Published on KernelTrap (http://kerneltrap.org)

Virtualization Security

By Jeremy
Created Oct 25 2007 - 10:28

A thread on the OpenBSD -misc mailing list began by discussing whether or not Xen had been ported to OpenBSD, "is it planned at some point to release a paravirtualized xen kernel for OpenBSD 4.3 or 4.4?" Later in the discussion it was suggested that virtualization should be a priority for security reasons, "virtualization seems to have a lot of security benefits." OpenBSD creator Theo de Raadt strongly disagreed with this assertion, "you've been smoking something really mind altering, and I think you should share it." He went on to describe virtualization as "something on the shelf, [which] has all sorts of pretty colours, and you've bought it", explaining:

"x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."

Later in the thread, Theo went on to note, "if the actual hardware let us do more isolation than we do today, we would actually do it in our operating system. The problem is the hardware DOES NOT actually give us more isolation abilities, therefore the VM does not actually do anything what they say they do." He then suggested that the claims made for virtualization should be softened to something supportable, such as, "yes, it [increases] hardware utilization, and the nasty security impact might be low".


From: carlopmart <carlopmart@...>
Subject: About Xen: maybe a reiterative question but ..
Date: Oct 22, 4:05 am 2007

Hi all,

  I know that from time to time somebody asks the same question, but I need to know it:
is it planned at some point to release a paravirtualized xen kernel for OpenBSD
4.3 or 4.4???

  In March'08 I need to virtualize two openbsd servers under xen (host doesn't
support HVM guests). But if it is not possible, I will migrate to NetBSD ...

Many thanks.
-- 
CL Martinez
carlopmart {at} gmail {d0t} com

From: ropers <ropers@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 22, 2:36 pm 2007

On 22/10/2007, carlopmart <carlopmart@gmail.com> wrote:
> Hi all,
>
> I know that from time to time somebody asks the same question, but I need to know it:
> is it planned at some point to release a paravirtualized xen kernel for OpenBSD
> 4.3 or 4.4???

It already exists. You can run OpenBSD DomUs (ie. run OpenBSD as a Xen "guest"**), but AFAIK you still can't run OpenBSD Dom0s (ie. run OpenBSD as a Xen "host"**).

See http://www.ropersonline.com/openbsd/xen/

** This is a flawed metaphor, because Xen is a _hypervisor_, NOT an emulator. The Domain U installs are not really running as guest OSes, and the Domain zero installations are not really running as host OSes. But you need at least one Dom0 (which when I last looked into this still could not be OpenBSD) and you can install OpenBSD as a DomU.

I know very little, apart from having been curious once. If you want to know more, you probably really should talk to Christoph Egger, who did the actual porting work.

Thanks and regards,
--ropers

From: Nick Guenther <kousue@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 22, 3:11 pm 2007

On 10/22/07, ropers <ropers@gmail.com> wrote:
> On 22/10/2007, carlopmart <carlopmart@gmail.com> wrote:
> > Hi all,
> >
> > I know that from time to time somebody asks the same question, but I need to know it:
> > is it planned at some point to release a paravirtualized xen kernel for OpenBSD
> > 4.3 or 4.4???
>
> It already exists. You can run OpenBSD DomUs (ie. run OpenBSD as a Xen
> "guest"**), but AFAIK you still can't run OpenBSD Dom0s (ie. run
> OpenBSD as a Xen "host"**).
>
> See http://www.ropersonline.com/openbsd/xen/
>
> ** This is a flawed metaphor, because Xen is a _hypervisor_, NOT an
> emulator. The Domain U installs are not really running as guest OSes,
> and the Domain zero installations are not really running as host OSes.
> But you need at least one Dom0 (which when I last looked into this
> still could not be OpenBSD) and you can install OpenBSD as a DomU.
>

So that means that OpenBSD has code in it right now that detects if it's running under Xen and paravirtualizes itself?

