
Xen: finishing the job

Posted Mar 4, 2009 16:59 UTC (Wed) by mday_ii (subscriber, #25315)
Parent article: Xen: finishing the job

Xen is not a full hypervisor until it loads the first domain - dom0, which is (except for Sun's Xen) a Linux kernel + userspace. (Hence the patchset). Without dom0 Xen does not have any device support (other than cpu/mmu/ioapic), management or control interfaces, or accessibility (terminal or vnc server). So it is not correct to say Xen is different from KVM in the sense that only KVM requires a Linux host: so does Xen. Again, you don't have a Xen hypervisor without a dom0 Linux. So really, the Xen hypervisor is not any more lightweight than KVM, and you can't run it standalone (not if you want it to run any guests). When making this calculus, Xen + dom0 is significantly more kloc than KVM + toolchain.

When evaluating Xen for security, you must audit the dom0 kernel + userspace right along with the Xen kernel. dom0 is a fully privileged guest - it has access to memory for all other guests. You end up with more kloc to evaluate with Xen than with KVM.

KVM also supports PCI device pass-through (the feature which allows each device to be driven by a separate domain). KVM runs paravirtual Linux kernels using the standard paravirt-ops interface.

Xen's approach to managing guest page tables (paravirtualization and batching of page table updates) will lose its benefit quickly as EPT (nested page table) support moves guest page table management into the processor. Nehalem and Barcelona both support this feature, which in some tests eliminates more than 90% of traps into the hypervisor.


Xen: finishing the job

Posted Mar 5, 2009 10:12 UTC (Thu) by dw (subscriber, #12017) [Link]

Surely when 'measuring' the security of KVM, one should also take into account the security of Qemu (see for example this paper which is pretty damning).

Xen: finishing the job

Posted Mar 5, 2009 13:56 UTC (Thu) by mday_ii (subscriber, #25315) [Link]

Xen also uses Qemu for device emulation.

Xen: finishing the job

Posted Mar 8, 2009 4:33 UTC (Sun) by landley (subscriber, #6789) [Link]

You're aware that paper is several years old, right? It doesn't have a clear publication date attached, and you have to read all the way to page 3 to find:

> QEMU 0.8.2 was the latest version available as of this
> writing, which was used in its default configuration.

That was released July 22, 2006. That's about when the 2.6.17 kernel was released. So you're saying "look at all these bugs an old version of the project had". Keeping in mind that the project only _launched_ in 2003, it shouldn't come as a surprise that back when it was only 3 years old it didn't even have working x86-64 support yet (and even x86 had a very restricted and buggy set of hardware it could emulate), so its development community hadn't started paying attention to security auditing device emulations just yet. They were too busy trying to add enough features to make it usable.

I also note that the first place I saw that paper is when it was linked from the qemu development mailing list shortly after it came out, and that's when the developers went "oh, people are trying to use it for honeypots? Ok, we'd better add bounds checking and such then".

The qemu development community has roughly quadrupled in size since then, guesstimating by list traffic and source control commits...

The current qemu is 0.10.0, released March 4th. Among other new features, it integrates kvm support in the base qemu. Just FYI.

Rob

Xen: finishing the job

Posted Mar 12, 2009 23:57 UTC (Thu) by efexis (guest, #26355) [Link]

"Xen is not a full hypervisor until it loads the first domain - dom0"

Yes, but the domUs can't talk directly to the dom0 without going through the hypervisor code, can they? This means that dom0 doesn't have to be provably secure if the hypervisor is. The hypervisor is acting like a firewall between networks, and the smaller and simpler this bit of code is, the easier it is to reach higher levels of certainty that the system is secure.
