Xen, FC5 & Security

Fedora Core 5 seems to be shaping up well, with the integration of Xen for virtualization. It’s pretty simple to get Xen up and running now with Fedora: just install FC5 Test 2 and follow the instructions at the Fedora Xen Quickstart page. You can manually install the hypervisor & Xen kernel, or let anaconda handle it by adding ‘xen0’ to the end of the kernel command line. Adding guests is trivial with Jeremy’s magic guest installer script.

Here’s a screenshot of a graphical guest install via VNC:

[Screenshot: Xen guest install via VNC]

I only ran into a couple of problems:

  • The installer script is picky about the amount of memory available, and won’t proceed with less than 256MB allocated for the guest. This is not unreasonable, but I only have 512MB of memory on my laptop and the system wasn’t happy until I reduced Dom0’s memory to 192MB (using dom0_mem=192M as a hypervisor boot option).
  • I had to make sure that the primary network interface was eth0, as there’s quite a lot of work yet to do on the Xen networking scripts.

There’s a fedora-xen mailing list for users and developers.

From a security point of view, Xen is interesting in a number of ways. The simplest and perhaps most powerful is being able to run different services in different virtual machines, each locked down to the bare minimum for its task. On the same physical hardware, you can have, say, a virtual machine for your web server and another for DNS. This provides strong logical security separation at a high level, while each of these VMs can be secured at the OS level with the fine-grained SELinux controls.

There seems to be a lot of research interest in security models for the hypervisor itself. The Xen tree includes a port of the sHype access control framework, which allows different models to be implemented in a similar manner to LSM. This is fun stuff, and certainly interesting for some very specific usage scenarios, but it’s not entirely clear to me yet how such a security framework can be made more generally useful.