QEMU for Xen secure by default
Deprivileging the PC system emulator
Ian Jackson
FOSDEM 2016
with assistance from Stefano Stabellini

[Diagram: guest I/O paths in the two x86 modes]
PV guest:  guest -> Xen PV driver -> Xen PV protocol -> Xen PV backend (usually in the dom0 kernel) -> device driver
HVM guest: guest -> IDE driver -> mmio, dma, etc. -> qemu (emulated IDE controller) -> syscalls (usually) -> kernel (usually dom0) -> device driver

[Slide: ...... from the Xen Security Team advisories page, http://xenbits.xen.org/xsa/ ]

Outline
Xen on x86 modes, and device model bug implications
Current status for users of upstream Xen and distros
and future plans
Mode  Device model                    Status                          Notes                                   Bugs mean
PV    (no DM)                         Fully supported                 Only modified guests                    Safe
HVM   qemu in dom0, as root           Fully supported                 Current default                         Vulnerable
HVM   qemu stub DM (qemu-xen-trad.)   Upstream but not in most        Ancient qemu. Build system problems     Safe
                                      distros.
HVM   qemu stub DM (rump kernel)      In progress                     Rump build system is a mini distro.     Safe
                                                                      Hard work!
HVM   qemu in dom0, not as root       Targeting Xen 4.7.              Defence in depth                        No privilege esc.
                                      Hopefully, will be default                                              Maybe dom0 DoS
[Diagram: qemu device model process running in dom0, not as root]
Inside the qemu device model process: guest "dma", mmio handling, ioport handling, interrupts; net, storage etc.
Around it: the guest domain; the dom0 kernel; access control between the qemu process and the underlying Xen disk, network, etc.
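The difference between the "qemu in dom0, as root" row and the "not as root" row is something an administrator can check directly on a host. The script below is an added example, not code from the slides or from the Xen or QEMU projects: it reads `ps -eo user:20,pid,args` output, picks out the Xen device-model processes by QEMU's `-xen-domid` option, and reports which user each one runs as. The SAMPLE_PS lines are constructed for an offline run, and the unprivileged user name xen-qemuuser-domid5 is only a sample. Stub-domain device models are separate domains rather than dom0 processes, so they do not show up here at all; only the two dom0 configurations from the table are distinguished.

```shell
#!/bin/sh
# Added example (not from the slides or from Xen/QEMU): report which user
# each Xen device-model process in dom0 runs as.  Live use:
#     ps -eo user:20,pid,args | classify_dm
# SAMPLE_PS is constructed so the script can run offline; the user name
# xen-qemuuser-domid5 is a sample, not necessarily what your toolstack picks.

SAMPLE_PS='USER                   PID COMMAND
root                   912 qemu-system-i386 -xen-domid 3 -chardev socket,id=libxl-cmd -name win7 -machine xenfv
xen-qemuuser-domid5   1340 qemu-system-i386 -xen-domid 5 -chardev socket,id=libxl-cmd -name debian-hvm -machine xenfv
root                   101 /usr/sbin/xenstored
alice                  200 qemu-system-x86_64 -enable-kvm -m 2048 -name desktop-vm'

# classify_dm: reads ps output on stdin.  For every process carrying a
# "-xen-domid N" argument it prints "N user VERDICT", where VERDICT is ROOT
# when the process runs as root (the "qemu in dom0, as root" row of the table)
# and OK otherwise.  Processes without -xen-domid (xenstored, a KVM qemu) are
# ignored.  Exit status is 1 if any device model runs as root, else 0.
classify_dm() {
    awk '
        NR == 1 && $1 == "USER" { next }           # skip the ps header line
        {
            for (i = 3; i <= NF; i++) {
                if ($i == "-xen-domid" && i < NF) {
                    if ($1 == "root") { verdict = "ROOT"; bad = 1 }
                    else               { verdict = "OK" }
                    print $(i + 1), $1, verdict
                    break
                }
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Stand-alone run over the constructed sample.
if printf '%s\n' "$SAMPLE_PS" | classify_dm; then
    echo "all Xen device models are deprivileged"
else
    echo "at least one Xen device model runs as root"
fi
```

On the sample input this flags domid 3 (root) and accepts domid 5; the KVM qemu and xenstored are ignored because neither carries `-xen-domid`. A non-root device model only removes the direct privilege-escalation path the table describes; as the last row notes, a bug in it can still cost you dom0 availability.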