WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] Enabling domU to create other domUs

from [Hayawardh V] [Permanent Link][Original]
To: "Ian Jackson" <Ian.Jackson@xxxxxxxxxxxxx>
Subject: Re: [Xen-devel] Enabling domU to create other domUs
From: "Hayawardh V" <hayawardh@xxxxxxxxx>
Date: Thu, 10 Jul 2008 08:46:11 -0400
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Thu, 10 Jul 2008 05:46:33 -0700
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type:references; bh=AFhbJQMPOdGzaLDaAYjnmRXfbiHoP9iDJv+LjydsHKQ=; b=KhWexjWI5xqRpDXOXiSUuRrXgJNdiaa3OLRuVoy7M1ugwGTpin86DYFQQ8IkW2SrMc n5nbDfZUd5x0IO8Emv92mYKi1PXU7H4nPFOElENvoit9h0DCir0FaWoBhIjeoLLcuLvu twbeW75eHD8Xtp7FtFPFQ+RIfDIHR2VN81Ejk=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:references; b=sO4MTQdx4dwzuULgnE1WlvllcWFxqG3jfCzQnZZckcjob2b2A/Dr6v+QGDdYINfstx 9RsDDlIH+tqN4LpNfLvg3/wHNf9fD+Vr+s8F/CbIrMl/XQ7S+Xm/dvieTTp5W/je/7cf rrxTIe8TT+MtzlL3x1BL75k2MobT9hH97fld4=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <18548.45358.334113.690163@xxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <68f1f87c0807071014y69c3d573y2ef0d6c487371710@xxxxxxxxxxxxxx> <617dbaa80807080925l85f43bfje39e15bb22954b70@xxxxxxxxxxxxxx> <D936D925018D154694D8A362EEB0892004E07EFB@xxxxxxxxxxxxxxxxxxxxxxxxxxxx> <68f1f87c0807081945m72a886abn4fd5020cb4a57f2a@xxxxxxxxxxxxxx> <18548.45358.334113.690163@xxxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx


On Wed, Jul 9, 2008 at 8:38 AM, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> wrote:
Cihula, Joseph writes ("RE: [Xen-devel] Enabling domU to create other domUs"):
> If you're up for doing some work, I'd recommend that approach as it will
> not only solve your problem but also bring the community a step closer
> to a de-privileged dom0.

I agree with this (although the original enquirer may find that this
is not necessarily the most expedient path to solving their problem).

Thanks all for the suggestions. I am envisioning a system where each domain has the capability to create/destroy any domain and perform any task. In effect, all domains should have the power of the current-day dom0. The XSM policy should control which domain can do what. Isn't this the most general approach?

If the capability of domain creation is separated into a domB, still only domB will be capable of creating a domain.
(Of course, if all domains have full power, then the size of the TCB will depend on the properties of the policy).


I would not recommend using the Xen Security Modules arrangements.
There are quite a few bugs in this code, including some very serious
security bugs (which sadly we aren't allowed to give more information
about as the reports were embargoed).

Unfortunately turning on the XSM support is likely to result in a
substantially less secure system.

I agree that XSM today may be insufficient, but I am not going to use it in a production system, and hopefully it will mature in the future.

Hayawardh

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-devel] porting xen-detect ASM code into a shared library, Keir Fraser
Next by Date:  [Xen-devel] [PATCH] PV-GRUB: xfs support, Samuel Thibault
Previous by Thread:  Re: [Xen-devel] Enabling domU to create other domUs, Ian Jackson
Next by Thread:  SOLD OUT -- -Rolex Watchs under 250$ bekzzk, Scotty Gregg
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy