Re: security: the qemu agent command "guest-exec" may cause Insider Access

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 08/25/2017 12:41 PM, Martin Kletzander wrote:
> On Fri, Aug 25, 2017 at 10:29:03AM +0000, Zhangbo (Oscar) wrote:
>>>
>>> Host can read all of the guest's memory or mount the image and modify
>>> the guest agent.  Or even add their own communication program that can
>>> do anything.
>>>
>>
>> I get your point now! :)  Thanks a lot!!
>>
>> Further more,  kvm seems not as secure as xen, because xen isolates
>> dom0 and domU well,
>> The administrator on dom0 couldn't access many things belonged to domUs.
>> How to solve such problem in kvm? Any scheme?
> 
> I don't know xen much, but maybe AMD SEV or everything-signed-by TPM
> would help...

I'm no HW guy, but SEV looks like protection against physical attacks,
i.e. a guy working for some government agency walking around your server
room with a load of liquid gas. At first Intel's SGX [1] looked
promising, but apparently it's flawed. So currently I don't think
there's anything we can do. Except not give out root access to everyone.

Michal

1: https://en.wikipedia.org/wiki/Software_Guard_Extensions

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]
  Powered by Linux