On Saturday, January 13, 2018 at 10:50:11 AM UTC-8, Vít Šesták wrote:
> I have one more idea: The Vixen patch could be useful for VMs with PCI 
> devices. Memory ballooning is not supported there anyway. QEMU in dom0 looks 
> ugly, but this case is a bit different: AFAIU, the attacker can directly talk 
> to QEMU if and only if she has escaped from PV. Maybe it is not nice, but it 
> is not that bad either.
> 
> With Qubes 3.2, I believe this can be a clean win. Compared to the proposal 
> (focusing on VMs with PCI devices only):
> 
> * It fixes Meltdown. The proposal does not address it for those VMs.
> * The attacker can try to break out from both PV and then from HVM or (more 
> likely) from PV and then pwn QEMU. This is arguably harder than breaking 
> directly from PV.
> 
> With Qubes 4.0 (still focusing on VMs with PCI devices only), it is still 
> probably an improvement:
> * If the attacker can pwn QEMU (but not PV), she can with the current proposal 
> read the whole memory using Meltdown. With Vixen, a QEMU vulnerability is 
> probably not enough for Meltdown.
> * If the attacker can escape from PV (but not QEMU), she can do pretty much 
> nothing. Well, with Vixen, she can read the content of the container, but I 
> don't think this is a serious issue.
> * If the attacker can both escape from PV and attack QEMU, you are doomed in 
> either case.
> * Theoretically: If the attacker can escape from HVM, you are better protected 
> with Vixen (because the attacker needs to escape from PV first).
> * If there are some vulnerabilities that do not allow full VM escape, you are 
> probably still better protected with Vixen. QEMU in dom0 runs as an ordinary 
> process (so attacks like buffer overread have quite limited impact) and it is 
> the same case for PV.
> 
> Have I missed something?
> 
> I don't say that Qubes should go this way. Maybe there are better ways to 
> achieve some goals (especially for 4.0+). I am just saying that QEMU in dom0 
> – however horrible it looks – might be acceptable in this special case.
> 
> Regards,
> Vít Šesták 'v6ak'

Would using a 32-bit PV provide any additional protection for Xen?
