not about Xen in particular, but as a side note, because I think some people are interested in trusted computing and virtualization? If you're not, sorry for the intrusion!

http://www.research.ibm.com/secure_systems_department/projects/tcglinux/

"Currently, we experiment measuring the information flow on SELinux systems to reason about isolation properties of a system. For this purpose, we modified tcgLinux to run as an LSM kernel module stacked on top of SELinux. We also envision to extend our attestation method to integrate virtualization technology and partition the attestation space of a system using the information flow policies enforced therein."

-------------------------------------------------------
This SF.net email is sponsored by: IT Product Guide on ITManagersJournal
Use IT products in your business? Tell us what you think of them. Give us
Your Opinions, Get Free ThinkGeek Gift Certificates! Click to find out more
http://productguide.itmanagersjournal.com/guidepromo.tmpl
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel

Hi Folks,

Do USB devices work with Xen2.0, even when only domain0 is present? Does it work with multiple domains? If yes, how to make it work?

Thanks,
Sanjay

> Do USB devices work with Xen2.0, even when only domain0 is present?

Yes, we've had success reports.

> Does it work with multiple domains?

Depends what you mean. Dom0 will by default control all the USB devices. If you want another domain to control a USB root hub device, you can assign it permissions, as for a driver domain. If you have a USB disk or network device, you can share it with other domains just like you can for any other disk or network device.

My USB virtualisation stuff (give guests control of individual USB ports) is in progress but I keep getting distracted by other things (most recently the 2.0 release).

> If yes, how to make it work?

To make it work in dom0, just stick it in the Linux kernel config and it should Just Work(TM).

HTH,
Mark

Tim Freeman wrote:
> not about Xen in particular, but as a side note, because I think some
> people are interested in trusted computing and virtualization? If
> you're not, sorry for the intrusion!
>
> http://www.research.ibm.com/secure_systems_department/projects/tcglinux/
>
> "Currently, we experiment measuring the information flow on SELinux
> systems to reason about isolation properties of a system. For this
> purpose, we modified tcgLinux to run as an LSM kernel module stacked on
> top of SELinux. We also envision to extend our attestation method to
> integrate virtualization technology and partition the attestation space
> of a system using the information flow policies enforced therein."

# [tcgLinux]'s main goal is to generate verifiable representative information
# about the software stack running on a Linux system. This information can
# be used by remote parties to determine the integrity of the execution
# environment.

Can it, though? The assumption seems to be that fingerprinting executables is sufficient to characterise the security configuration of a system. AFAICS that's patently false: the security of a system is dependent on its complete configuration, including many non-executable files. IOW, anyone can compromise a system without changing any executable files.

# We instrumented the Linux kernel to trigger a measurement for each
# executable, library, or kernel module loaded into the run-time before
# they affect the system.

Yep, only executables. This seems quite useless.

--
David Hopwood <david.nospam.hopwood@blueyonder.co.uk>

On Tue, 19 Oct 2004 00:16:43 +0100 David Hopwood <david.nospam.hopwood@blueyonder.co.uk> wrote:

[...]
> Yep, only executables. This seems quite useless.

You have a good point, but maybe combining this method with virtual machines can actually address the problem? I had never heard of the IBM project, so it was curious to see a real implementation (that even supposedly runs on my laptop).

Here are two interesting papers out there that specifically address the executable problem. I can't attest (har har) to the "correctness" of these approaches, but it is an interesting subject:

http://www.usenix.org/events/vm04/tech/haldar/haldar_html/

"The goal is to attest program behavior, not a particular binary."

page 4, http://suif.stanford.edu/papers/sosp03-terra.pdf

Certification of a VM being loaded by the TVMM involves the TVMM signing a hash of all persistent state that identifies the VM. This includes the BIOS, executable code, and constant data of the VM. This does not include temporary data on persistent storage or NVRAM contents that constantly change over time. The separation between data which does and does not need to be included in the attestation is application-specific, made by the VM's developer. Terra supports these two type of data by providing VMs with both "attested storage" that the TVMM incorporates in the VM's hash and "unattested storage" that it does not (see section 4.2).
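
Added example (not part of the original thread, and not code from tcgLinux or Terra): a small model of the point argued above, showing what a verifier can and cannot see depending on which files are included in the measurement. The TPM-style extend, the SHA-256 hash, the file names and the file contents are all assumptions constructed for illustration.

```python
import hashlib

def extend(aggregate, digest):
    # TPM-style extend (assumed here): fold one measurement into the aggregate.
    return hashlib.sha256(aggregate + digest).digest()

def attest(state, attested):
    """Measure the attested paths; return (measurement log, aggregate hex)."""
    log, aggregate = [], bytes(32)
    for path in sorted(state):  # fixed order so a verifier can replay the log
        if path in attested:
            digest = hashlib.sha256(state[path]).digest()
            log.append((path, digest.hex()))
            aggregate = extend(aggregate, digest)
    return log, aggregate.hex()

def verify(log, aggregate_hex):
    """Verifier side: replay the log and compare with the reported aggregate."""
    aggregate = bytes(32)
    for _path, hexdigest in log:
        aggregate = extend(aggregate, bytes.fromhex(hexdigest))
    return aggregate.hex() == aggregate_hex

def changed_paths(known_good_log, reported_log):
    """Paths whose reported digest differs from the known-good reference."""
    good = dict(known_good_log)
    return [p for p, d in reported_log if good.get(p) != d]

# Constructed sample state (contents are placeholders, not real binaries).
BASELINE = {
    "/usr/sbin/sshd": b"constructed sshd image",
    "/lib/libc.so.6": b"constructed libc image",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/var/log/messages": b"boot ok\n",
}
EXEC_ONLY = {"/usr/sbin/sshd", "/lib/libc.so.6"}      # executables only
WITH_CONFIG = EXEC_ONLY | {"/etc/ssh/sshd_config"}    # plus constant config data

def detect(attested):
    """What a verifier sees after a config edit and ordinary log growth."""
    current = {**BASELINE,
               "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
               "/var/log/messages": b"boot ok\nsession opened\n"}
    good_log, _ = attest(BASELINE, attested)
    log, aggregate = attest(current, attested)
    assert verify(log, aggregate)  # the report itself is internally consistent
    return changed_paths(good_log, log)

if __name__ == "__main__":
    print("executables only:", detect(EXEC_ONLY))
    print("with config     :", detect(WITH_CONFIG))
```

With the executables-only set the configuration change produces no difference in the report, while the set that also covers constant configuration data flags it; the log file stays out of both sets, in the manner of the "unattested storage" quoted from the Terra paper.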