Date: Wed, 14 Apr 2021 23:56:49 +0000
From: Alyssa Ross
To: Cole Helbling
Subject: Re: [PATCH nixpkgs 00/16] Inter-guest networking
Message-ID: <20210414235649.p675xohecm6lyyux@x220.qyliss.net>
CC: devel@spectrum-os.org

"Cole Helbling" writes:

> On Sun Apr 11, 2021 at 4:57 AM PDT, Alyssa Ross wrote:
>> In Spectrum, we want the host kernel to include as few drivers as
>> possible, to reduce attack surface. To accomplish this, we need to
>> move as much hardware interaction as possible into VMs. This series
>> introduces proof-of-concept network hardware isolation by passing
>> through network devices to a VM, and having that VM handle all
>> interaction with that hardware instead of the host system.
>
> [snip]
>
>> Alyssa Ross (16):
>>   linux: enable Xen everywhere it can be
>>   cloud-hypervisor: 0.8.0 -> 0.14.1
>>   mdevd: init at 0.1.3.0
>>   spectrumPackages.linux_vm: fix cloud-hypervisor hotplug
>>   spectrumPackages.linux_vm: allow config overrides
>>   crosvm: support setting guest MAC from --tap-fd
>>   spectrumPackages: export makeRootfs
>>   spectrumPackages.rootfs: add s6-rc support
>>   spectrumPackages.rootfs: make /var/lib and /var/run
>>   spectrumPackages.rootfs: add dbus configuration
>>   spectrumPackages.rootfs: add connman dbus services
>>   spectrumPackages.sys-vms.comp: init
>>   spectrumPackages.makeRootfs: move to default.nix
>>   spectrumPackages.sys-vms.net: init
>>   spectrumPackages.sys-vms.app: init
>>   spectrumPackages.spectrum-testhost: init
>>
>>  .../cargo-lock-vendor-fix.patch               |  53 ----
>>  .../cloud-hypervisor/default.nix              |  15 +-
>>  ...upport-setting-guest-MAC-from-tap-fd.patch | 294 ++++++++++++++++++
>>  .../linux/chromium-os/crosvm/default.nix      |   1 +
>>  .../linux/kernel/common-config.nix            |  13 +-
>>  pkgs/os-specific/linux/kernel/patches.nix     |   9 +
>>  pkgs/os-specific/linux/mdevd/default.nix      |  28 ++
>>  pkgs/os-specific/linux/spectrum/default.nix   |   6 +-
>>  pkgs/os-specific/linux/spectrum/linux/vm.nix  |   7 +-
>>  .../linux/spectrum/rootfs/default.nix         |  92 +++---
>>  .../linux/spectrum/rootfs/etc/group           |   1 +
>>  .../linux/spectrum/rootfs/etc/passwd          |   1 +
>>  .../linux/spectrum/rootfs/generic.nix         |  48 ---
>>  .../linux/spectrum/rootfs/rc-services.nix     |  26 ++
>>  .../linux/spectrum/rootfs/stage1.nix          |  25 +-
>>  .../linux/spectrum/spectrum-vm/default.nix    |   6 +-
>>  .../linux/spectrum/testhost/default.nix       | 205 ++++++++++++
>>  .../linux/spectrum/vm/app/default.nix         |  63 ++++
>>  .../linux/spectrum/vm/comp/default.nix        |  86 +++++
>>  .../os-specific/linux/spectrum/vm/default.nix |   9 +
>>  .../linux/spectrum/vm/net/default.nix         | 165 ++++++++++
>>  pkgs/top-level/aliases.nix                    |   6 +
>>  pkgs/top-level/all-packages.nix               |  12 +-
>>  23 files changed, 976 insertions(+), 195 deletions(-)
>>  delete mode 100644 pkgs/applications/virtualization/cloud-hypervisor/cargo-lock-vendor-fix.patch
>>  create mode 100644 pkgs/os-specific/linux/chromium-os/crosvm/0001-crosvm-support-setting-guest-MAC-from-tap-fd.patch
>>  create mode 100644 pkgs/os-specific/linux/mdevd/default.nix
>>  delete mode 100644 pkgs/os-specific/linux/spectrum/rootfs/generic.nix
>>  create mode 100644 pkgs/os-specific/linux/spectrum/rootfs/rc-services.nix
>>  create mode 100644 pkgs/os-specific/linux/spectrum/testhost/default.nix
>>  create mode 100644 pkgs/os-specific/linux/spectrum/vm/app/default.nix
>>  create mode 100644 pkgs/os-specific/linux/spectrum/vm/comp/default.nix
>>  create mode 100644 pkgs/os-specific/linux/spectrum/vm/default.nix
>>  create mode 100644 pkgs/os-specific/linux/spectrum/vm/net/default.nix
>>
>> --
>> 2.30.0
>
> Thanks for the beautiful cover letter. Such a great amount of detail
> and information brings a tear to my eye! <3
> Each individual patch reviewed-by me, nothing stood out as weird or
> wrong or bad or whatever. I only tested the final result, not each
> individual patch.
>
> Reviewed-by: Cole Helbling
> Tested-by: Cole Helbling

Thanks! Committed as 583eb604ce3.