'[qubes-devel] Re: Running (or not) Xen during installation'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       qubes-devel
Subject:    [qubes-devel] Re: Running (or not) Xen during installation
From:       Joanna Rutkowska <joanna () invisiblethingslab ! com>
Date:       2016-11-05 8:46:05
Message-ID: 20161105084604.GC16325 () work-mutt
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Thu, Nov 03, 2016 at 09:13:26PM +0100, Marek Marczykowski wrote:
> Hi,
> 
> Currently Qubes OS installer is starting full Xen + Linux dom0 to
> perform installation. On one hand it is good, because it is obvious at
> this early stage if hardware is not compatible (especially display
> driver and its cooperation with Xen). But on another hand, it is IMHO
> much easier to fix such problems having the system already installed.
> When even installer does not start, in most cases the only alternative
> is trying other installer (in extreme case - building custom
> installation image). Also, starting Xen for installation require some
> effort when preparing the installer (see below).
> 
> Initially running Xen was needed because all qubes tools crashed when
> running without it - for example most of the tools do check running VM
> list and of course there is no such thing when running without Xen.
> But since Qubes OS 3.0, it is no longer the case - we have introduced so
> called "offline mode" to perform those few tasks (create initial
> qubes.xml, register installed template(s) etc) without need to launch
> libvirt daemon in chroot environment there. All the tasks really
> requiring Xen running are performed during first boot.
> 
> Long story short - technically Xen is no longer needed during
> installation of Qubes OS. Or at least is very close to such state.
> 
> So, now the question - do we want to keep launching Xen for
> installation, or launch just plain Linux?
> 
> Benefits of keeping Xen:
> - earlier (negative) confirmation of hardware compatibility
> - possibility of (re-)introducing later something that require Xen \
> running during installation
> - rescue mode have Xen running (but not libvirt), which may ease some
> tasks
> - no need to change anything related to ISO build, at least not right
> now
> 
> Benefits of dropping Xen:
> - no longer limited to 32MB of initrd for UEFI boot[1]
> - easier starting installation in non standard environment (network
> boot, non standard installation media)
> - ability to use almost any tool to write USB installation image (most
> of them, like unetbootin, generously setup a bootloader to launch
> _linux_ image found in the ISO image)
> - better changes to install on not perfectly compatible hardware and
> easier way to adjust the system afterwards (like - get at least
> command line access and upgrade the kernel)
> - less work when upgrading to new installer version (as part of
> upgrading dom0 distribution)
> 
> [1]
> https://github.com/QubesOS/qubes-issues/issues/794#issuecomment-135988806
> 
> PS I'm writing this exactly because of the ticket linked above - I hit
> this problem again when building some Qubes OS 4.0 test images...
> 

In the long term, we would like to maintain *full* isolation of most of the \
PCIe devices (so DMA and MSI capable) from the TCB (perhaps except for the \
MCH pseudo devs).

This should be maintained throughout the whole boot process, starting from \
the reset vector. I don't think running Linux would allow us to achieve \
that. So, we should aim at keeping Xen, and in the future, when we have \
better firmware to work with (Coreboot?) make sure that at no point in time \
any of the untrusted PCIe, such as your WiFi NIC, can interfere with the \
boot process.

joanna.
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJYHZxMAAoJEDOT2L8N3GcYXSwP/1adPL/1OCEV1BVsnBiNvTsf
gNdYZcND3sWdT7185d9W/seUvQiW5QHcr9tJd0uoI/2WSNMeDVU6oyLRW2AdcUZu
IDgyjhqq1EFRorVqyIcXg23Xv25wcM5KqsxqZqLseGyUIB7+zlJMFK9meBYsD2VJ
XTRl0CnevBkX6cdDUWejz7iDj4X2PUehe+onkAK0ptBfudqsiw9WGhEDQB5A/BJC
LK3weIeVckZ6tgfqzljWA3c7MwFb6NY8j+A28gU2oSWssKauIeny9vTtsD2p+63h
MSzvBQSQWO+mfeXnB4ZfDPARnZ54+A3mWGY3pb3sT55+e8jR5LKao29pDoAqRrod
M911vht2PSWoQwWxTZ9QdRrX9ykBju+yHbgqRSFIyVl/1kdW5vS84xUP7t790sMO
4DvaoyOYYoz+hHPKmCdX5JFZDaLQKPI5l9aYcZdkrVxtFg4GMPvEg1AE/JMP+pm/
mcbZqDXhNbkgEbhVMDpM6LnKTkbHITgL1Jr6OUuIErqj57nAsGe99woRtUmrZfzU
z6/ZNwQFjgyFg4IC3dRqPK0Mrd4pbI3Cs8VPNO9dGQBObCE6WeUgRU78Wh/Xj0pU
Cqcrvz7EsgdCvi2E3x2DCjPsBzmm4WG3K+Xt7fmivBY+dzornwzN9iHABIBxkRjV
AvLXdvygO4jKP/etHBfX
=E7HD
-----END PGP SIGNATURE-----

-- 
You received this message because you are subscribed to the Google Groups \
"qubes-devel" group. To unsubscribe from this group and stop receiving \
emails from it, send an email to qubes-devel+unsubscribe@googlegroups.com. \
To post to this group, send email to qubes-devel@googlegroups.com. To view \
this discussion on the web visit \
https://groups.google.com/d/msgid/qubes-devel/20161105084604.GC16325%40work-mutt.
 For more options, visit https://groups.google.com/d/optout.


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic