On 2015-04-27 10:35, Uri Lublin wrote:
On 04/27/2015 11:38 AM, Frediano Ziglio wrote:
A secure clipboard is nice to have becuase there's no tradeoff
between
convenience and safety. A vm can read the global clipboard only when
you
want it. The Xen based Qubes has it and I don't see why KVM's spice
and
libvirt can't. Here is how they did it:
slide 10 from
https://events.linuxfoundation.org/sites/events/files/slides/LinuxCon_2014_Qubes_Tutorial.pdf
Challenge: copy clipboard from VM Alice to VM Bob, dont let VM
Mallory to learn
its content in the meantime
Solved by introducing Qubes global clipboard to/from which
copy/paste is
explicitly
controlled by the user (Ctrl-Shift-C, Ctrl-Shift-V)
Requires 4 stages:
Ctrl-C (in the source VM)
Ctrl-Shift-C (tells Qubes: copy this VM buffer into global clipboard)
Ctrl-Shift-V (in the destination VM: tells Qubes: make global
clipboard
available to this VM)
Ctrl-V (in the destination VM)
Ctrl-Shift-C/V cannot be injected by VMs (unspoofable key combo).
In practice almost as fast as traditional 2-stage copy-paste (dont
freak
out! ;)
Thanks for suggesting that.
Thanks for your interest.
More technical explanation
https://www.qubes-os.org/doc/CopyPaste/
Would not easier for user and for us to implement just Ctrl-Shift-C/V
?
Frediano, I'm not following what you suggest here.
Do you mean implement just one operation of the two ?
Today we have two-stage copy/paste support: following steps 1 and 4
above. Note that those steps involve applications on
the guest.
Steps 2,3 are done automatically when clipboard operation is requested.
The suggestion is to do steps 2,3 only upon specific request.
The idea is:
- spice client see the Ctrl-Shift-C
- spice send a command to agent
- agent inject a Ctrl-C to copy to guest clipboard
- agent detect new clipboard and copy to global one (as it knows was a
Ctrl-Shift-C)
Or could be implemented by spice client instead of the agent (just
having a vm clipboard copied from the agent and a global one)
Thanks,
Uri.
The same concept can be applied to file drag n' drop feature in spice
for safe interVM and guest-host file copying. Its too early to mention
but it can help in the planning phase to make a generic solution for
other data
and not just text.
Spice already has a drag and drop implementation of its own so I'm
citing qubes design docs about secure filecopy out of interest not
relevance. The architecture is different and relies on shared intervm
memory and converting the data into a cpio-like format. Similar to xen
shared memory is the KVM device ivshmem.
https://www.qubes-os.org/doc/Qfilecopy/
https://www.qubes-os.org/doc/CopyingFiles/
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel