24             ` Mike D. Day
2006-07-26 18:50               ` Andrew Warfield
2006-07-26 21:21                 ` Reiner Sailer
2006-07-26 22:23                 ` Harry Butterworth
2006-07-26 22:51                   ` Reiner Sailer
2006-07-27  9:41                     ` Harry Butterworth
2006-07-26 23:04                   ` Andrew Warfield
2006-07-27  1:40                     ` Harry Butterworth
2006-07-27 15:37                       ` Reiner Sailer
2006-07-27 16:26                         ` Harry Butterworth
2006-07-27 16:36                           ` Harry Butterworth
2006-07-27 16:58                             ` Reiner Sailer
2006-07-27 17:06                               ` Harry Butterworth
2006-07-27 17:19                                 ` Harry Butterworth
2006-07-27 17:53                                   ` Reiner Sailer
2006-07-27 18:38                                     ` Harry Butterworth
2006-07-27 17:38                                 ` Reiner Sailer
2006-07-27 17:43                                   ` Harry Butterworth [this message]
2006-07-24 16:23 Bryan D. Payne
2006-07-24 17:28 ` Keir Fraser
2006-07-24 20:09   ` Bryan D Payne

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1154022205.7906.50.camel@localhost.localdomain \
    --to=harry@hebutterworth.freeserve.co.uk \
    --cc=andrew.warfield@cl.cam.ac.uk \
    --cc=bdpayne@us.ibm.com \
    --cc=ncmike@us.ibm.com \
    --cc=sailer@us.ibm.com \
    --cc=xen-devel@lists.xensource.com \
    --cc=xense-devel@lists.xensource.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.