openbsd vmm vmd update
play

OpenBSD vmm/vmd Update Mike Larkin bhyvecon 2018 09 Mar 2018 - PowerPoint PPT Presentation

Nov 28, 2023 •504 likes •852 views

OpenBSD vmm/vmd Update Mike Larkin bhyvecon 2018 09 Mar 2018 Tokyo, Japan Agenda Where we were a year ago Current status Future plans Q&A One Year Ago ... Limited guest VM choices Decent support for OpenBSD

  1. OpenBSD vmm/vmd Update Mike Larkin bhyvecon 2018 09 Mar 2018 – Tokyo, Japan

  2. Agenda ● Where we were a year ago ● Current status ● Future plans ● Q&A

  3. One Year Ago ... ● Limited guest VM choices – Decent support for OpenBSD i386/amd64 – Not much else ... ● amd64 and i386 host support ● Early/basic SVM support ● Functional vmctl(8)/vmd(8) – A bit unstable at times ...

  4. This Past Year ... ● Improving core features ● Adding new guest OS support ● Bug fixing / paying down technical debt

  5. 2017 vmm(4) Improvements ● Main goal was to broaden guest OS support ... ● Added code to support SeaBIOS/UEFI – Needed for Linux (and other) guest support – Missing PIC/PIT features – Missing PCI config space features – Missing MC146818 RTC features

  6. 2017 vmm(4) Improvements (cont’d) ● SeaBIOS delivered via fw_update(1) – vmm_firmware package – Includes sgabios VGA-to-serial redirector – Supports VMX and SVM ● VMX users need Westmere or later CPU :(

  7. 2017 vmm(4) Improvements (cont’d) ● Improved platform support – Substantially better SVM code – AVX/AVX2/AVX512 guest support – TSC support in guest ● Helps avoid too-fast or too-slow time in VM ● … plus many other small changes

  8. 2017 vmm(4) Improvements (cont’d) Goal : Support More Guest OSes

  9. 2017 vmm(4) Improvements (cont’d) ● Linux guest support – 32/64 bit – No known nonfunctional distributions – Latest to be added was CentOS/RHEL ● Required CD-ROM support – Guest still sees virtio devices – Graphics can be redirected locally via VNC

  10. 2017 vmm(4) Improvements (cont’d) ● Other less common guest OSes now work as well: – DOS – Plan9 – Android ● Just really Linux, though ... – Solo5/ukvm (Courtesy Adam Steen) – Solaris/Illumos/OI ● Not 100% - graphics related?

  11. 2017 vmm(4) Improvements (cont’d) ● What about FreeBSD/NetBSD guests? – pd@ has these locally working ● Requires instruction emulation – bus_space_write_multi(..) used in console I/O – turns into a “ rep outsb from memory” instruction ● We have not needed an instruction emulator until now ...

  12. 2017 vmd(8) Improvements ● vmd(8) saw improvements as well ...

  13. 2017 vmd(8) Improvements ● vmd(8) saw improvements as well … ● VirtIO SCSI host-side support for .iso images (CD/DVD images) – Implemented by ccardenas@

  14. 2017 vmd(8) Improvements (cont’d) ● vmd(8) “local networks” – Implemented by reyk@ – Makes configuring NAT networking for VMs much easier: /etc/pf.conf: pass out on $ext_if from 100.64.0.0/10 to any nat-to $ext_if /etc/sysctl.conf: net.inet.ip.forwarding=1 vmctl start -L myvm

  15. 2017 vmd(8) Improvements (cont’d) ● vmd(8) “local networks” – vmd has a built-in DHCP/BOOTP server – Assigns IP addresses from 100.64.0.0/10 range ● “Carrier Grade NAT” reserved IP range ● Can be overridden if desired – Assigns corresponding gateway on host side ● Sends DHCP option to guest to configure gateway

  16. 2017 vmd(8) Improvements ● VM pause/resume & send/receive (snapshots) – vmctl pause ubuntu – vmctl unpause ubuntu – vmctl send ubuntu > ubuntu.vm – vmctl receive ubuntu < ubuntu.vm ● Features implemented initially by team of 4 SJSU MSSE students – Committed and maintained by pd@

