From: Joanna Rutkowska
Subject: Re: [RFC PATCH 0/18] Xenstore stub domain
Date: Thu, 12 Jan 2012 12:35:54 +0100
Message-ID: <4F0EC59A.8070905@invisiblethingslab.com>
References: <1326302490-19428-1-git-send-email-dgdegra@tycho.nsa.gov> <4F0EB6ED.3030900@invisiblethingslab.com> <20120112104802.GA47092@ocelot.phlegethon.org> <1326367666.17210.244.camel@zakaz.uk.xensource.com>
In-Reply-To: <1326367666.17210.244.camel@zakaz.uk.xensource.com>
To: Ian Campbell
Cc: Daniel De Graaf, xen-devel@lists.xensource.com, Tim Deegan
List-Id: xen-devel@lists.xenproject.org

On 01/12/12 12:27, Ian Campbell wrote:
> On Thu, 2012-01-12 at 10:48 +0000, Tim Deegan wrote:
>> At 11:33 +0100 on 12 Jan (1326367997), Joanna Rutkowska wrote:
>>> Daniel,
>>>
>>> Can you explain what is the rationale for moving the xenstored into a
>>> stubdom? After all, if an attacker is able to compromise the xenstored,
>>> there should be many ways now to compromise other VMs in the system?
>>> And it shouldn't matter whether the xenstored is in stubdom or whether
>>> in Dom0. E.g. the attacker might redirect the block fronts to use some
>>> false block backends, so that the VMs get compromised fs. One could
>>> probably think of other attacks as well...?
>>
>> I think the point is to protect xenstore from dom0, not dom0 from
>> xenstore. With stub-xenstore and driver domains, only the domain
>> builder and PCIback need to have any privilege, and they can be moved
>> out of dom0 too (e.g., http://dl.acm.org/citation.cfm?id=1346278 ,
>> http://tjd.phlegethon.org/words/sosp11-xoar.html)
>
> Also by isolating components you gain the ability to restart them
> independently. Since xenstored is one of (the only?) dom0 components
> which cannot be trivially restarted, putting it in a separate domain
> means you can restart dom0.
>

But why would anybody want to restart Dom0, in the first place?