On Sun, Sep 27, 2015, at 06:22 PM, Matt Hamilton wrote:
> > On 27 Sep 2015, at 22:57, Theo de Raadt <dera...@cvs.openbsd.org> wrote:
> > 
> >>> On 27 Sep 2015, at 22:38, Eric Furman <ericfur...@fastmail.net> wrote:
> >>> 
> >>> You really don't get it. Running OpenBSD in a VM gives you no
> >>> security benefits of OpenBSD. Your base security will be your
> >>> host, in this case FreeBSD. And on top of that you are running
> >>> a very complex piece of software, the VM. Who knows what
> >>> security holes are in it.
> >> 
> >> 
> >> I do get it. I guess you wrote this before reading my last reply. That
> >> explains the situation.
> >> 
> >> Yes, the base security will be my host. Putting an OpenBSD VM on there
> >> does not (IMHO) significantly decrease the security of that host. I
> >> agree that it is adding complexities and there could be potentially
> >> unforeseen security issues due to the combination. e.g. something like
> >> OpenBSD's ability to generate random numbers could somehow be
> >> affected by the underlying VM that would not be present on bare metal.
> > 
> > Any additional code you run, beyond the minimum, increases your exposure
> 
> Indeed. Which is why you are typing this on a typewriter, right? I mean,
> I don’t know what editor you use, emacs, vi, mg, whatever… but that is
> additional code right? That has increased your attack surface. But you
> deem that an appropriate compromise to absolute security as you want
> feature and convenience.
> 
> > You are so clueless.  It's amazing.
> 
> 
> No. The fact that I have tried an experiment and have a setup that has
> different priorities on its requirements to someone else’s setup or
> requirements is not clueless. It is different. OpenBSD just does not
> offer the functionality (e.g. a large, redundant filesystem, à la ZFS) I
> need to get the job I want to do done on its own. So I need additional
> software to achieve that. End of story. Yes it is a larger attack
> surface, yes it is added complexity. I fully understand that. But I need
> additional software to achieve my end goals.
> 
> This thread started with someone who is starting to learn and wanted to
> know which OS, OpenBSD or FreeBSD would be best for their requirements. I
> don’t feel putting forward an idea that you could run OpenBSD as a VM and
> have both is so unreasonable.

OK, I read your blog. I see you are running this on x86 hardware.
X86 hardware provides NO real hardware virtualization.
You are clueless. Your VM and OpenBSD in the configuration
gives you NO added security. Just convenience. If that's all
you care about, fine, but don't delude yourself into thinking
that you are somehow adding security by running OpenBSD
in this fashion.
VMs give you no added security unless you are running them
on hardware that has been designed for that purpose, such
as IBM mainframes or the AS400. Probably some others
I'm leaving out, but NOT x86 hardware.
Just search for VM and security on the internets and see
what comes up. Secure they are not.