  17. 2017 vmd(8) Improvements ● Send / Receive can also be performed over SSH (paused migration): vmctl send openbsd | ssh mlarkin@host vmctl receive ● The VM send files can be stored (eg, snapshots), if desired: vmctl send openbsd > /home/mlarkin/vm_backups/openbsd.vm

  18. How Send/Receive Work ● Send/Receive wait until the VM is HLTed – Eg, while the OS is in it’s idle loop ● Pause the VM ● Serialize device and CPU state to output stream – CPUID feature flags – Internal legacy device state (PIC state, PIT counter state, etc)

  19. How Send/Receive Work (cont’d) ● Transfer memory pages to output stream ● Destroy the VM ● On Resume … – Read CPUID flags, compare with local host capabilities ● Abort if incompatible – Restore memory pages and device state – Resume VM

  20. How Send/Receive Work (cont’d) ● Ideally, can use switch(4)/switchd(8) to manage connection state across send/receive

  21. vmctl send/receive Demo

  22. 2018 Goals ● Isn’t every year the year of “reduce the bug count”? ● Solicit community involvement – Glad to have lots of new faces at the vmm table ● Continue pd@’s effort – Instruction emulation and memory walker – Needed for SMP, proper shadow paging, support for older CPUs, more guest OS support, etc…

  23. 2018 Goals (cont’d) ● Add support for more modern emulated hardware – … 1997 called, they want their PC back ● Did I mention “fix bugs”?

  24. New Ideas For vmm(4) ● At the t2k17 Toronto Hackathon, a bunch of us were sitting around having beer … … oh no, not this again :)

  25. New Ideas For vmm(4) (cont’d) ● At the t2k17 Toronto Hackathon, a bunch of us were sitting around having beer … ● … talking about how we might be able to use vmm(4) to help secure memory – Part of a broader conversation about reducing attack surfaces

  26. New Ideas For vmm(4) (cont’d) ● Nested Paging (used by vmm currently) can offer execute-only memory on some CPUs – Can’t read it, can only execute it ● Could we use this to protect code pages from scanning? – ROP gadget scans and generally keeping prying eyes away

  27. New Ideas For vmm(4) (cont’d) ● Idea: – Start vmm(4) early – Convert existing host into VM – Protect code pages as XO ● Note – This idea is not new – Concepts first (?) introduced as bluepill in 2006 – Others have done similar things

  28. New Ideas For vmm(4) (cont’d) ● Challenges: – Legitimate reads ● ddb(4) ● Compiler-generated data islands – Compatibility with vmd(8) ● ddb(4) is easily handled – Hypercall (VMCALL instruction) to exit host-VM – Need to make sure that doesn’t become a new gadget

  29. New Ideas For vmm(4) (cont’d) ● Switch/jump tables (data islands) were a problem with gcc – … then fixed – … then became a non-issue with clang/llvm anyway ● Compatibility with vmd(8) requires at least some nesting – Shadow VMCS (or emulation) – Exits for VMX instructions – Some sort of minimalist VM scheduler in the kernel

  30. New Ideas For vmm(4) (cont’d) ● Early proof-of-concept: – ~1600 line diff – .ktext protected – No nesting ● Similarly protecting userland code requires more work – UVM requires copy-on-read support – “Do kernel first, userland later”

  31. XO Kernel (“Underjack”) Demo

  32. Questions? ● Any questions?

  33. Thank You Mike Larkin mlarkin@openbsd.org @mlarkin2012

Recommend

Porting OpenBSD Niall OHiggins &lt;niallo@openbsd.org&gt; Uwe Sthler &lt;uwe@openbsd.org&gt;

Porting OpenBSD Niall OHiggins &lt;niallo@openbsd.org&gt; Uwe Sthler &lt;uwe@openbsd.org&gt;

Porting OpenBSD Niall OHiggins &lt;niallo@openbsd.org&gt; Uwe Sthler &lt;uwe@openbsd.org&gt; OpenCON, 2005 Outline 1 Porting OpenBSD What It Takes Preparation Cross-Development The Boot Loader Building The Kernel Adapting Startup

1.59k views • 88 slides
OpenBSD vmm/vmd Update Mike Larkin bhyvecon 2019 20 Mar 2019 Tokyo, Japan Agenda Where