-Nick

From: Jeff Quast <af.dingo@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 22, 6:07 pm 2007

On 10/22/07, Nick Guenther <kousue@gmail.com> wrote:
> On 10/22/07, ropers <ropers@gmail.com> wrote:
> > On 22/10/2007, carlopmart <carlopmart@gmail.com> wrote:
> > > Hi all,
> > >
> > > I know that from time to time somebody asks the same question, but I need to know it:
> > > is it planned at some point to release a paravirtualized xen kernel for OpenBSD
> > > 4.3 or 4.4???

yum

> > It already exists. You can run OpenBSD DomUs (ie. run OpenBSD as a Xen
> > "guest"**), but AFAIK you still can't run OpenBSD Dom0s (ie. run
> > OpenBSD as a Xen "host"**).
> >
> > See http://www.ropersonline.com/openbsd/xen/
> >

true

> > But you need at least one Dom0 (which when I last looked into this
> > still could not be OpenBSD) and you can install OpenBSD as a DomU.

Only recently using HVM, not paravirtualization

> So that means that OpenBSD has code in it right now that detects if
> it's running under Xen and paravirtualizes itself?
>

no

I would like to vouch for openbsd working great as a guest, but my guest has crashed a dozen times. However I think this is due to the debian linux dom0 having broken sata code for the controller in use. dom0's dmesg is filled with debug statements from sata related places in the kernel that should never be printed. We're in a messy de-centralized linux development world trying to get a stable dom0 patched together. It sucks.

The paravirtualization port appears dead to me. I've tried to keep up on it, but the guy's blog no longer mentions it, his repository is often down, and when it is up the commits do not appear to be very frequent. Also his blog hasn't mentioned it in a year or more.

http://hg.recoil.org/openbsd-xen-sys.hg
http://anil.recoil.org/blog/

From: ropers <ropers@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 22, 7:11 pm 2007

On 23/10/2007, Jeff Quast <af.dingo@gmail.com> wrote:
> I would like to vouch for openbsd working great as a guest, but my
> guest has crashed a dozen times. However I think this is due to the
> debian linux dom0 having broken sata code for the controller in use.
> dom0's dmesg is filled with debug statements from sata related places
> in the kernel that should never be printed. We're in a messy
> de-centralized linux development world trying to get a stable dom0
> patched together. It sucks.

This is what I meant to hint at earlier: Running an OpenBSD DomU in connection with, say, a Linux Xen Dom0 possibly makes that OpenBSD installation subject to bugs in the hypervisor/Dom0, and that may be unavoidable. The question is, is that a worthwhile trade-off? Is this a reason not to support Xen? Or should the user be given that option regardless of the inherent limitations and consequences?

--ropers

From: Luca Corti <luca@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 23, 4:03 am 2007

On Tue, 2007-10-23 at 01:11 +0200, ropers wrote:
> unavoidable. The question is, is that a worthwhile trade-off? Is this
> a reason not to support Xen? Or should the user be given that option
> regardless of the inherent limitations and consequences?

A proper Dom0 port of XEN to OpenBSD would solve this by removing the linux dependency. However this would probably require a significant effort on the OpenBSD side and a XEN Hypervisor code audit.

Also from earlier discussion on the list it seems this kind of virtualization may impact on security, which is in direct contrast with OpenBSD goals. Can someone elaborate more on this?

ciao

Luca

From: <adam.getchell@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 23, 8:57 pm 2007

Virtualization seems to have a lot of security benefits. Rootkits can lie to DomU but not Dom0, and of course snapshotting, migration etc is *really* nice.

Dom0 in OpenBSD in a current Xen implementation (with HVM) would be a dream. I'd switch wholesale, and buy a CD for every server (as I do now). But doubtless there are a whole host of issues, kernel, SMP, bootloaders (I found OpenBSD's bootloader to be superior to grub in Ubuntu 7.10, it detects media bay HDs, and the installer is fast, efficient, and doesn't crap out on certain video cards/monitors), an LVM, iSCSI support -- and I have no code to contribute, so I will merely remain hopeful without expectation.

I tried NetBSD Xen, but it seemed the worst of both worlds. Pf circa 3.7, hacks for grub, old version of Xen (2.x series IIRC) without support for the most interesting features, not the same level of security focus, etc.

So I just picked the best tool for the job. I'm happier our webservers are now on OpenBSD with CARP failover.

--
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu

-----Original Message-----
From: Luca Corti <luca@leenoox.net>
Date: Tue, 23 Oct 2007 10:03:42
To: ropers <ropers@gmail.com>
Cc: Jeff Quast <af.dingo@gmail.com>, OpenBSD-Misc <misc@openbsd.org>, Nick Guenther <kousue@gmail.com>
Subject: Re: About Xen: maybe a reiterative question but ..

> On Tue, 2007-10-23 at 01:11 +0200, ropers wrote:
> > unavoidable. The question is, is that a worthwhile trade-off? Is this
> > a reason not to support Xen? Or should the user be given that option
> > regardless of the inherent limitations and consequences?
>
> A proper Dom0 port of XEN to OpenBSD would solve this by removing the
> linux dependency. However this would probably require a significant
> effort on the OpenBSD side and a XEN Hypervisor code audit.
>
> Also from earlier discussion on the list it seems this kind of
> virtualization may impact on security, which is in direct contrast with
> OpenBSD goals. Can someone elaborate more on this?
>
> ciao
>
> Luca

From: Theo de Raadt <deraadt@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 23, 9:14 pm 2007

> Virtualization seems to have a lot of security benefits.

You've been smoking something really mind altering, and I think you should share it.

x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit.

You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.

You've seen something on the shelf, and it has all sorts of pretty colours, and you've bought it.

That's all x86 virtualization is.

From: Henning Brauer <lists-openbsd@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 24, 4:18 am 2007

* adam.getchell@gmail.com <adam.getchell@gmail.com> [2007-10-24 03:03]:
> Virtualization seems to have a lot of security benefits

seems?
to whom?
to people who never wrote a line of code and don't understand how 
things work?


-- 
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

From: L. V. Lammert <lvl@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 24, 9:31 am 2007

On Wed, 24 Oct 2007, Henning Brauer wrote:

> * adam.getchell@gmail.com <adam.getchell@gmail.com> [2007-10-24 03:03]:
> > Virtualization seems to have a lot of security benefits
>
> seems?
> to whom?
>
Virtualization provides near absolute security - DOM0 is not visible to the user at all, only passing network traffic and handling kernel calls. The security comes about in that each DOMU is totally isolated from the others, while the core DOM0 is isolated from any attacks.

There is also a big benefit when maintaining VM images - restoring a VM in the case of corruption/attack/whatever is as simple as reloading a copy of that image and connecting to system data on the local SAN.

Irrespective of the guest OS, there is good security between the virtualized machines. Running OBSD as the guest OS provides the best of both worlds, and it would be great if OBSD would run paravirtualized for the best performance, but apparently nobody has a need for that functionality.

> to people who never wrote a line of code and don't understand how
> things work?
>
Nobody has to write any code to understand that - the security benefits are obvious to everyone from the PHBs to the admins. Of course, this is most obvious in 'enterprise space', which is pretty far removed from the typical OBSD world.

Lee

================================================
Leland V. Lammert lvl@omnitec.net
Chief Scientist Omnitec Corporation
Network/Internet Consultants www.omnitec.net
================================================

From: Henning Brauer <lists-openbsd@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 24, 11:12 am 2007

* L. V. Lammert <lvl@omnitec.net> [2007-10-24 16:46]:
> Virtualization provides near absolute security - DOM0 is not visible to
> the user at all, only passing network traffic and handling kernel calls.
> The security comes about in that each DOMU is totally isolated from the
> the others, while the core DOM0 is isolated from any attacks.

dream on.
that is what marketing wants to tell you.
in fact the isolation is incredibly poor.

--
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam

From: L. V. Lammert <lvl@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 24, 1:48 pm 2007

At 05:12 PM 10/24/2007 +0200, Henning Brauer wrote:
>* L. V. Lammert <lvl@omnitec.net> [2007-10-24 16:46]:
> > Virtualization provides near absolute security - DOM0 is not visible to
> > the user at all, only passing network traffic and handling kernel calls.
> > The security comes about in that each DOMU is totally isolated from the
> > the others, while the core DOM0 is isolated from any attacks.
>
>dream on.
>that is what marketing wants to tell you.
>in fact the isolation is incredibly poor.

Sorry, the kernel hacking world is pretty far removed from 'enterprise reality' <not that it's a bad thing - I often wish it were that simple>!! In reality, there are tons of SMEs out there using MS Crap and other risky software! The few security risks you cite for XEN are negligible by comparison.

Anything we can do to increase security, *including* setting up VMs (of any flavor) is an improvement [that also increased hardware utilization].

Lee

From: Theo de Raadt <deraadt@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 24, 2:03 pm 2007

> At 05:12 PM 10/24/2007 +0200, Henning Brauer wrote:
> >* L. V. Lammert <lvl@omnitec.net> [2007-10-24 16:46]:
> > > Virtualization provides near absolute security - DOM0 is not visible to
> > > the user at all, only passing network traffic and handling kernel calls.
> > > The security comes about in that each DOMU is totally isolated from the
> > > the others, while the core DOM0 is isolated from any attacks.
> >
> >dream on.
> >that is what marketing wants to tell you.
> >in fact the isolation is incredibly poor.
>
> Sorry, the kernel hacking world is pretty far removed from 'enterprise
> reality' <not that it's a bad thing - I often wish it were that simple>!!
> In reality, there are tons of SMEs out there using MS Crap and other risky
> software! The few security risks you cite for XEN are negligible by comparison.
>
> Anything we can do to increase security, *including* setting up VMs (of any
> flavor) is an improvement [that also increased hardware utilization].

This last sentence is such a lie.

The fact is that you, and most of the other fanboys, only care about the [that also increased hardware utilization].

The yammering about security is just one thing -- job security. You've got to be able to sell increased hardware utilization in a way that does not hang you up at the end of the day.

If people were saying:

    "Yes, it increased hardware utilization, and the nasty
    security impact might be low"

it would be fine.

But instead we have many uneducated people saying:

    "Yes, it increased hardware utilization, and it improved security
    too".

And that's complete and utter bullshit.

From: L. V. Lammert <lvl@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 24, 2:41 pm 2007

At 12:03 PM 10/24/2007 -0600, Theo de Raadt wrote:
> > Anything we can do to increase security, *including* setting up VMs (of
> any
> > flavor) is an improvement [that also increased hardware utilization].
>
>This last sentence is such a lie.

That depends on your viewpoint. There certainly may be some issues at the OS level (which have been mentioned previously), however the majority of VM applications benefit from security *isolation*, which has nothing to do with security issues of the underlying OS, and that was the viewpoint I was communicating.

For example, say you have three departments within a company: Marketing, Development, Production. Allowing each department to maintain their own server instance allows each department to have their own users, home directory configuration, samba (possibly) network config & authorization, separate file/print sharing domain, etc. That is simply not doable with a single OS, yet with reasonably priced h/w all can be maintained on one platform.

The security benefits are at the application level, *NOT* at the OS level.

>If people were saying:
>
> "Yes, it increased hardware utilization, and the nasty
> security impact might be low"
>
>it would be fine.
>
>But instead we have many uneducated people saying:
>
> "Yes, it increased hardware utilization, and it improved security
> too".
>
>And that's complete and utter bullshit.

Perhaps more correctly:

    "Yes, it increased hardware utilization, and it improves security/isolation between different work domains"

However few outside this community would have any comprehension of the difference.

Lee

From: Theo de Raadt <deraadt@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 24, 3:46 pm 2007

> The security benefits are at the application level, *NOT* at the OS level.

What hogwash.

The security benefits are at the "ability to buy a steak for dinner" level.

You've already made the decision to decrease security by de-compartmentalizing onto one physical box, so you are just thrilled with the ability to decrease security more by de-compartmentalizing the software further.

