Re: [Xen-devel] Enabling domU to create other domUs - Ian Jackson - com.xensource.lists.xen-devel

8 messages in com.xensource.lists.xen-develRe: [Xen-devel] Enabling domU to crea...

From	Sent On	Attachments
Hayawardh V	07 Jul 2008 10:14
Derek Murray	08 Jul 2008 09:24
Ian Jackson	08 Jul 2008 10:19
Hayawardh V	08 Jul 2008 19:45
Cihula, Joseph	08 Jul 2008 21:10
Ian Jackson	09 Jul 2008 05:37
Hayawardh V	10 Jul 2008 05:45
Hayawardh V	04 Sep 2008 08:16

Subject:	Re: [Xen-devel] Enabling domU to create other domUs
From:	Ian Jackson (Ian....@eu.citrix.com)
Date:	07/09/2008 05:37:43 AM
List:	com.xensource.lists.xen-devel

Cihula, Joseph writes ("RE: [Xen-devel] Enabling domU to create other domUs"):

If you're up for doing some work, I'd recommend that approach as it will not only solve your problem but also bring the community a step closer to a de-privileged dom0.

I agree with this (although the original enquirer may find that this is not necessarily the most expedient path to solving their problem).

Hayawardh V writes ("Re: [Xen-devel] Enabling domU to create other domUs"):

On Tue, Jul 8, 2008 at 12:25 PM, Derek Murray <Dere...@cl.cam.ac.uk> wrote:

[...] you could probably conjure up a Xen Security Module that enforced hierarchical privilege, but you would probably still have to modify the tools.

I would not recommend using the Xen Security Modules arrangements. There are quite a few bugs in this code, including some very serious security bugs (which sadly we aren't allowed to give more information about as the reports were embargoed).

Unfortunately turning on the XSM support is likely to result in a substantially less secure system.

Ian.