From mboxrd@z Thu Jan  1 00:00:00 1970
From: Anthony Liguori <anthony@codemonkey.ws>
Subject: Re: Secure KVM
Date: Mon, 07 Nov 2011 11:43:45 -0600
Message-ID: <4EB818D1.70802@codemonkey.ws>
References: <1320612020.3299.22.camel@lappy>	<4EB7A45D.1030600@redhat.com>	<CA+1xoqdXO8-=aPEVOmZjNRwGY3yctFjyk0DnPAbd6+1aTWM8Zw@mail.gmail.com> <CAJSP0QXuawRbueXkGNxrAarkhFNQTzrYrbxEGAw2XkJ7VFx6qg@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: Sasha Levin <levinsasha928@gmail.com>, Avi Kivity <avi@redhat.com>,
	Andrea Arcangeli <aarcange@redhat.com>,
	Marcelo Tosatti <mtosatti@redhat.com>,
	Ingo Molnar <mingo@elte.hu>, Pekka Enberg <penberg@kernel.org>,
	Cyrill Gorcunov <gorcunov@gmail.com>,
	Asias He <asias.hejun@gmail.com>,
	Rusty Russell <rusty@rustcorp.com.au>,
	"Michael S. Tsirkin" <mst@redhat.com>, kvm <kvm@vger.kernel.org>
To: Stefan Hajnoczi <stefanha@gmail.com>
Return-path: <kvm-owner@vger.kernel.org>
Received: from mail-qw0-f46.google.com ([209.85.216.46]:61976 "EHLO
	mail-qw0-f46.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S932783Ab1KGRnt (ORCPT <rfc822;kvm@vger.kernel.org>);
	Mon, 7 Nov 2011 12:43:49 -0500
Received: by qao25 with SMTP id 25so841449qao.19
        for <kvm@vger.kernel.org>; Mon, 07 Nov 2011 09:43:49 -0800 (PST)
In-Reply-To: <CAJSP0QXuawRbueXkGNxrAarkhFNQTzrYrbxEGAw2XkJ7VFx6qg@mail.gmail.com>
Sender: kvm-owner@vger.kernel.org
List-ID: <kvm.vger.kernel.org>

On 11/07/2011 05:27 AM, Stefan Hajnoczi wrote:
> On Mon, Nov 7, 2011 at 10:17 AM, Sasha Levin<levinsasha928@gmail.com>  wrote:
>
> This is a really interesting topic - something that we've discussed in
> QEMU as well.
>
> Doing it with seccomp is really hard since that only allows read(2),
> write(2), exit(2), and sigreturn(2).  I think using seccomp means that
> host devices (e.g. actual network and block device I/O) are
> implemented outside the seccomp because it requires other syscalls.
> Then the seccomp process would simply do hardware emulation with IPCs
> for all actual I/O.
>
> Where does the VNC server, the image formats, etc go?  It would be
> nice to confine them too.
>
> In that respect I think Avi's ideas about using safe programming
> languages (even if just a NaCl toolchain) are nice because they are
> more general and apply to all of the codebase.

It's a nice idea but the NaCL toolchain doesn't have a nice upstream story right 
now.

I think seccomp() mode 1 isn't so bad.  It's difficult to boot strap, but once 
you have a reasonable set of RPCs, it shouldn't be all that bad of an 
environment to program in.

One way to think of a seccomp() sandbox is that it emulates the legacy device 
model and translates everything into an ultra-modern, no backwards compat, 
pure-virtio device model.  From a QEMU perspective, it would treat the sandbox 
as part of the guest, and then implement a bare bones machine that only exposed 
the couple of virtio interfaces to the sandbox.  QEMU would then bridge this to 
the various types of backends.

Regards,

Anthony Liguori

>
> Stefan
> --
> To unsubscribe from this list: send the line "unsubscribe kvm" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html