Just few notes: I believe that getting rid of QEMU is rather getting rid of PV domains than getting rid of QEMU itself.
* First, privilege elevation is not much a threat in Qubes. OTOH, VM escape is a fatal threat. * I believe QEMU vulnerabilities typically require some lowlevel access to devices, so those vulnerabilities typically don't allow you to elevate privileges within VM. The difference for most domains: In Q3.2, attacker needs a suitable vulnerability for PV domains implementation. In Q4.0, attacker either needs suitable vulnerabilities for both PV domains implementation and QEMU or a suitable vulnerability for hardware-virtualized domains implementation. In Q4.1, attacker will hopefully need a vulnerability in hardware-virtualized domains implementation. (For sake of simplicity, I consider shared parts as non-vulnerable, so I don't count potential vulnerabilities in GUI daemon, RPC services, hardware etc. I compare just the virtualization itself.) This might not be clear what is more secure. The reason behind the change is that HVM implementation is much less complex (and thus much less error-prone) than PV implementation. As a result, QubesOS 4.1 (or whatever version that brings PVH) is expected to be more secure that Qubes 3.2 and Qubes 4.0. The situation in Qubes 4.0 is a bit controversial, but if hardware-virtualization-specific vulnerabilities are rare (and I believe they are), it should be also an improvement (compared to Q3.2). Note that we cannot easily get rid of QEMU completely because of OSes like Windows, ReactOS or other fully-virtualized OSes. This brings a question: Can we get rid of PVs for stubdomains, for example by using PVH for stubdomain? I believe this would be consistent with the attitude of removing PV. I am not sure how hard/easy it is, though. Regards, Vít Šesták 'v6ak' -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To post to this group, send email to qubes-devel@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/f4f65015-9b85-42cd-b71f-1f967f30db1d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
