Linux stub domains
- (2018) Linux-based Device Model Stubdomains in Qubes OS, Marek Marczykowski-Górecki
- (2018) Xen Security Weather Report 2018, Lars Kurth
- (2017) MSI support for PCI device pass-through with stub domains, Simon Gaiser
todo: add remaining patches
00/17 Add support for qemu-xen runnning in a Linux-based stubdomain:
05/17 libxl: Handle Linux stubdomain specific QEMU options:
08/17 xl: add stubdomain related options to xl config parser
- Jul 2018, v1 patch
Interfaces between stubdom QEMU and dom0
Xen Summit 2019 Design Session
Display architecture proposed by Brendan K
- migrate from display changer on Qubes and OpenXT surfman, to upstream Xen interfaces (from EPAM)
- use Linux 5.1 drm-front driver for displayif
- share common codebase for: EPAM, Qubes, OpenXT, Redfield
- LibXL and block backend: change "xenstore stuff" to "QMP stuff"
- QMP is not a simple protocol.
- xenstore-based protocol is much simpler than a JSON-encapsulated protocol.
- There have been multiple historical bugs in parsing of JSON in C.
- If we extend QMP support in LibXL and are communicating with a potentially compromised QEMU process, it would be a security regression.
Possible mitigations for a potentially compromised QEMU
- Reduce privileges given to the QEMU instance
- Limit interfaces to the QEMU instance
- Work with upstream QEMU to propose a new safer-than-JSON alternative marshalling format backend
- Minimize what LibXL does with QMP messages: use an off-the-shelf JSON firewall/translator/filter in the untrusted guest, limited to the QEMU subset of JSON
- Don't talk to QEMU after the device is started: this is mostly the case today, but some corner cases still require it: optical drive insert, device hotplug
- Have an option to intentionally break all QMP communications
- Qubes uses dracut to build the stubdom image, OpenXT uses OE (OpenEmbedded)
- For OpenXT/Qubes, many QEMU functions can be disabled at build time
- For distros such as Debian/SuSE, the generic QEMU binary has many functions enabled. One option may be to ship "minimal QEMU" and "minimal kernel" binaries configured for distro stubdoms.
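The "minimize what LibXL does with QMP messages" mitigation above calls for a filter that accepts only the small subset of JSON that QMP actually produces and refuses everything else before a privileged consumer sees it. The following is an added example of such a filter, written for this page; it is not code from libxl, QEMU, Qubes or OpenXT. The size and depth limits, the allowed top-level keys, and the rule that a message is exactly one of greeting/return/error/event are assumptions chosen for the example; it also assumes QEMU emits one compact JSON object per line, and deliberately rejects floats, non-finite literals, duplicate keys, control characters and deep nesting rather than trying to handle them.

```python
"""Strict filter for QMP messages from an untrusted QEMU (added example).

Assumptions (not from the session notes): one JSON object per line, no
floats, shallow nesting, and a fixed set of top-level keys.  Anything
outside that subset raises QmpFilterError instead of reaching the consumer.
"""
import json
import re

# Limits chosen for this example; tune for the replies libxl really needs.
MAX_BYTES = 4096
MAX_DEPTH = 4
MAX_STRING = 512
MAX_ITEMS = 64
INT_MIN, INT_MAX = -(2 ** 63), 2 ** 64 - 1

# QMP produces a greeting, a reply, an error reply or an event: exactly one.
MESSAGE_KINDS = {"QMP", "return", "error", "event"}
ALLOWED_TOP_KEYS = MESSAGE_KINDS | {"id", "data", "timestamp"}
KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")


class QmpFilterError(ValueError):
    """Raised for anything outside the accepted QMP subset."""


def _reject_float(text):
    raise QmpFilterError("floats are outside the accepted subset: %r" % text)


def _reject_constant(text):
    raise QmpFilterError("non-finite number literal: %r" % text)


def _object_without_duplicates(pairs):
    # json.loads hands us the raw key/value pairs; refuse duplicate keys
    # instead of silently keeping the last one.
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise QmpFilterError("duplicate key %r" % key)
        obj[key] = value
    return obj


def _check_value(value, depth):
    if depth > MAX_DEPTH:
        raise QmpFilterError("nesting deeper than %d" % MAX_DEPTH)
    if value is None or isinstance(value, bool):
        return
    if isinstance(value, int):
        if not INT_MIN <= value <= INT_MAX:
            raise QmpFilterError("integer outside 64-bit range")
        return
    if isinstance(value, str):
        # Escaped control characters (\u0000 ...) survive JSON decoding.
        if len(value) > MAX_STRING or not value.isprintable():
            raise QmpFilterError("string too long or not printable")
        return
    if isinstance(value, list):
        if len(value) > MAX_ITEMS:
            raise QmpFilterError("array too long")
        for item in value:
            _check_value(item, depth + 1)
        return
    if isinstance(value, dict):
        if len(value) > MAX_ITEMS:
            raise QmpFilterError("object too large")
        for key, item in value.items():
            if len(key) > MAX_STRING or not KEY_RE.match(key):
                raise QmpFilterError("unexpected key %r" % key)
            _check_value(item, depth + 1)
        return
    raise QmpFilterError("unsupported value type %s" % type(value).__name__)


def filter_message(raw):
    """Return the decoded message if it is within the subset, else raise."""
    if len(raw) > MAX_BYTES:
        raise QmpFilterError("message exceeds %d bytes" % MAX_BYTES)
    try:
        text = raw.decode("utf-8").rstrip("\r\n")
    except UnicodeDecodeError as exc:
        raise QmpFilterError("invalid UTF-8") from exc
    if not text.isprintable():
        raise QmpFilterError("raw control characters in message")
    try:
        message = json.loads(text, object_pairs_hook=_object_without_duplicates,
                             parse_float=_reject_float,
                             parse_constant=_reject_constant)
    except json.JSONDecodeError as exc:
        raise QmpFilterError("malformed JSON: %s" % exc) from exc
    if not isinstance(message, dict):
        raise QmpFilterError("top level must be an object")
    keys = set(message)
    if not keys <= ALLOWED_TOP_KEYS:
        raise QmpFilterError("unexpected top-level keys %r"
                             % sorted(keys - ALLOWED_TOP_KEYS))
    if len(keys & MESSAGE_KINDS) != 1:
        raise QmpFilterError("must be exactly one of greeting/return/error/event")
    if "error" in message:
        err = message["error"]
        if not (isinstance(err, dict) and isinstance(err.get("class"), str)
                and isinstance(err.get("desc"), str)):
            raise QmpFilterError("error reply needs string 'class' and 'desc'")
    _check_value(message, 0)
    return message


def is_rejected(raw):
    """True if filter_message refuses the message (convenience for checks)."""
    try:
        filter_message(raw)
    except QmpFilterError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample messages, not captured from a real QEMU.
    print(filter_message(b'{"return": {}, "id": 7}\r\n'))
    print(is_rejected(b'{"return": 1.5}'), is_rejected(b'{"return": [[[[[[1]]]]]]}'))
```

The point of the design is that the expensive, historically bug-prone part (a general JSON parser in C) never runs on attacker-controlled input in the privileged domain: the filter refuses anything the consumer would not understand anyway, so libxl only ever sees small, flat, duplicate-free objects.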
- Marek to resubmit Linux stubdom patches to xen-devel, ask people to comment on which patches have consensus or open discussion items
- Ian J can review patches in mid-August
- Upstream Xen will merge the ones which are not contended
- Work towards consensus on contended patches