WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-users

RE: [Xen-users] Xen binary distrib's kernel as domU kernel

To: "Ulrich Windl" <ulrich.windl@xxxxxxxxxxxxxxxxxxxx>, xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] Xen binary distrib's kernel as domU kernel
From: "Petersson, Mats" <Mats.Petersson@xxxxxxx>
Date: Thu, 11 Jan 2007 12:00:46 +0100
Delivery-date: Thu, 11 Jan 2007 03:00:55 -0800
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <45A5F4CA.20189.5416217@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: Acc1UgqIcjXCh6NYTwa4UCh50JzvdQAHT3mQ
Thread-topic: [Xen-users] Xen binary distrib's kernel as domU kernel
 

> -----Original Message-----
> From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx 
> [mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of 
> Ulrich Windl
> Sent: 11 January 2007 07:27
> To: xen-users@xxxxxxxxxxxxxxxxxxx
> Subject: Re: [Xen-users] Xen binary distrib's kernel as domU kernel
> 
> On 10 Jan 2007 at 20:23, Sipos Ferenc wrote:
> 
> > Hi All,
> > 
> > just a quicky. Is it a security breach (by any means) if I run the
> > official XenSource e.g. vmlinuz-2.6-xen kernel as my domU kernel? I
> 
> AFAIK, openSUSE (SLES10) uses the very same kernel to boot 
> Dom0 and DomUs. It's 
> conventient if you think about kernel updates and kernel 
> security fixes. However 
> each DomU has it's own copy of the kernel that's used to boot 
> the DomU.
> 
> Never had an unsafe feeling with that.

I agree. The "safety" of DomU vs. Dom0 doesn't come from the
configuration of the kernel - It's the Xen hypervisor that knows if a
domain is Dom0 or DomU that makes it safe - and no matter what kernel
you load, DomU's will still not be able to do things they shouldn't,
since Xen itself will prevent it. Well, ok, so xend and some other tools
will also be involved in determining what gets set up for the kernel,
which in turn enables/disables some of the features, but those decisions
are still based on the information from the hypervisor when the Domain
is started - there can only be one Dom0. 

--
Mats
> 
> Ulrich
> 
> 
> > mean, this has the 'Privilege domain' option compiled in 
> (as the very
> > same one runs under the dom0 itself) as well as the 
> {net,block}-backend
> > drivers?
> > 
> > I'm using it in a potentially malicious environment (VPS 
> hosting) and I
> > want to make sure noone can tamper with system from a domU 
> the way that
> > is not desirable.
> > 
> > Thanks for your time in advance,
> > Frank
> > 
> > 
> > _______________________________________________
> > Xen-users mailing list
> > Xen-users@xxxxxxxxxxxxxxxxxxx
> > http://lists.xensource.com/xen-users
> 
> 
> 
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users
> 
> 
> 



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users