On Mon, Nov 23, 2015 at 11:15 AM, Thomas Leonard <[email protected]> wrote:
> QubesOS is a security-focused desktop OS that runs multiple isolated
> VMs under Xen. Typically, these run Linux. For example, I use a Fedora
> VM for email and a Debian VM for development.
>
> There is discussion on the qubes mailing list at the moment about
> using unikernel VMs:
>
> https://groups.google.com/forum/#!topic/qubes-users/h03-1hiNMCc
>
> I've written a simple test unikernel [1] that supports Qubes' qrexec
> protocol. This allows other domains to send command requests to the
> VM. If approved by the dom0 policy, a two-way channel (stdin/stdout)
> is established between the requesting VM and the unikernel. qrexec is
> built on top of vchan, which was easy to support thanks to David
> Scott's ocaml-vchan library.
>

A small nitpick: although I've written a lot of vchan code recently, the original fully-working version was by Vincent Bernadoff (vbmithr on github).

Apart from that, awesome -- makes me want to buy a PC laptop and install Qubes :-)

Cheers,
Dave

>
> I've also written a tool [2] to let you upload unikernels built in an
> AppVM to dom0 and run them easily.
>
> For example:
>
> $ mirage configure --xen
> $ make
> $ test-mirage mir-qubes-test.xen
> Waiting for 'Ready'... OK
> Uploading 'mir-qubes-test.xen' (4187256 bytes)
> Waiting for 'Booting'... OK
> --> Creating volatile image:
> /var/lib/qubes/appvms/mirage-test/volatile.img...
> --> Loading the VM (type = AppVM)...
> --> Starting Qubes DB...
> --> Setting Qubes DB info for the VM...
> --> Updating firewall rules...
> --> Starting the VM...
> --> Starting the qrexec daemon...
> Waiting for VM's qrexec agent.connected
> MirageOS booting...
> Initialising timer interface
> Initialising console ... done.
> info: Starting qrexec agent; waiting for client...
> info: Got connection
> info: Handshake done; client version is 2
>
> It currently offers "echo" and "quit" services. e.g. from dom0:
>
> [tal@dom0 bin]$ qvm-run -p --nogui mirage-test echo
> Hi user! Please enter a string:
> Hello
> You wrote "Hello". Bye.
>
> If anyone is interested in helping out, let me know! I've added a
> pioneer project [3] to replace their existing FirewallVM with a Mirage
> unikernel, as one possibility. We also need basic QubesDB support and
> some kind of GUId so that Qubes will believe the VM has started (it
> assumes every VM provides a GUI currently).
>
>
> [1] https://github.com/talex5/qubes-test-mirage
> [2] https://github.com/talex5/mirage-qubes
> [3]
> https://github.com/mirage/mirage-www/wiki/Pioneer-Projects#qubes-firewallvm
>
>
> --
> Dr Thomas Leonard http://roscidus.com/blog/
> GPG: DA98 25AE CAD0 8975 7CDA BD8E 0713 3F96 CA74 D8BA
>
> _______________________________________________
> MirageOS-devel mailing list
> [email protected]
> http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel
>

--
Dave Scott