From: L. V. Lammert <lvl@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 24, 4:31 pm 2007

On Wed, 24 Oct 2007, Theo de Raadt wrote:

> > The security benefits are at the application level, *NOT* at the OS level.
>
> What hogwash.
>
> The security benefits are at the "ability to buy a steak for dinner"
> level.
>
Nah, I like steak, I hate enterprise computing.

> You've already made the decision to decrease security by
> de-compartmentalizing onto one physical box, so you are just thrilled
> with the ability to decrease security more by de-compartmentalizing
> the software further.
>
Quite the opposite!! A VM provides a safe, sane, decently compartmentalized way to run a specific application domain. It's obvious we have different viewpoints, but both are equally valid - yours from the OS, mine from the application.

Lee

================================================
Leland V. Lammert lvl@omnitec.net
Chief Scientist Omnitec Corporation
Network/Internet Consultants www.omnitec.net
================================================

From: Kevin Stam <harpalus.como@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 24, 5:04 pm 2007

You have failed to satisfactorily explain why running a specific application in a VM is more secure than running it in a standard OS. It's nonsense that you think it's more secure that way. It saves a lot of money, yes -- you don't necessarily want a separate box just to run an application - but that's not the debate here. The debate is about security, and I'm amazed that you think a virtual environment is somehow more secure than a dedicated non-virtual environment.

On 10/24/07, L. V. Lammert <lvl@omnitec.net> wrote:
>
> On Wed, 24 Oct 2007, Theo de Raadt wrote:
>
> > > The security benefits are at the application level, *NOT* at the OS
> level.
> >
> > What hogwash.
> >
> > The security benefits are at the "ability to buy a steak for dinner"
> > level.
> >
> Nah, I like steak, I hate enterprise computing.
>
> > You've already made the decision to decrease security by
> > de-compartmentalizing onto one physical box, so you are just thrilled
> > with the ability to decrease security more by de-compartmentalizing
> > the software further.
> >
> Quite the opposite!! A VM provides a safe, sane, decently
> compartmentalized way to run a specific application domain. It's obvious
> we have different viewpoints, but both are equally valid - yours from the
> OS, mine from the application.
>
> Lee
>
> ================================================
> Leland V. Lammert lvl@omnitec.net
> Chief Scientist Omnitec Corporation
> Network/Internet Consultants www.omnitec.net
> ================================================

From: Theo de Raadt <deraadt@...>
Subject: Re: About Xen: maybe a reiterative question but ..
Date: Oct 24, 5:41 pm 2007

> You have failed to satisfactorily explain why running a specific application
> in a VM is more secure than running it in a standard OS. It's nonsense that
> you think it's more secure that way. It saves a lot of money, yes -- you
> don't necessarily want a separate box just to run an application - but
> that's not the debate here. The debate is about security, and I'm amazed
> that you think a virtual environment is somehow more secure than a dedicated
> non-virtual environment.

It's that extra 4MB of poo code, that is what makes it more secure. It's slippery and sticky at the same time, so that the application attackers slip and slide and fall into the page boundaries.

If the actual hardware let us do more isolation than we do today, we would actually do it in our operating system. The problem is the hardware DOES NOT actually give us more isolation abilities, therefore the VM does not actually do anything what they say they do.

While x86 hardware has the same page-protection hardware that an IBM 390 architecture machine has, modern PC machines are a mess. They are architecturally so dirty, that parts of the video, keyboard, and other IO devices are interfaced with even to do simple things like context switching processes and handling interrupts.

Those of us who have experience with the gory bits of the x86 architecture can clearly say that we know what would be involved in virtualizing it, and if it was so simple, we would not still be fixing bugs in the exact same area in our operating system going on 12 years.

We know what a VM operating system has to do to deal with the PC architecture. It is too complex to get perfectly right. And now you've entered into the layered approach where *any error* in the PC model exposed to the client operating system is not just a crashing bug -- it is now exploitable.

It might be nice, but it is stupid.

And anyone who thinks there is any security advantage at any level knows nothing about PC architecture.


Source URL:
http://kerneltrap.org/OpenBSD/Virtualization_Security