Post ASU9CHQcwXwkSGAPey by Nukular@chaos.social
Post #ASSvlY2bZqM7b3tTay by mjg59@nondeterministic.computer
2023-02-08T09:39:41Z
0 likes, 0 repeats
All I want is a tiny x86 hypervisor I can launch from UEFI, have it segment off a small amount of RAM and then pass all (well, almost all) the hardware back to the firmware, and then let me boot Linux except I've now got a little enclave I can run my own code in
Post #ASSw6YwHQwW4SlxK8e by promovicz@chaos.social
2023-02-08T09:43:25Z
0 likes, 0 repeats
@mjg59 I would love something similar - just a simple VM multiplexer that I can run several normal systems on. Kinda like Qubes, but without all the dead weight.
Post #ASSwOlR7htQSR53soq by mjg59@nondeterministic.computer
2023-02-08T09:46:56Z
0 likes, 0 repeats
Xen doesn't really do this, because dom0 is more privileged than the domUs whereas I basically want the equivalent of a domU that *can't* be subject to introspection from the dom0
Post #ASSwgXpL2raJRIrmYi by mjg59@nondeterministic.computer
2023-02-08T09:49:51Z
0 likes, 0 repeats
@josh Hmm possibly but I'd have to add AMD support for my specific case (which is very much a me problem, so that's ok)
Post #ASSwnW4rwqh82ZSHk8 by erincandescent@queer.af
2023-02-08T09:50:13Z
0 likes, 0 repeats
@mjg59 I do wonder how much complexity/how many security holes you end up with when you pass through enough APIs to dom0 to enable virtio & such to work (for dom0 controlled VMs, not for "secure enclaves", ofc)
Post #ASSwvWsIrqx4pWOleq by fincham@cloudisland.nz
2023-02-08T09:52:16Z
0 likes, 0 repeats
@mjg59 insert wifi sd card
Post #ASSx3SeqQkWY4FsxzE by mjg59@nondeterministic.computer
2023-02-08T09:53:19Z
0 likes, 0 repeats
@josh I think I actually looked at ACRN for this a few years back, but at the time it felt like a code dump rather than a maintained project, so nice to see it's still going!
Post #ASSxJH8V2GXmy1IUGe by promovicz@chaos.social
2023-02-08T09:56:17Z
0 likes, 0 repeats
@mjg59 You could mock this with Xen by using a custom dom0 ramdisk that ignores most devices, forcibly passes them to a domU, largely deletes itself afterwards and offers no login or any further interaction. It's not what you ask for, but it might be easier to achieve.
Post #ASSxRRqd5qV4VPpsIq by mjg59@nondeterministic.computer
2023-02-08T09:58:26Z
0 likes, 0 repeats
@promovicz I think this is actually tough - it's not just passing through devices, it's passing through the entire platform (with minor restrictions). Eg, laptop hotkeys sending stuff via WMI still need to end up generating events in the OS environment.
Post #ASSxZVQheyqvvnYEJE by mjg59@nondeterministic.computer
2023-02-08T09:59:26Z
0 likes, 0 repeats
@josh Hrm. Actually, no, this isn't quite what I want. Rather than launching a service VM, I want it to just launch Linux.
Post #ASSxhhhxtQVOKRXBk8 by darkling@mstdn.social
2023-02-08T10:01:27Z
0 likes, 0 repeats
@mjg59 When you say "can't", is that in the sense of "this particular set of code in the dom0 doesn't have the capability", or "if someone injects a rootkit into my dom0, it still can't read the domU"?
Post #ASSxsqzZiQAiJA5Vcu by byterhymer@mastodon.social
2023-02-08T10:03:26Z
0 likes, 0 repeats
@mjg59 Agreed, it is actually tough. Doesn't mean it isn't worthwhile! AFAIK, neither bhyve, nor OpenBSD's vmm, nor bitvisor have attempted to run that low level. Still, makes me think back to how Amax II on the Amiga (with its microkernel) could run Mac software *faster* than Mac hardware; something I've never seen in any emulator or hypervisor since. ;-/ If only microkernel OSes were more popular? (U)EFI seems bloated as contrasted with (OK)L4 & AST hates what Intel did with Minix. @promovicz
Post #ASSy0ORNkktk4dgoIy by mjg59@nondeterministic.computer
2023-02-08T10:03:30Z
0 likes, 0 repeats
@darkling The latter
Post #ASSy98DHSJfILrGCZc by mjg59@nondeterministic.computer
2023-02-08T10:05:15Z
0 likes, 0 repeats
@byterhymer @promovicz Right, I just don't think trying to do it with existing passthrough primitives is the right approach. I'm fine with basically everything except the RAM used by the hypervisor, the protected enclave VM, and the iommu being given directly to the OS VM
Post #ASSyGoqPLvnIb3EAe8 by promovicz@chaos.social
2023-02-08T10:06:25Z
0 likes, 0 repeats
@mjg59 True. As you doubtless know that will get you into having to take care of drivers. I experiment with stuff like this on occasion and have been sticking to KVM because it makes for a simpler host (Linux vs Xen+Linux). Simpler would of course be better, but then my goal is just to be "better" than Qubes.
