-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On Fri, Mar 03, 2023 at 01:41:56PM +0100, Keno Goertz wrote: > Hello everyone, > > I'm writing because I'm interested to work on FreeBSD jails as an > alternative to Xen for isolation in QubesOS. And I have some questions > about it, that someone on this list can maybe find the time to answer. > > I recently learned about FreeBSD's jails, which provide isolation > similar to a chroot environment, but with proper virtualization of the > file system, the set of users and the networking subsystem. > > https://docs.freebsd.org/en/books/handbook/jails/ > > I've also read about Joanna's vision of Qubes air here. > > https://www.qubes-os.org/news/2018/01/22/qubes-air/ > > Joanna argues that using Xen to achieve the separation is not really at > the essence of Qubes, and she shows how the cloud or seperate raspberry > Pis could also be used for this purpose in a future version of Qubes.
Indeed it is not. > Along the same train of thought, it should be possible to build on top > of FreeBSD's jails, right? It absolutely should be. > This is something that I would have interest > in doing some work on, perhaps as part of my master thesis. My main > motivation is to have a version of QubesOS with lower overhead on the > virtualization technology. I'm aware that there may be differences in > the protection offered for e.g. attacks on speculative execution between > using Xen or FreeBSD's jails for the isolation. There are two major limitations: 1. FreeBSD is a monolithic kernel, so jails do nothing to sandbox device drivers or the Wi-Fi or USB protocol stacks. One can use PCI pass-through with bhyve or (you guessed it) Xen, though. 2. The not-very-hardened FreeBSD kernel has much more attack surface than the Xen hypervisor. To somewhat mitigate this, I recommend: - Considering HardenedBSD vs FreeBSD. - Using a non-vnet jail inside a vnet jail, with the non-vnet jail not allowed to create other jails. This avoids some of the nasty problems with non-vnet jails without allowing the code in the jail to reconfigure the jail’s own networking stack. - Using strict devfs rulesets that only allow access to a bare minimum of devices. - Denying as many privileges from the jail’s root as is practical. - Using a kernel compiled without e.g. COMPAT_FREEBSD32. - Disabling support for protocols such as SCTP. > So I don't think one > technology would make the other useless, but rather that they would be > two options to choose from depending on the threat model. It could also be useful for testing purposes. FreeBSD has sufficient Xen support to allow one to port the existing tools for Xen-based Qubes to it. Therefore, this would allow one to run jail-based Qubes in Xen-based Qubes, with much lower overhead than nested virtualization (which Xen doesn’t support anyway). Right now, if one wants run the Qubes integration tests, one must use a seperate test machine, which is rather annoying. A jail-based Qubes would allow one to run them from within a qube on the machine one is working on. BTW, FreeBSD can run under Xen as either a dom0 or domU. A good first step might be to implement a FreeBSD template for Xen-based Qubes. That would both be useful in its own right and be a good way to get familiar with the Qubes codebase. > My question is: Is it actually possible to start building this by > implementing the things described under "Under the hood: qubes' > interfaces" in the "Qubes Air" blogpost for FreeBSD jails? Or is there > something missing from the side of QubesOS that first needs some work? > Or do you think this is a stupid idea to begin with? :P It’s not a stupid idea at all! It should definitely be possible, but you might run into various parts of Qubes OS that assume Xen+Linux even though they do not need to. High-quality patches to fix those are welcome. I am also CCing Mariusz Zaborski (aka oshogbo) who is a FreeBSD developer himself and knows way more about FreeBSD than I probably ever will. - -- Sincerely, Demi Marie Obenour (she/her/hers) Invisible Things Lab -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmQCoIUACgkQsoi1X/+c IsFC6g//fW7mvNqN1dAwWj8stluV2UAy6hmUHc246fbqtugtsACWZVe8ha8fDPmm h5TiMQI23YzbgE0S/Y7jieLCWks+PF9hY+QJdceNSAFxlNeDXjokWsfRvf3PkcQD HOp3wrQsklx4mHjiSMf/HkLypSKdeOAVA9nqECC8xZWvCiBGdkGeBXFpWy/R08WY ChhCK6FmlK7fE93w009p/hxdcwJfFMK6vLIwpywsz/PEo+ifrujzt/LB50kHIhWW 8VWqhNisLi9uJzCEkK5XhO26QlLQlJqokz5+dxFz79mpNLUu8WjFp+uaF1femDAq jKtl+eZZIjOLyJg8m9nn81yYWqUl6sdCa9Qeo5uEm/zwBrRhQ0RF3PnFQ6Rb7Tao K/tZpQloikWxZdIsVBDtXswqD00LTB0MKFP5rRQWXgyfDRnJLpeuIxa5kwhaWAe6 dJGaYokVN+CFKO4eamjv9ccHJ0slWzqqdpM4M7eqamvs7+85EWlmGyv5ImL/mnV5 qmssnkFZF/Pn2Xo1kGY2PsewIltqLWW2ZenyOsPKHorcUt2lNGjL/hsXixRX0z7S KT1VnUXjm/+GTC3l2/l96ZXWMT+6QaTwbynBKtA8OMMILtNd7gy43to4wmSvHtRQ eMfxlkRqL91OO14UibFWsWAUY3EJx6Pqz+/ocBxT6J9DZ4ZNrG8= =6NxH -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/ZAKghZ2rUcQvzZZj%40itl-email.