Secure inter-domain communications: Argo vs historical methods


John Smiley

Aug 10, 2019, 5:19:30 PM
to qubes-devel
I’m curious what the Qubes dev community thinks of the Argo inter-domain comms introduced in 4.12. Is it worth considering as a replacement for the current methods used by Qubes?

Marek Marczykowski-Górecki

Aug 10, 2019, 6:23:40 PM
to John Smiley, qubes-devel
There are some key differences between Argo (previously called v4v) and
libxenvchan:
- Argo uses hypercalls for data transfer - larger attack surface on the
hypervisor, but smaller on the target domain
- Argo copies the data between domains, instead of using shared memory,
which may result in worse performance (but libxenvchan copies the data
too, just in different places) - actual impact on performance is
unclear until properly tested
- Using the hypervisor for data copy (Argo) could allow stricter policy
control, but that part is only partially done in the upstream version
(there are vtables for the old v4v version, but it isn't converted to Argo
yet)
- Argo has been an upstream thing only recently, less tooling and drivers are
available (for example the Linux part isn't upstream yet, not sure about
Windows)

The OpenXT project has been using v4v/Argo for a long time - this is where it was
developed. The third property listed above is very tempting and could
warrant a switch, but until it's really available, I don't think it's
worth switching. Also, to make it really worthwhile, memory sharing
between VMs (grant tables) would need to be limited/disabled. Which
would be tricky, as a number of Xen native mechanisms use them (network
devices, block devices) - something that OpenXT uses in a much less
flexible fashion than Qubes.

Some more info:
https://static.sched.com/hosted_files/xensummit19/92/Argo%20and%20HMX%20-%20OpenXT%20-%20Christopher%20Clark%20-%20Xen%20Summit%202019.pdf

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?