Port-xen archive


Re: pv-grub?



On Fri, Feb 10, 2012 at 07:47:54PM +0100, Manuel Bouyer wrote:
> On Fri, Feb 10, 2012 at 01:42:13PM -0500, Greg Troxel wrote:
> > 
> > It seems there is "pv-grub", which is grub compiled to use
> > paravirtualized ops, and one can set that as the kernel for a domU so
> > that the actual domU kernel can be obtained from the domU filesystem;
> > this seems like a big win for a VPS setup where the user has no dom0
> > access.
> > 
> > But I can't find pv-grub in pkgsrc; it seems it comes with xen.   Is
> > there a package?  Does it even work with a NetBSD dom0 (I would think it
> > wouldn't matter which dom0 one uses)?  Does it compile under NetBSD, or
> > is there a linux binary someplace?  Is anyone using it?
> 
> I've never heard of pv-grub, but we have pygrub which is part of all
> xentools* packages, and works with a NetBSD dom0. I never tried it for a
> NetBSD domU, but it works for linux domUs.

pvgrub is far superior to pygrub for security reasons.  Besides the obvious
(pygrub is a python script running as root on the dom0 that the user
can input into, and that tries to pull files out of an untrusted block
device without mounting that block device; obviously dangerous things),
there were recent vulnerabilities in the code that unzips the linux kernel;
if you use pygrub or let the user upload DomU kernels to the Dom0, you
are vulnerable.  If you use pvgrub, the dom0 loads the (trusted) pvgrub
kernel; the user can break into pvgrub, sure, but that
is the running instance of pvgrub that runs within their xen guest,
so they can harm no one.

Pvgrub has the additional benefit of being able to call itself.   In
my vps setup, I tell pvgrub to first boot to (hd1,0)/boot/grub/menu.lst
which will sit for two seconds letting the user choose a read-only 
rescue image (the second drive is the read-only rescue drive)  
and after two seconds it calls pvgrub (hd0,0)/boot/grub/menu.lst
which is the menu.lst on the user's writable partition.  This way
there is no way the user can mess up the system to the point they cannot
get into the rescue image, but at the same time, the user can
write to the default menu.lst.

All that said, as far as I can tell, if you do a source compile of 
xen somewhere, it'll build pvgrub for you; just copy the binary over
to the server you want to use pvgrub on.  It is run within the xen
guest, so it shouldn't matter if you compile it on linux or bsd or
whatever.  
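
The two-stage boot described in the message above, written out as configuration. This is an added example, not from the original post or the poster's actual setup; the guest name, volume paths, pvgrub image path and rescue kernel file names are assumed placeholders, and it assumes a copy of the pvgrub image is stored on the rescue disk.

```conf
# --- dom0: guest config file (xm/xl syntax) ---------------------------
# All names and paths here are assumed placeholders.
name   = "guest1"
memory = 512

# dom0 loads only the trusted pvgrub image, never a guest-supplied kernel,
# so no guest-controlled data is parsed or decompressed in dom0.
kernel = "/usr/lib/xen/boot/pv-grub-x86_64.gz"

# First stage: the menu.lst on the read-only rescue disk (second drive).
extra  = "(hd1,0)/boot/grub/menu.lst"

disk   = [ "phy:/dev/vg0/guest1-root,xvda,w",   # (hd0): user's writable disk
           "phy:/dev/vg0/rescue,xvdb,r" ]       # (hd1): rescue image, read-only

# --- rescue disk: (hd1,0)/boot/grub/menu.lst --------------------------
# The guest cannot modify this file because the disk is exported read-only.
default 0
timeout 2

# Default entry: after two seconds, start pvgrub again, this time pointed
# at the menu.lst on the user's writable partition.
title User bootloader
    root (hd1,0)
    kernel /boot/pv-grub-x86_64.gz (hd0,0)/boot/grub/menu.lst

# Selectable during the two-second window; usable even when the user's
# own menu.lst or kernel is broken.
title Rescue image (read-only)
    root (hd1,0)
    kernel /boot/vmlinuz-rescue root=/dev/xvdb1 ro
    initrd /boot/initrd-rescue.img
```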

