> Hi Paolo,
> thanks for the document. I read it briefly and the design itself seems
> good however in the document you mentioned moving the logic from
> user-space to kernel-space which I'm not sure how would you like to
> achieve this since libvirt itself is in the user-space stack and not
> kernel-space. For having some implementation of those things directly in
> the kernel-space you would require to modify the kernel on the host
> itself which would be very similar to Xen that requires modified kernel
> - Xen kernel. This introduces some issues there since if you're not able
> to make it be merged into the upstream kernel tree then you'll be having
> the same issues like Xen does. If you implement this as a kernel-module
> and also if you make the module upstream accepted then you'll be most
> likely fine however you need upstream acceptance of the module or
> provide the source code for the module somewhere to be recompiled for
> the kernel the user is having.
>
> What exactly would you like to move to the kernel-space?
>
> Thanks,
> Michal
>

Hi Michal!

To reduce the implementation time and quickly verify whether our project is feasible, we decided to implement the prototype using the simplest user-space applications (VTun, Open vSwitch). To increase security, we would like to move all security components into kernel space. We want to migrate from user space to kernel space not by defining new kernel modules or modifying existing ones, but by using already defined applications that perform our security requirements in kernel space. For instance, we have defined an application which filters all received packets (by analyzing the VLAN tags) before they are received by the switch. We think that the filtering may be executed by using the SELinux labels. About tunneling, we want to remove VTun from our framework and set up the 'gretap' interfaces directly.

Any other questions are welcome!

Paolo

--
PAOLO SMIRAGLIA
Department of Control and Computer Engineering
Polytechnic University of Turin
Email: paolo.smiraglia@xxxxxxxxx
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
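
The VLAN-tag filtering mentioned in the reply above, sketched in user space as an added example; it is not code from the original message or from the project it describes. The function names, the allowed-VLAN set and the default-deny policy (untagged, stacked and truncated frames are dropped) are assumptions, and the frames are constructed test data.

```python
import struct

ETH_HLEN = 14                      # dst MAC (6) + src MAC (6) + EtherType (2)
TPID_8021Q = 0x8100                # customer VLAN tag
TPID_8021AD = 0x88A8               # service tag (outer tag of a stacked pair)
VLAN_TPIDS = {TPID_8021Q, TPID_8021AD}


def vlan_ids(frame: bytes) -> list[int]:
    """Return the VLAN IDs of all stacked tags, outermost first.

    Raises ValueError when the frame is too short for the headers it claims.
    """
    if len(frame) < ETH_HLEN:
        raise ValueError("truncated Ethernet header")
    ids, offset = [], 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in VLAN_TPIDS:
        if len(frame) < offset + 6:  # TPID + TCI + next EtherType
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        ids.append(tci & 0x0FFF)     # low 12 bits of the TCI are the VLAN ID
        offset += 4
    return ids


def accept(frame: bytes, allowed: set[int]) -> bool:
    """Default-deny (assumed policy): pass only single-tagged frames on an
    allowed VLAN, so an inner tag cannot carry a frame past the check."""
    try:
        ids = vlan_ids(frame)
    except ValueError:
        return False
    return len(ids) == 1 and ids[0] in allowed


def make_frame(*tags: tuple[int, int], payload: bytes = b"\x00" * 46) -> bytes:
    """Build a constructed test frame; tags are (TPID, TCI) pairs."""
    hdr = bytes.fromhex("020000000002") + bytes.fromhex("020000000001")
    for tpid, tci in tags:
        hdr += struct.pack("!HH", tpid, tci)
    return hdr + struct.pack("!H", 0x0800) + payload
```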