[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Xen support on Squeeze

Brian May <bam@snoopy.debian.net> writes:

> http://blog.orebokech.com/2007/05/xen-security-or-lack-thereof.html links to
> http://taviso.decsystem.org/virtsec.pdf.

> I don't know for certain this applies to KVM, however I would assume so.

Only to a certain extent. Nowadays Linux guests in KVM use virtio
for disk/network devices and you can disable most of the rest
(vga/cdrom, etc) if you only need a Xen replacement, leaving only a
few emulated devices.

You can additionally run the kvm processes unprivileged and chrooted
on the host, and in some distributions you can even sandbox them
using SELinux (Fedora/RHEL) or AppArmor (Ubuntu). Sadly, it seems
that Debian isn't quite there yet.

Also, it is my impression that QEMU receives much more attention now
that KVM is popular, so its security record will probably improve
over time.

Romain Francoise <rfrancoise@debian.org>

Reply to: