Hi,

What changes would have to be made if I wanted to have a domU create VMs? I tried installing the xen tools into a domU rootfs image, and then booted the domU. However, xend refuses to start inside the domU.

I realise the changes might be extensive, but I just want an idea of what needs to be done.

Also, I find that hardcoded checks like

    if (current->domain->domain_id != 0)
        return -EPERM;

are extremely few in the current hypervisor.

Regards,
Hayawardh

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Hi Hayawardh,

There are (at least) a couple of architectural reasons why xend will not work in a DomU: it assumes that XenStore is running in the same domain, and it assumes that the domain running it is privileged. In a normal Xen system, only Dom0 has the privileged bit set (when it is loaded at boot); it is not possible to create another privileged domain using the regular tools.

If you did make your DomU privileged, this would make it privileged over all domains, which requires you to trust each DomU with this privilege. This is probably not acceptable from a security point-of-view. If you had the inclination, you could probably conjure up a Xen Security Module that enforced hierarchical privilege, but you would probably still have to modify the tools.

If you simply want to be able to create domains from a DomU, have you considered installing xm in that domain and configuring it to use the instance of xend that runs in Dom0?

Regards,

Derek Murray.

On Mon, Jul 7, 2008 at 6:14 PM, Hayawardh V <hayawardh@gmail.com> wrote:
> Hi,
>
> What changes would have to be made if I wanted to have a domU create VMs?
> I tried installing the xen tools into a domU rootfs image, and then booted
> the domU. However, xend refuses to start inside the domU.
>
> I realise the changes might be extensive, but I just want an idea of what
> needs to be done.
>
> Also, I find that hardcoded checks like
>     if (current->domain->domain_id != 0)
>         return -EPERM;
> are extremely few in the current hypervisor.
>
> Regards,
> Hayawardh
Derek Murray writes ("Re: [Xen-devel] Enabling domU to create other domUs"):
> If you simply want to be able to create domains from a DomU, have you
> considered installing xm in that domain and configuring it to use the
> instance of xend that runs in Dom0?

The protocol that xm speaks to xend contains the pathnames of the backing files for block devices and so forth, which are interpreted by xend, qemu-dm, etc., in the context of dom0. This may or may not be what you want :-).

But it is another way in which the domU in this case has the ability to mess with the machine in ways that an untrusted domain shouldn't. Whether that's a problem depends on whether you wanted Xen (as a whole, including the tools etc.) to defend you from this domU.

Ian.
On Tue, Jul 8, 2008 at 12:25 PM, Derek Murray <Derek.Murray@cl.cam.ac.uk> wrote:
> Hi Hayawardh,
>
> If you did make your DomU privileged, this would make it privileged
> over all domains, which requires you to trust each DomU with this
> privilege. This is probably not acceptable from a security
> point-of-view. If you had the inclination, you could probably conjure
> up a Xen Security Module that enforced hierarchical privilege, but you
> would probably still have to modify the tools.

This is exactly what I have in mind. Can you just give me a few additional pointers of what needs to be done with the tools, and the hypervisor? Thanks a lot!

> If you simply want to be able to create domains from a DomU, have you
> considered installing xm in that domain and configuring it to use the
> instance of xend that runs in Dom0?
>
> Regards,
>
> Derek Murray.
>
> On Mon, Jul 7, 2008 at 6:14 PM, Hayawardh V <hayawardh@gmail.com> wrote:
> > Hi,
> >
> > What changes would have to be made if I wanted to have a domU create VMs?
> > I tried installing the xen tools into a domU rootfs image, and then
> > booted the domU. However, xend refuses to start inside the domU.
> >
> > I realise the changes might be extensive, but I just want an idea of what
> > needs to be done.
> >
> > Also, I find that hardcoded checks like
> >     if (current->domain->domain_id != 0)
> >         return -EPERM;
> > are extremely few in the current hypervisor.
> >
> > Regards,
> > Hayawardh
There have been a few (brief) discussions about disaggregating dom0 (see Derek's slides from the 2007 Xen Summit: http://xen.org/files/xensummit_fall07/22_DerekMurray.pdf) and they all involved de-privileging the domain builder. If you're up for doing some work, I'd recommend that approach as it will not only solve your problem but also bring the community a step closer to a de-privileged dom0.

joe

From: xen-devel-bounces@lists.xensource.com [mailto:xen-devel-bounces@lists.xensource.com] On Behalf Of Hayawardh V
Sent: Tuesday, July 08, 2008 7:46 PM
To: xen-devel@lists.xensource.com
Subject: Re: [Xen-devel] Enabling domU to create other domUs

> On Tue, Jul 8, 2008 at 12:25 PM, Derek Murray <Derek.Murray@cl.cam.ac.uk> wrote:
> > Hi Hayawardh,
> >
> > If you did make your DomU privileged, this would make it privileged
> > over all domains, which requires you to trust each DomU with this
> > privilege. This is probably not acceptable from a security
> > point-of-view. If you had the inclination, you could probably conjure
> > up a Xen Security Module that enforced hierarchical privilege, but you
> > would probably still have to modify the tools.
>
> This is exactly what I have in mind. Can you just give me a few additional
> pointers of what needs to be done with the tools, and the hypervisor?
> Thanks a lot!
>
> > If you simply want to be able to create domains from a DomU, have you
> > considered installing xm in that domain and configuring it to use the
> > instance of xend that runs in Dom0?
> >
> > Regards,
> >
> > Derek Murray.
> >
> > On Mon, Jul 7, 2008 at 6:14 PM, Hayawardh V <hayawardh@gmail.com> wrote:
> > > Hi,
> > >
> > > What changes would have to be made if I wanted to have a domU create VMs?
> > > I tried installing the xen tools into a domU rootfs image, and then
> > > booted the domU. However, xend refuses to start inside the domU.
> > >
> > > I realise the changes might be extensive, but I just want an idea of what
> > > needs to be done.
> > >
> > > Also, I find that hardcoded checks like
> > >     if (current->domain->domain_id != 0)
> > >         return -EPERM;
> > > are extremely few in the current hypervisor.
> > >
> > > Regards,
> > > Hayawardh
Cihula, Joseph writes ("RE: [Xen-devel] Enabling domU to create other domUs"):
> If you're up for doing some work, I'd recommend that approach as it will
> not only solve your problem but also bring the community a step closer
> to a de-privileged dom0.

I agree with this (although the original enquirer may find that this is not necessarily the most expedient path to solving their problem).

Hayawardh V writes ("Re: [Xen-devel] Enabling domU to create other domUs"):
> On Tue, Jul 8, 2008 at 12:25 PM, Derek Murray <Derek.Murray@cl.cam.ac.uk>
> wrote:
> > [...] you could probably conjure up a Xen Security Module that
> > enforced hierarchical privilege, but you would probably still have
> > to modify the tools.

I would not recommend using the Xen Security Modules arrangements. There are quite a few bugs in this code, including some very serious security bugs (which sadly we aren't allowed to give more information about as the reports were embargoed).

Unfortunately turning on the XSM support is likely to result in a substantially less secure system.

Ian.
On Wed, Jul 9, 2008 at 8:38 AM, Ian Jackson <Ian.Jackson@eu.citrix.com> wrote:
> Cihula, Joseph writes ("RE: [Xen-devel] Enabling domU to create other
> domUs"):
> > If you're up for doing some work, I'd recommend that approach as it will
> > not only solve your problem but also bring the community a step closer
> > to a de-privileged dom0.
>
> I agree with this (although the original enquirer may find that this
> is not necessarily the most expedient path to solving their problem).

Thanks all for the suggestions. I am envisioning a system where each domain has the capability to create/destroy any domain and perform any task. In effect, all domains should have the power of the current-day dom0. The XSM policy should control which domain can do what. Isn't this the most general approach? If the capability of domain creation is separated into a domB, still only domB will be capable of creating a domain. (Of course, if all domains have full power, then the size of the TCB will depend on the properties of the policy).

> I would not recommend using the Xen Security Modules arrangements.
> There are quite a few bugs in this code, including some very serious
> security bugs (which sadly we aren't allowed to give more information
> about as the reports were embargoed).
>
> Unfortunately turning on the XSM support is likely to result in a
> substantially less secure system.

I agree that XSM today may be insufficient, but I am not going to use it in a production system, and hopefully it will mature in the future.

Hayawardh

> Ian.
I see that the Xen roadmap has the following:

> More interestingly, it would be useful to be able to delegate privilege such as to be able to grant a domain permission to perform a certain privileged operation on some specified other domain or group of domains. This leads naturally to a hierarchical model of domain resource allocation and permission, for example allowing a domain with only a very restricted privilege capability to create a new domain by carving it out of its own resource allocation. It would then have full control over this domain, allowing it to destroy it, pause it, map its pages, attach a debugger etc.
>
> From Xen's low-level `datapath' point of view we want to flatten this hierarchy to keep the privilege check operations as simple as possible, with only the control operations having to worry about the extra complexity. Citing the example in the previous paragraph of having one domain build another, this should be quite achievable as some care is already taken to have the domain builder use standard unprivileged interfaces.

http://lists.xensource.com/archives/html/xen-devel/2006-07/msg00374.html

I am wondering if there is any real use for a hierarchy in the real world? Has there been any discussion on this before?

Thanks,
Hayawardh
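The hierarchical model in the quoted roadmap text, with the check flattened so the datapath does one mask test instead of walking the tree, as an added toy sketch in C. It is not Xen code: `domain_create`, `can_control`, the `controllers` bitmask and the sample tree are all constructed for this illustration, and `MAX_DOMAINS` is a toy limit of one bit per domain id.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MAX_DOMAINS   64        /* toy limit: one controller bit per domid */
#define DOMID_INVALID 0xFFFF
#define DOMID_DOM0    0

struct domain {
    uint16_t domain_id;
    uint16_t parent_id;   /* domain that built this one; DOMID_INVALID for root */
    uint64_t controllers; /* flattened: bit i set => domain i may control us */
    bool     in_use;
};

static struct domain domtab[MAX_DOMAINS];

/* Control path (runs rarely): build `child` out of `parent`'s allocation.
 * The child inherits every controller of its parent plus the parent itself,
 * so the hierarchy is flattened once here rather than on every check. */
static int domain_create(uint16_t parent, uint16_t child)
{
    if (child >= MAX_DOMAINS || domtab[child].in_use)
        return -1;
    if (parent != DOMID_INVALID &&
        (parent >= MAX_DOMAINS || !domtab[parent].in_use))
        return -1;
    domtab[child].domain_id = child;
    domtab[child].parent_id = parent;
    domtab[child].controllers = (parent == DOMID_INVALID) ? 0
        : domtab[parent].controllers | (1ULL << parent);
    domtab[child].in_use = true;
    return 0;
}

/* Datapath check (runs on every privileged op): one mask test, no tree walk.
 * This is the test that would replace a hard-coded "domain_id != 0". A domain
 * never controls itself, a sibling, or its own parent. */
static bool can_control(uint16_t requester, uint16_t target)
{
    if (requester >= MAX_DOMAINS || target >= MAX_DOMAINS || !domtab[target].in_use)
        return false;
    return (domtab[target].controllers >> requester) & 1ULL;
}

/* Constructed sample tree: dom0 -> dom1 -> dom2, and dom0 -> dom3. */
static int build_sample_tree(void)
{
    memset(domtab, 0, sizeof(domtab));
    return domain_create(DOMID_INVALID, DOMID_DOM0) | domain_create(DOMID_DOM0, 1)
         | domain_create(1, 2) | domain_create(DOMID_DOM0, 3);
}
```

With this table, dom1 may pause or destroy dom2 because it built it, and dom0 keeps control of everything, but dom3 (a sibling) and dom2 (a child) get -EPERM-style refusals without any per-request walk of the tree.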