On Sun Apr 11, 2021 at 4:57 AM PDT, Alyssa Ross wrote:
In Spectrum, we want the host kernel to include as few drivers as possible, to reduce attack surface. To accomplish this, we need to move as much hardware interaction as possible into VMs. This series introduces proof-of-concept network hardware isolation by passing through network devices to a VM, and having that VM handle all interaction with that hardware instead of the host system.
[snip]
Alyssa Ross (16):
  linux: enable Xen everywhere it can be
  cloud-hypervisor: 0.8.0 -> 0.14.1
  mdevd: init at 0.1.3.0
  spectrumPackages.linux_vm: fix cloud-hypervisor hotplug
  spectrumPackages.linux_vm: allow config overrides
  crosvm: support setting guest MAC from --tap-fd
  spectrumPackages: export makeRootfs
  spectrumPackages.rootfs: add s6-rc support
  spectrumPackages.rootfs: make /var/lib and /var/run
  spectrumPackages.rootfs: add dbus configuration
  spectrumPackages.rootfs: add connman dbus services
  spectrumPackages.sys-vms.comp: init
  spectrumPackages.makeRootfs: move to default.nix
  spectrumPackages.sys-vms.net: init
  spectrumPackages.sys-vms.app: init
  spectrumPackages.spectrum-testhost: init
 .../cargo-lock-vendor-fix.patch                    |  53 ----
 .../cloud-hypervisor/default.nix                   |  15 +-
 ...upport-setting-guest-MAC-from-tap-fd.patch      | 294 ++++++++++++++++++
 .../linux/chromium-os/crosvm/default.nix           |   1 +
 .../linux/kernel/common-config.nix                 |  13 +-
 pkgs/os-specific/linux/kernel/patches.nix          |   9 +
 pkgs/os-specific/linux/mdevd/default.nix           |  28 ++
 pkgs/os-specific/linux/spectrum/default.nix        |   6 +-
 pkgs/os-specific/linux/spectrum/linux/vm.nix       |   7 +-
 .../linux/spectrum/rootfs/default.nix              |  92 +++--
 .../linux/spectrum/rootfs/etc/group                |   1 +
 .../linux/spectrum/rootfs/etc/passwd               |   1 +
 .../linux/spectrum/rootfs/generic.nix              |  48 ---
 .../linux/spectrum/rootfs/rc-services.nix          |  26 ++
 .../linux/spectrum/rootfs/stage1.nix               |  25 +-
 .../linux/spectrum/spectrum-vm/default.nix         |   6 +-
 .../linux/spectrum/testhost/default.nix            | 205 ++++++++++++
 .../linux/spectrum/vm/app/default.nix              |  63 ++++
 .../linux/spectrum/vm/comp/default.nix             |  86 +++++
 .../os-specific/linux/spectrum/vm/default.nix      |   9 +
 .../linux/spectrum/vm/net/default.nix              | 165 ++++++++++
 pkgs/top-level/aliases.nix                         |   6 +
 pkgs/top-level/all-packages.nix                    |  12 +-
 23 files changed, 976 insertions(+), 195 deletions(-)
 delete mode 100644 pkgs/applications/virtualization/cloud-hypervisor/cargo-lock-vendor-fix.patch
 create mode 100644 pkgs/os-specific/linux/chromium-os/crosvm/0001-crosvm-support-setting-guest-MAC-from-tap-fd.patch
 create mode 100644 pkgs/os-specific/linux/mdevd/default.nix
 delete mode 100644 pkgs/os-specific/linux/spectrum/rootfs/generic.nix
 create mode 100644 pkgs/os-specific/linux/spectrum/rootfs/rc-services.nix
 create mode 100644 pkgs/os-specific/linux/spectrum/testhost/default.nix
 create mode 100644 pkgs/os-specific/linux/spectrum/vm/app/default.nix
 create mode 100644 pkgs/os-specific/linux/spectrum/vm/comp/default.nix
 create mode 100644 pkgs/os-specific/linux/spectrum/vm/default.nix
 create mode 100644 pkgs/os-specific/linux/spectrum/vm/net/default.nix
-- 2.30.0
Thanks for the beautiful cover letter. Such a great amount of detail
and information brings a tear to my eye!
Each individual patch reviewed-by me, nothing stood out as weird or
wrong or bad or whatever. I only tested the final result, not each
individual patch.
Reviewed-by: Cole Helbling