LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Qubes beta 1 released

Qubes beta 1 released

Posted Apr 15, 2011 1:01 UTC (Fri) by njs (guest, #40338)
In reply to: Qubes beta 1 released by jarrett.miller
Parent article: Qubes beta 1 released

> a hypervisor does not have to trust the: BIOS, system firmware, or OS that launched it.

I think you need to elaborate on what you mean by "trust" here -- it's a notoriously polysemous word. Certainly if some program's correctness depends on its ability to send packets, then it has to trust the ethernet driver to actually do that. Of course, right now the ethernet driver can also go ahead and read any random piece of host memory that it wants to via DMA -- fixing that would certainly improve things.

> In a TXT style system there is going to be a hypervisor and it protects itself from all of the OS's that it is in control of via hardware protections (basically IOMMU with page protection lists).

Not a critical point, but this is exactly how the kernel works now.

> So when someone exploits that flaw and roots that OS partition then the hypervisor should be able to tell (new executable pages come in to existence or the contents of executable pages change).

We already have NX protection, which does essentially the same thing -- prevents buggy programs from creating new executable code. It helps, but it's by no means a guarantee. There are the clever tricks for accomplishing exploits without generating executable code (return-to-libc and all that), and if you can exploit an environment that contains a JIT or dynamic language runtime then you can perform arbitrary actions without triggering the protections.

So I don't really see how TXT makes that much of a difference.

(Log in to post comments)

Qubes beta 1 released

Posted Apr 15, 2011 13:00 UTC (Fri) by jarrett.miller (guest, #60765) [Link]

1. Trust in the context of that sentence can be defined as trusting the BIOS, firmware, or spawning OS to not disable (either remove it or prevent it from being scheduled or receiving interrupts that it requires) as well as not tamper with (read,write or over write memory owned by the hypervisor).

2. Why are you brining correctness in to this. I never said that TXT had anything to do with correctness. So don't conflate the argument. All I said is that it allows you to get a reliable list of whats running on your computer.

3. On IOMMU. Are you sure you are correct? Last time I went over the kernel source (maybe 12 months ago) the kernel did not use IOMMU to prevent a DMA device from overwriting portions of kernel memory.

4. As it pertains to your last paragraph. TXT makes a big difference when you are talking about kernel level or firmware root kits and not application level exploits.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds