Reduce PV hypercall interface for Xen stubdomains

Description

OpenXT and Qubes use Linux stubdomains instead of mini-OS stubdomains. Linux is well supported, but it is larger than mini-OS and adds the overhead of user/kernel switching. Red Hat has experimental work underway on Linux unikernels.

Stubdomains run on software-managed (non-HAP) shadow page tables and are affected by the L1TF vulnerability. They are also exposed to the hypervisor's entire PV interface, which exists to support legacy guests. This is an impedance mismatch:

  • Stubdomain software is supplied by the platform provider and refreshed on the platform update cycle, not the guest refresh cycle

  • Stubdomains should not require legacy PV interface items that exist only to support old guests

  • Stubdomain security would improve with a much narrower, use-case specific hypervisor ABI

  • Stubdomains increase the hypervisor attack surface, since they add the PV hypercall interface to the guest's HVM hypercall interface

In OpenXT, XSM/Flask can restrict stubdomain access to a subset of Xen's PV hypercall interface; the restriction takes effect once the toolstack assigns stubdomains an XSM label. The XSM policy in upstream Xen needs a policy module written for Linux stubdomains, and libxl needs to label them correctly.
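Writing a narrow Flask policy for a stubdomain type means finding out which hypercall permissions the stubdomain kernel and QEMU actually use, and Xen ships no audit2allow equivalent. The script below is an added example, not OpenXT or upstream Xen code: it parses the AVC denial lines that Xen's Flask module writes to the hypervisor console ring (as read with `xl dmesg`) and aggregates them into `allow` rules in the syntax of tools/flask/policy/modules/*.te, with the self-targeted `mmu` rules (the PV page-table hypercalls an HVM/PVH domain would never issue) separated out for review. The line format is assumed from xen/xsm/flask/avc.c, the type name `stubdom_t` is a hypothetical label for Linux stubdomains, and the sample `xl dmesg` lines are constructed for the example.

```python
"""avc2allow: turn Xen Flask AVC denials into candidate policy rules.

Added example (not OpenXT or Xen project code). Assumes the AVC line format
emitted by xen/xsm/flask/avc.c:
  avc:  denied  { perm ... } for domid=N [target=M] scontext=u:r:t tcontext=u:r:t tclass=CLASS
"""
import re
import sys
from collections import defaultdict

# One denial line; "(XEN) " prefixes and any attributes between "for" and
# "scontext=" (domid, target, ...) are tolerated.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<attrs>.*?)\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample of what `xl dmesg` might show after running a guest
# whose Linux stubdomain was labelled stubdom_t with Flask in permissive mode.
SAMPLE_DMESG = """\
(XEN) avc:  denied  { updatemp } for domid=3 scontext=system_u:system_r:stubdom_t tcontext=system_u:system_r:stubdom_t tclass=mmu
(XEN) avc:  denied  { map_read map_write } for domid=3 target=2 scontext=system_u:system_r:stubdom_t tcontext=system_u:system_r:domU_t tclass=mmu
(XEN) avc:  denied  { getparam setparam } for domid=3 target=2 scontext=system_u:system_r:stubdom_t tcontext=system_u:system_r:domU_t tclass=hvm
(XEN) avc:  denied  { pinpage } for domid=3 scontext=system_u:system_r:stubdom_t tcontext=system_u:system_r:stubdom_t tclass=mmu
(XEN) avc:  denied  { setdomainmaxmem } for domid=0 target=3 scontext=system_u:system_r:dom0_t tcontext=system_u:system_r:stubdom_t tclass=domain
(XEN) Domain 3 (vcpu#0) crashed on cpu#1:
"""


def context_type(ctx):
    """Return the type field of a user:role:type security context."""
    return ctx.split(":")[2]


def parse_avc_lines(lines):
    """Yield (source_type, target_type, tclass, [perms]) for each denial."""
    for line in lines:
        m = AVC_RE.search(line)
        if not m or m.group("result") != "denied":
            continue  # not an AVC line, or a granted/audit line
        yield (context_type(m.group("scontext")),
               context_type(m.group("tcontext")),
               m.group("tclass"),
               m.group("perms").split())


def collect_rules(lines):
    """Aggregate denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_lines(lines):
        rules[(stype, ttype, tclass)].update(perms)
    return dict(rules)


def filter_source(rules, stype):
    """Keep only rules whose source type is stype (e.g. the stubdomain label)."""
    return {k: v for k, v in rules.items() if k[0] == stype}


def pv_self_mmu_rules(rules):
    """Rules where a domain touches its own page tables via the mmu class.

    These are the PV-only hypercalls (mmu_update, mmuext_op pinning, ...)
    that this issue wants to narrow; they deserve a manual review rather
    than a blanket allow.
    """
    return {k: v for k, v in rules.items() if k[2] == "mmu" and k[0] == k[1]}


def render_rules(rules):
    """Render rules in the .te syntax used by the Xen Flask policy modules."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if ttype == stype else ttype
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out


if __name__ == "__main__":
    # Usage: xl dmesg | python3 avc2allow.py stubdom_t   (falls back to the sample)
    label = sys.argv[1] if len(sys.argv) > 1 else "stubdom_t"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    rules = filter_source(collect_rules(text.splitlines()), label)
    print("# candidate rules for", label)
    print("\n".join(render_rules(rules)))
    print("# review before allowing (PV page-table surface):")
    print("\n".join(render_rules(pv_self_mmu_rules(rules))))
```

The intended loop is: boot Xen with `flask=permissive` on the hypervisor command line, give the guest `device_model_stubdomain_seclabel="system_u:system_r:stubdom_t"` in its xl config (the type must already exist in the loaded policy), exercise the guest, then feed `xl dmesg` through the script. Treat the generated rules as a starting point, not a policy: a permission that shows up only because the stubdomain kernel still probes legacy PV facilities is exactly the kind of thing this issue argues should be removed from the stubdomain rather than allowed. Once the module compiles and the guest runs cleanly, reboot with `flask=enforcing`.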

Validation Steps

None

Assignee

Unassigned

Reporter

Rich Persaud

Labels

None

QA Assignee

None

QA Image URL

None

Epic Link

Priority

Major