How to secret Dom0 against DomU .

How to secret Dom0 against DomU .

[Daniel Schwager]

Hi,

are there some known issues using kvm-84 
	- to break in into the Dom0
	- to corrupt the Dom0
	- to ... Dom0

Are there some thinks I have to configure in Dom0
to safe Dom0 against DomU's ?

My kvm-call looks like this:

30743 ?        Sl    85:36 /usr/kvm/bin/qemu-system-x86_64 -S -M pc -m
500 -smp 1 -name solidcam -uuid 85e73643-0f27-b995-8ecb-9042ea044dc5
-monitor pty -pidfile /var/run/libvirt/qemu//solidcam.pid -boot c -drive
file=/srv/winxp127.dsk,if=ide,index=0,boot=on -net
nic,macaddr=ae:de:49:00:40:0e,vlan=0,model=e1000 -net
tap,ifname=vif100,script=/opt/virtcontroller/bin/qemu-ifup,vlan=0
-serial pty -parallel none -usb -usbdevice tablet -vnc 0.0.0.0:0

I want to publish windows XP DomU's to (technical affine) people's - I
do not want
that they can hurt/hack our base-system.

regards
Danny

Re: How to secret Dom0 against DomU .

[Joerg Roedel]

On Fri, Feb 20, 2009 at 05:26:22PM +0100, Daniel Schwager wrote:
> Hi,
> 
> are there some known issues using kvm-84 
> 	- to break in into the Dom0
> 	- to corrupt the Dom0
> 	- to ... Dom0
> 
> Are there some thinks I have to configure in Dom0
> to safe Dom0 against DomU's ?

This is absolutly no risk in KVM just because there is no Dom0. I guess
you mean if there is any way to break out of a guest and hack the host.
As far as I know there are no known security issue.

> 
> My kvm-call looks like this:
> 
> 30743 ?        Sl    85:36 /usr/kvm/bin/qemu-system-x86_64 -S -M pc -m
> 500 -smp 1 -name solidcam -uuid 85e73643-0f27-b995-8ecb-9042ea044dc5
> -monitor pty -pidfile /var/run/libvirt/qemu//solidcam.pid -boot c -drive
> file=/srv/winxp127.dsk,if=ide,index=0,boot=on -net
> nic,macaddr=ae:de:49:00:40:0e,vlan=0,model=e1000 -net
> tap,ifname=vif100,script=/opt/virtcontroller/bin/qemu-ifup,vlan=0
> -serial pty -parallel none -usb -usbdevice tablet -vnc 0.0.0.0:0
> 
> I want to publish windows XP DomU's to (technical affine) people's - I
> do not want
> that they can hurt/hack our base-system.
> 
> regards
> Danny
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe kvm" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: How to secret Dom0 against DomU .

[Tomasz Chmielewski]

Joerg Roedel schrieb:
> On Fri, Feb 20, 2009 at 05:26:22PM +0100, Daniel Schwager wrote:
>> Hi,
>>
>> are there some known issues using kvm-84 
>> 	- to break in into the Dom0
>> 	- to corrupt the Dom0
>> 	- to ... Dom0
>>
>> Are there some thinks I have to configure in Dom0
>> to safe Dom0 against DomU's ?
> 
> This is absolutly no risk in KVM just because there is no Dom0. I guess
> you mean if there is any way to break out of a guest and hack the host.
> As far as I know there are no known security issue.

He may also want to prevent guest from accessing the host via network.

Place the guest in a different VLAN, attach to a different bridge etc.


-- 
Tomasz Chmielewski
http://wpkg.org

RE: How to secret Dom0 against DomU .

[Daniel Schwager]

> > This is absolutly no risk in KVM just because there is no Dom0. I
guess
> > you mean if there is any way to break out of a guest and hack the
host.
> > As far as I know there are no known security issue.
> 
> He may also want to prevent guest from accessing the host via network.
> 
> Place the guest in a different VLAN, attach to a different bridge etc.

We did this with bridging and VLAN (-: 

Thanks for answering. I will give you a note and access, if the public
access to VM's
running with KVM-84 works. 

regards
Danny