Linux stub domains

From Xen

Linux stub domains are used in QubesOS and OpenXT.

Upstreaming

todo: add remaining patches

00/17 Add support for qemu-xen runnning in a Linux-based stubdomain:

05/17 libxl: Handle Linux stubdomain specific QEMU options:

08/17 xl: add stubdomain related options to xl config parser

Interfaces between stubdom QEMU and dom0

Xen Summit 2019 Design Session

Display architecture proposed by Brendan K

  • migrate from display changer on Qubes and OpenXT surfman, to upstream Xen interfaces (from EPAM)
  • use Linux 5.1 drm-front driver for displayif
  • share common codebase for: EPAM, Qubes, OpenXT, Redfield

2019-07-common-linux-stubdom.png


QMP discussion

Proposal:

- LibXL and block backend: change "xenstore stuff" to "QMP stuff"

Concerns:

  1. QMP is not a simple protocol.
  2. xenstore-based protocol is much simpler than a JSON-encapsulated protocol.
  3. There have been multiple historical bugs in parsing of JSON in C.
  4. If we extend QMP support in LibXL and are communicating with a potentially compromised QEMU process, it would be a security regression.

Possible mitigations for a potentially compromised QEMU

  1. Reduce privileges given to the QEMU instance
  2. Limit interfaces to the QEMU instance
  3. Work with upstream QEMU to propose a new safer-than-JSON alternative marshalling format backend
  4. Minimize what LibXL does with QMP messages: use an off-the-shelf JSON firewall/translator/filter in the untrusted guest, limited to the QEMU subset of JSON
  5. Don't talk to QEMU after the device is started: mostly done today, but does not work for some corner cases: optical drive insert, device hotplug
  6. Have an option to intentionally break all QMP communications

Other notes:

  • Qubes uses dracut for build, OpenXT uses OE
  • For OpenXT/Qubes, many QEMU functions can build-time disabled
  • For Debian/SuSE distro, the generic QEMU binary has many functions enabled. It may be an option to ship "minimal QEMU" and "minimal kernel" configured binaries for distro stubdoms.

Actions:

  • Marek to resubmit Linux stubdom patches to xen-devel, ask people to comment on which patches have consensus or open discussion items
  • Ian J can review patches in mid-August
  • Upstream Xen will merge the ones which are not contended
  • Work towards consensus on contended patches