Questions about qubes s hypervisor of choice.
113 views
Skip to first unread message
blacklight
Oct 19, 2017, 4:28:01 AM10/19/17
to qubes-devel
We all know well why xen was chosen as the hypervisor for qubes instead of kvm, since this has been stated in multiple places by the devs. But i wonder how feasable it would be to use bhyve as a hypervisor for qubes. Ive read that it only uses roughly 30k lines of code, so its smaller then xen which is good since less code means less attack surface right? and seems to support vt-d and vt-x. Also its made by the freebsd theme, which are known for the high coding standards. Would it be possible to run qubes with bhyve instead of xen? If not, why?
I would love some info on this :)
Greetings, blacklight447
(P.S. i posted this in both qubes users and devel because is wasnt sure where these kind of questions should be posted, feel free to correct me if needed)
je
Oct 27, 2017, 1:09:07 AM10/27/17
to qubes-devel
Bhyve has a similar architecture than KVM. bhyve has maybe only 30k lines of code, but it requires FreeBSD to work, because bhyve reuses functionalities from the kernel. Therefore, it is not enough to count only the lines of code of bhyve you have to add all the lines of code from the FreeBSD kernel.
> Less code means less attack surface right?
Less code does not mean a smaller attack surface. Using lines of code as a measurement can be quite problematic, because the lines of code do not say anything about: the code quality, test coverage or documentation of the code. For example, you can write an entire program in C in one single line of code. Which results in code which is hard to read. On the other hand a one can write small amount of code and then add hundreds of lines of code of tests and documentation to a project.
> Would it be possible to run Qubes with bhyve instead of Xen?
Yes, it would be possible to use bhyve instead of Xen. The explicit partitioning security model does not rely on a particular hypervisor as Joanna Rutkowska pointed out in this blog post: https://www.qubes-os.org/news/2017/10/03/core3/ . The only requirement for the explicit partitioning security model is the isolation of domains (compartment). However, the problem in using bhyve from a practical perspective is the amount of work which would be necessary to port all the tools to FreeBSD and integrate them with bhyve. Unless you or somebody else takes the time to integrate the GUI agent, file copy and move tools etc. for bhyve, using Qubes together with bhyve is not possible.
> Less code means less attack surface right?
Less code does not mean a smaller attack surface. Using lines of code as a measurement can be quite problematic, because the lines of code do not say anything about: the code quality, test coverage or documentation of the code. For example, you can write an entire program in C in one single line of code. Which results in code which is hard to read. On the other hand a one can write small amount of code and then add hundreds of lines of code of tests and documentation to a project.
> Would it be possible to run Qubes with bhyve instead of Xen?
Yes, it would be possible to use bhyve instead of Xen. The explicit partitioning security model does not rely on a particular hypervisor as Joanna Rutkowska pointed out in this blog post: https://www.qubes-os.org/news/2017/10/03/core3/ . The only requirement for the explicit partitioning security model is the isolation of domains (compartment). However, the problem in using bhyve from a practical perspective is the amount of work which would be necessary to port all the tools to FreeBSD and integrate them with bhyve. Unless you or somebody else takes the time to integrate the GUI agent, file copy and move tools etc. for bhyve, using Qubes together with bhyve is not possible.
Reply all
Reply to author
Forward
0 new messages