Post #ASSyOqFlzuOPHduwgS by deetwenty@todon.nl
2023-02-08T10:08:45Z
0 likes, 0 repeats
@mjg59 I think to do that you would need to shadow both the MMU and IOMMU (and both are required otherwise an "attacker" can just tell a driver to DMA your protected zone), but once you have that the rest should be "simple"
Post #ASSyVBEyseGy6zZMVk by mjg59@nondeterministic.computer
2023-02-08T10:08:48Z
0 likes, 0 repeats
@promovicz My model here is the Hyper-V approach that Microsoft take for things like Credential Guard - as far as the drivers are concerned, they're all speaking to the real hardware (because all the hardware address ranges are mapped through directly)
Post #ASSycBZY2sbFASWup6 by darkling@mstdn.social
2023-02-08T10:10:30Z
0 likes, 0 repeats
@mjg59 I've got no expertise in this area at all, but that sounds... really hard? You've got some mechanism (implied: in the dom0) forbidding the domU from accessing some RAM (so, I'd guess, veto over page table requests). You'd then need something that forbids the dom0 from doing the same thing back to the domU.
Post #ASSyiMsEwK7hxLDkdE by mjg59@nondeterministic.computer
2023-02-08T10:11:03Z
0 likes, 0 repeats
@darkling Right, this is why Xen just doesn't work for what I want
Post #ASSypPuq1orLPwnUqu by darkling@mstdn.social
2023-02-08T10:11:54Z
0 likes, 0 repeats
@mjg59 So, they're effectively siblings at that level -- mutually able to veto the other's access to their own page tables. Either that, or there's some trusted mechanism even higher (hardware?) that allows the two slices of the machine to coexist without ever knowing about each other.
Post #ASSypQym4fbOiRe9cu by mjg59@nondeterministic.computer
2023-02-08T10:12:47Z
0 likes, 0 repeats
@darkling The hypervisor mediates that. The problem with Xen's approach is that dom0 is treated as privileged not only with regard to accessing the hardware, but also with regard to accessing other VMs. That's not an inherent property of type 1 hypervisors.
Post #ASSz0wBsN6jahYGBXM by gpshead@infosec.exchange
2023-02-08T10:16:08Z
0 likes, 0 repeats
@mjg59 this smells like System Management Mode. Which UEFI firmware should be doing, but I'd be surprised if it allowed loading other code into SMM.
Post #ASSzEHlxRRz9OwVB5s by darkling@mstdn.social
2023-02-08T10:18:32Z
0 likes, 0 repeats
@mjg59 Aaah, yes, I'd forgotten that dom0 in Xen isn't the hypervisor itself. If you trust the hypervisor, then of course it *could* do exactly what you want, but doesn't in Xen's case. I said I didn't have expertise in this area, and now I've proved it. :catmoji_grin:
Post #ASSzLFUALKRMKrV4L2 by mjg59@nondeterministic.computer
2023-02-08T10:18:41Z
0 likes, 0 repeats
@gpshead Ooh yeah there's no way to get anything else in there (Intel had a program at one point for letting you run your own code on the Management Engine, but cancelled it several years back)
Post #ASSzRLjq0ZZrSvjvFI by mjg59@nondeterministic.computer
2023-02-08T10:19:27Z
0 likes, 0 repeats
@darkling Yup, that's exactly the problem. The closest things I've found are examples of having a hypervisor whose job it is to backdoor Windows…
Post #ASSzZcF4X0mcy4I60u by xenproject@floss.social
2023-02-08T10:20:17Z
0 likes, 0 repeats
@mjg59 You want HyperLaunch: https://youtu.be/9TIUZTm2Fy4
Post #ASSzZebTkftYI8n1DU by xenproject@floss.social
2023-02-08T10:21:20Z
0 likes, 0 repeats
@mjg59 Wiki hasn't been updated in a few years, but the work is making steady progress: https://wiki.xenproject.org/wiki/Hyperlaunch
Post #ASSzhC3Hn0ca3cOJtY by darkling@mstdn.social
2023-02-08T10:22:16Z
0 likes, 0 repeats
@mjg59 I wonder if there's some (preferably academic PoC) malware out there that you could repurpose?
