441 points ploggingdev | 8 comments
snvzz No.15734641
Their weakest point is the hypervisor, Xen, which while a better choice than Linux/KVM, is still extremely bloated and has a poor security history.

Thankfully, better designs such as seL4's VMM do exist, although it might need a little more work [1] until usable for the purpose.

[1] https://sel4.systems/Info/Roadmap/

1. dijit No.15734676
Could you clarify "Better choice"?

I've been using KVM/Xen/VMware for some time and always enjoyed it. And since Amazon and Google especially are going all in on KVM, I'm surprised to hear that Xen is a better choice.

2. hennsen No.15734758
Amazon is going KVM?
3. hennsen No.15734776
Ah - https://www.theregister.co.uk/2017/11/09/aws_deletes_new_hyp...

Sorry for not googling before asking...

4. snvzz No.15734812
>Could you clarify "Better choice"?

KVM is, like VMware, a Type 2 hypervisor. [1]

Xen is a proper Type 1 hypervisor.

[1] https://microkerneldude.wordpress.com/2010/10/14/much-ado-ab...

5. theossuary No.15734912
Why is a type 1 hypervisor instantly considered more secure though? I'd assume using Linux, instead of rolling your own code to interface with hardware, would make you more secure?
6. aleden No.15735038
It should be noted that KVM supports many different archs, and it lives inside the mainline Linux kernel while VMware's kernel modules are out-of-tree. I think this fact is an important difference (also that qemu-system-* are open-source, while vmware is not).
7. snvzz No.15735096
In the Linux vs Xen example, the TCB is much bigger with Linux. The idea is to keep the TCB as small as possible, with an emphasis on restricting the code size that's actually running privileged.
8. monocasa No.15736268
seL4's virtualization support makes it a type 2 hypervisor. Akaros too, which IMO has the right model for virtualization with its 'VM threads' concept. All 'type 2' really means is that the kernel directly supports running threads in ring 3 in addition to ring 0.

I guess it's your use of 'proper' that bugged me.