QEMU for secure by default

Deprivileging the PC system

Ian Jackson

FOSDEM 2016

with assistance from Stefano Stabellini

[Diagram: guest I/O paths in the two modes. PV column: guest, Xen PV driver, Xen PV protocol, Xen PV backend (usually in the dom0 kernel), device driver. HVM column: guest, IDE driver, mmio, dma, etc., emulated IDE controller (usually qemu in dom0, reaching the dom0 kernel via syscalls), device driver.]

[Slide: from the Xen Security Team advisories page, http://xenbits.xen.org/xsa/]

Xen on x86 modes, and device model bug implications

Current status for users of upstream Xen and distros and future plans

Mode  Device model            Status              Bugs mean                       Notes
PV    (no DM)                 Fully supported     Safe                            Only modified guests
HVM   qemu in dom0 as root    Fully supported     Vulnerable                      Current default
HVM   qemu stub DM,           Upstream but not    Safe                            Ancient qemu.
      qemu-xen-trad.          in most distros.                                    Build system problems
HVM   qemu stub DM,           In progress         Safe                            Rump build system is mini distro.
      rump kernel                                                                 Hard work!
HVM   qemu in dom0,           Targeting Xen 4.7   No privilege esc.               Defence in depth.
      not as root                                 Maybe dom0 DoS                  Hopefully, will be default

[Diagram: the qemu device model process in dom0. Labels: qemu device model process; guest; dom0 kernel; guest "dma" domain; mmio handling; ioport handling; interrupts; net, storage etc.; access control; underlying Xen disk, network, etc.]

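The last table row is about running the qemu device model in dom0 as a non-root user, so that a device-model bug no longer hands a guest root in dom0. The deck does not show how the privilege drop is done; the following C program is an added illustration of the general deprivileging pattern and is not code from qemu, Xen or the speaker. The target uid/gid 65534 (the conventional "nobody" ids) and the function names are assumptions of this example; the ordering it shows (clear supplementary groups and set the gid while still root, set the uid last, then verify that root cannot be regained) is the part worth copying.

```c
/* Added example: permanent privilege drop for a device-model-style process.
 * Not qemu's or Xen's own code. Function names and the 65534 ids are
 * assumptions of this illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently switch to the given uid/gid. Returns 0 on success, -1 on
 * failure with errno set. Order matters: supplementary groups and the gid
 * can only be changed while still root, so they go first; the uid goes last. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0) {
        errno = EINVAL;          /* "dropping" to root is not a drop */
        return -1;
    }
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;               /* only root may clear supplementary groups */
    if (setgid(gid) != 0)
        return -1;
    /* setuid() called with euid 0 sets the real, effective and saved uid
     * together, so no saved root uid remains to switch back to. */
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Returns 1 if the process holds no root uid and cannot regain one, else 0.
 * Verifying after the drop is the step that catches a wrong ordering. */
int privilege_drop_is_permanent(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    /* Both calls must fail (EPERM) once the saved uid is no longer 0. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return 0;
    return 1;
}

/* Demonstration driver. Started as root, it drops to uid/gid 65534 (an
 * assumption of this example); started unprivileged, it re-asserts the
 * current ids, which exercises the same code path. Returns 1 when the
 * drop is verified to be permanent. */
int demo_deprivilege(void)
{
    uid_t uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = geteuid() == 0 ? (gid_t)65534 : getgid();
    if (drop_privileges(uid, gid) != 0)
        return 0;
    return privilege_drop_is_permanent();
}

int main(void)
{
    if (demo_deprivilege()) {
        printf("running as uid %u, root cannot be regained\n",
               (unsigned)geteuid());
        return 0;
    }
    fprintf(stderr, "privilege drop failed or incomplete: %s\n",
            strerror(errno));
    return 1;
}
```

This drops to fixed ids rather than reading them from configuration, and it opens no privileged resources beforehand; a real device model would open its disk and network descriptors first and keep only those, since after the drop it cannot reopen them. The "maybe dom0 DoS" entry in the table is exactly what a uid change does not address: a compromised unprivileged process can still exhaust CPU, memory or file descriptors unless it is also resource-limited.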