From: Diego Ongaro
Subject: Re: [PATCH RFC 0/5] Grant table for console, xenstore pages
Date: Mon, 14 Jul 2008 16:42:28 +0100
Message-ID: <487B73E4.6020600@citrix.com>
References: <4877B09E.5000909@citrix.com> <617dbaa80807121134t66e67947k95b92a9674eac251@mail.gmail.com> <487B64A0.7070004@citrix.com> <617dbaa80807140755oefd307hbd60c4551b6a076d@mail.gmail.com>
In-Reply-To: <617dbaa80807140755oefd307hbd60c4551b6a076d@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: Derek.Murray@cl.cam.ac.uk
Cc: xen-devel@lists.xensource.com
List-Id: xen-devel@lists.xenproject.org

Derek Murray wrote:
> On Mon, Jul 14, 2008 at 3:37 PM, Diego Ongaro wrote:
>> Derek Murray wrote:
>>>> I'm working on moving xenstored into a dedicated, unprivileged domain.
>> Have you also worked on this, Derek? I wouldn't want to keep working on
>> something you've already done...
>
> I haven't worked on this myself, but I vaguely recall hearing of
> efforts to disaggregate XenStore - I don't think any of these are
> publicly available. Is the main aim of this work to enhance security
> or performance? If the former, how do you plan to launch the XenStore
> domain? From Dom0, or using another mechanism?

Enhancing security is one aim of this work. I'm launching the XenStore
domain using a small program in dom0 that just makes the necessary libxc
calls. I couldn't really use xend, xm, or xenconsoled as they all depend
on xenstore. (However, I ripped out the main loop of xenconsoled so that
I'd be able to get at a console.)

> My personal inclination is to enhance Xen so that the tools no longer
> run as root (a conventional Unix-based privilege separation), which
> provides a low-cost improvement in Dom0 security. This would build on
> your patches to use gntdev for console and XenStore access, and use
> modifications to gntdev that allow non-root users to map certain
> explicitly-specified grants. This would provide a route to
> disaggregating all necessarily-trusted functionality on systems that
> would benefit from it (i.e. IOMMU-equipped systems). If you'd like, we
> could discuss this approach further.

I think that approach definitely makes sense for something like the
console daemon, which I would argue should stay in dom0. On the other
hand, I don't see any technical reasons why XenStore needs to stay in
dom0, and I don't think it's such a high-cost improvement to move it
out.

-Diego