OpenBSD vmm/vmd Update Mike Larkin bhyvecon 2019 20 Mar 2019 Tokyo, Japan Agenda Where

OpenBSD vmm/vmd Update Mike Larkin bhyvecon 2019 20 Mar 2019 Tokyo, Japan Agenda Where we were a year ago Current status Future plans Q&amp;A One Year Ago ... Reasonably complete support for OpenBSD and Linux guests

729 views • 47 slides
Supporting Radio Clocks in OpenBSD Marc Balmer &lt; mbalmer@openbsd.org &gt; micro systems/OpenBSD

Supporting Radio Clocks in OpenBSD Marc Balmer &lt; mbalmer@openbsd.org &gt; micro systems/OpenBSD

Supporting Radio Clocks in OpenBSD Marc Balmer &lt; mbalmer@openbsd.org &gt; micro systems/OpenBSD BSDConTr, Istanbul, Turkey Agenda 1 Introduction 2 Radio Clocks 3 Architectural Overview 4 Support for GPS-Receivers 5 Support for Time Signal

745 views • 35 slides
Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org

Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org

Reflections|Projections 2007 Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org Overview of OpenBSD History Berkeley Software Distribution (BSD) First freely distributable BSD was released in June

810 views • 24 slides
Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist &lt;anton@openbsd.org&gt; Introduction

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist &lt;anton@openbsd.org&gt; Introduction

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist &lt;anton@openbsd.org&gt; Introduction Fuzzing the OpenBSD kernel using the syzkaller kernel fuzzer. Heard about first on the BSD Now podcast back in April 2018. Ongoing effort, hence 1/N in

668 views • 15 slides
Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler

Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler

Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler phessler@openbsd.org OpenBSD 17 March, 2013 1 / 27 what is this spamd uses IP host entries, to whitelist, blacklist or greylist hosts spamd can import and

412 views • 27 slides
Mininet on OpenBSD Using rdomains for Interactive SDN Testing and Development Ayaka Koshibe

Mininet on OpenBSD Using rdomains for Interactive SDN Testing and Development Ayaka Koshibe

Mininet on OpenBSD Using rdomains for Interactive SDN Testing and Development Ayaka Koshibe akoshibe@openbsd.org AsiaBSDCon 2018 SDN? Network split into programmable nodes that handle traffic and entities that program them

372 views • 26 slides
LSE Summer Week 2016 16 July, 2016 Antoine Jacoutot &lt;ajacoutot@openbsd.org&gt; whoami(1)

LSE Summer Week 2016 16 July, 2016 Antoine Jacoutot &lt;ajacoutot@openbsd.org&gt; whoami(1)

OpenBSD rc.d(8) LSE Summer Week 2016 16 July, 2016 Antoine Jacoutot &lt;ajacoutot@openbsd.org&gt; whoami(1) OpenBSD developer since 2006 ajacoutot@ aka aja@ sysmerge, rc.d, rcctl, libtool, stuff, other stuff &gt;400 ports,

1.19k views • 64 slides
OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to

OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to

OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to be able to create VM images on OpenBSD for VMM and many other virtualizers. Philipp Bhler &lt;pb@sysfive.com&gt; @pb_double sysfive.com portfolio

510 views • 20 slides
OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis &lt;giovanni@openbsd.org&gt;

OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis &lt;giovanni@openbsd.org&gt;

OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis &lt;giovanni@openbsd.org&gt; Fosdem 2020, Brussels Historical setup some OpenBSD mail servers Postfix + Apache SpamAssassin + Amavisd-new + Courier Imap no shared

310 views • 20 slides
Removing ROP Gadgets from OpenBSD AsiaBSDCon 2019 Todd Mortimer mortimer@openbsd.org Overview

Removing ROP Gadgets from OpenBSD AsiaBSDCon 2019 Todd Mortimer mortimer@openbsd.org Overview

Removing ROP Gadgets from OpenBSD AsiaBSDCon 2019 Todd Mortimer mortimer@openbsd.org Overview Return Oriented Programming Removing ROP Gadgets Unaligned / Polymorphic Gadget Reduction Aligned Gadget Reduction Results Return

1.99k views • 99 slides
Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier dhartmei@openbsd.org Systor AG Usenix 2002 p.1/22 Introduction part of a firewall, working on IP packet level (vs. application level proxies or ethernet

