From: Joanna Rutkowska
Subject: Non-dom0 block backends (was: Re: [PATCH v3 0/5] libxl: call hotplug scripts from libxl)
Date: Mon, 23 Apr 2012 15:59:20 +0200
Message-ID: <4F956038.9090004@invisiblethingslab.com>
In-Reply-To: <4F955D74.8060602@invisiblethingslab.com>
To: Marek Marczykowski
Cc: "xen-devel@lists.xen.org", Roger Pau Monne

On 04/23/12 15:47, Marek Marczykowski wrote:
/.../
>>> Also vbd backend in domU is used - eg to boot HVM from iso, which is stored in
>>> some domU.
>>
>> I didn't know you were able to use vbd from driver domains with xl, if so I
>> will have to add a similar option for vbd devices (disable_xl_vbd_scripts).
> When starting domU using xl create, I needed to slightly modify disk config
> syntax in xl_cmdimpl.c to add backend field (still using xen 4.1, backend
> added as the end of disk spec). But everything else worked fine. Especially xl
> block-attach, which allows to specify backend domain.
> So disable_xl_vbd_scripts option will be helpful.

On a side note: some cool applications of this:

1) We can have a UsbVM, which has assigned all the USB controllers (pci
attach), which greatly minimizes threats from various USB attacks [1] on
the overall system. Now, if one plugs a USB disk, those disks can be
made available to other domains, without the need for Dom0 to plug them
(so no need to parse their, untrusted, partition tables, or other fs
metadata).

2) We can store various installation ISOs, e.g. that cool new "hacker"
Linux distro ISO, and pass it to an HVM domain (for installation)
directly from the VM where we downloaded it (e.g.
"untrusted-internet-browsing-vm") without the need to store it first on
the Dom0 fs.

joanna.

[1] http://theinvisiblethings.blogspot.com/2011/06/usb-security-challenges.html