Post #ASSzpREzCabjTsnNZo by promovicz@chaos.social
2023-02-08T10:24:10Z
0 likes, 0 repeats
@mjg59 Sure - that does make sense. It might be possible to configure one of the smaller hypervisors (xVisor, ACRN) like that. And I guess we wouldn't know about corner-cases without trying... it should work, shouldn't it?
Post #ASSzwqIORl3xDMv572 by mjg59@nondeterministic.computer
2023-02-08T10:25:02Z
0 likes, 0 repeats
@xenproject Sounds interesting! I'll look into it.
Post #AST05TcQ81yDUPP86a by xenproject@floss.social
2023-02-08T10:27:35Z
0 likes, 0 repeats
@mjg59 @darkling Xen has Flask, which is the equivalent of SELinux. You can use this to set up a non-omnipotent dom0.
Post #AST0W1VakWX47sruz2 by akendo@chaos.social
2023-02-08T10:32:49Z
0 likes, 0 repeats
@mjg59 have you heard of or tried LinuxBoot[0]?
[0]: https://www.linuxboot.org/
Post #AST1IvAr5bVSfaUAbo by mjg59@nondeterministic.computer
2023-02-08T10:41:46Z
0 likes, 0 repeats
@akendo Yes - it doesn't solve this problem (it lets me run Linux in the firmware, but using Linux as a hypervisor means that the hypervisor is going to be driving a bunch of the hardware, which isn't what I want)
Post #AST9hGxYXgNsosO5y4 by aruediger@mastodon.world
2023-02-08T12:15:38Z
0 likes, 0 repeats
@mjg59 Sounds like a job for seL4. In phones it’s used to isolate the baseband processor. Might work for this use case, too.
Post #ASTAnlx2KSSgd7o9I0 by arafel@mas.to
2023-02-08T12:28:03Z
0 likes, 0 repeats
@mjg59 Out of interest, what do you want this for? Depending on the threat model it may not be enough.
Post #ASTCOhrSb8iUc8NJD6 by tklengyel@discuss.systems
2023-02-08T12:45:48Z
0 likes, 0 repeats
@mjg59 Xen has a new mode called dom0less, you might want to check that out https://xenbits.xen.org/docs/unstable/features/dom0less.html
Post #ASTGqQasn60Qz95xFg by ncweaver@thecooltable.wtf
2023-02-08T13:35:38Z
0 likes, 0 repeats
@mjg59 It's the "not subject to introspection from the more-privileged part" that is hard hard hard. Intel tried that basically with SGX, and gave up on it as being an abject failure.
Post #ASTHiKFqZmwAxgxLRw by mxk@hachyderm.io
2023-02-08T13:45:22Z
0 likes, 0 repeats
@mjg59 have you had a look at jailhouse? It's a rather small static partitioning hypervisor and comes with a way simpler setup than turning your main system into a xen dom0
https://github.com/siemens/jailhouse
Post #ASTXssCqnXjiQJbdTM by Rairii@haqueers.com
2023-02-08T16:46:42Z
0 likes, 0 repeats
@mjg59 i mean theoretically hyper-v (with its virtual trust levels) can do this. Would be interesting to see someone who isn't MS reimplement the public hyper-v spec
Post #ASTdi3w9RWV9LS1VVg by mjg59@nondeterministic.computer
2023-02-08T17:52:06Z
0 likes, 0 repeats
@ncweaver in the case I want, neither vm is more privileged (other than one having access to the hardware)
Post #ASTfSsuKMqzYhc3osy by alx@mastodon.mit.edu
2023-02-08T18:11:00Z
0 likes, 0 repeats
@ncweaver @mjg59 What do you want to do with the enclave, though? I imagine it will be subject to the same kinds of side-channel attacks as SGX.
Post #ASTfStsaknCJiWFwoq by mjg59@nondeterministic.computer
2023-02-08T18:11:41Z
0 likes, 0 repeats
@alx @ncweaver that's still significantly better than no barriers at all
Post #ASTjJ7guwlw1TSOBDE by gpshead@infosec.exchange
2023-02-08T18:54:33Z
0 likes, 0 repeats
@mjg59 To be fair, the security vulnerabilities in Intel and AMD management engine coprocessors count as undocumented APIs per Hyrum's Law... 😅
Post #ASU9CHQcwXwkSGAPey by Nukular@chaos.social
2023-02-08T23:44:43Z
0 likes, 0 repeats
@mjg59 I think something like jailhouse could maybe do that but you'd have to launch it from something like Linuxboot if you want it from efi
Post #ASU9nf6DtkwMaERqfw by mjg59@nondeterministic.computer
2023-02-08T23:51:44Z
0 likes, 0 repeats
@mxk I don't want to devote an entire CPU to it, so I do need something that supports some level of scheduling