455 views • 33 slides
Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org EuroBSDCon, September 2019

Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org EuroBSDCon, September 2019

What did exist before? How does it work? What are the findings? What is the Conclusion? Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org EuroBSDCon, September 2019 What did exist before? How does it work? What are the

491 views • 48 slides
OpenBSDs new httpd AsiaBSDCon 2015 Reyk Flter (reyk@openbsd.org)

OpenBSDs new httpd AsiaBSDCon 2015 Reyk Flter (reyk@openbsd.org)

I n t ro d u c i n g OpenBSDs new httpd AsiaBSDCon 2015 Reyk Flter (reyk@openbsd.org) ESDENERA NETWORKS GmbH Why do we need a web server in base? Serve the OpenBSD page. Why do we need a web server

264 views • 22 slides
Game of Trees Stefan Sperling &lt; stsp@openbsd.org &gt; EuroBSDcon 2019 What is Game of Trees?

Game of Trees Stefan Sperling &lt; stsp@openbsd.org &gt; EuroBSDcon 2019 What is Game of Trees?

Game of Trees Stefan Sperling &lt; stsp@openbsd.org &gt; EuroBSDcon 2019 What is Game of Trees? Game of Trees is a work-in-progress version control system which attempts to be appealing to OpenBSD developers. designed and written from scratch

1.08k views • 72 slides
Recent work in OpenBSD relayd AsiaBSDCon 2013 Reyk

Recent work in OpenBSD relayd AsiaBSDCon 2013 Reyk

Recent work in OpenBSD relayd AsiaBSDCon 2013 Reyk Flter (reyk@openbsd.org) Agenda History &amp; Background Recent work SSL Interception Socket

533 views • 19 slides
Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org BSDCan, May 2019 What did

Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org BSDCan, May 2019 What did

What did exist before? How does it work? What are the findings? What is the Conclusion? Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org BSDCan, May 2019 What did exist before? How does it work? What are the findings?

475 views • 43 slides
OpenBSD Remote Exploit Only two remote holes in the default install Alfredo A. Ortega June

OpenBSD Remote Exploit Only two remote holes in the default install Alfredo A. Ortega June

OpenBSD Remote Exploit Only two remote holes in the default install Alfredo A. Ortega June 30, 2007 Mbuf buffer overflow Buffer overflow Researching the OpenBSD 008: RELIABILITY FIX a new vulnerability was found: The m dup1()

587 views • 23 slides
My BSD Sucks Less Than Yours EuroBSDcon 2017 Paris ajacoutot@OpenBSD.org

My BSD Sucks Less Than Yours EuroBSDcon 2017 Paris ajacoutot@OpenBSD.org

Antoine Jacoutot Baptiste Daroussin My BSD Sucks Less Than Yours EuroBSDcon 2017 Paris ajacoutot@OpenBSD.org bapt@FreeBSD.org ROUND 1 Ports &amp; packages Release model &amp; engineering Binary upgrades SMP &amp; scheduling The

630 views • 24 slides
syspatch(8) The Boring Healing Potion Antoine Jacoutot ajacoutot@openbsd.org FOSDEM 2018

syspatch(8) The Boring Healing Potion Antoine Jacoutot ajacoutot@openbsd.org FOSDEM 2018

syspatch(8) The Boring Healing Potion Antoine Jacoutot ajacoutot@openbsd.org FOSDEM 2018 @ajacoutot whoami(1) Antoine Jacoutot For fun OpenBSD developer since 2006 ajacoutot@ aka aja@ syspatch, sysmerge, rcctl, rc.d,

546 views • 22 slides
vmd Reyk Flter reyk@openbsd.org About vmd vmd is a daemon responsible for the execution

vmd Reyk Flter reyk@openbsd.org About vmd vmd is a daemon responsible for the execution

vmd Reyk Flter reyk@openbsd.org About vmd vmd is a daemon responsible for the execution of virtual machines (VMs) on a host. vmd(8) interfaces with vmm(4) in the kernel It handles the VM setup, vCPUs, exists, and device layer

372 views • 8 slides
A systematic evaluation of OpenBSD's mitigations 36c3 stein Agenda Why

A systematic evaluation of OpenBSD's mitigations 36c3 stein Agenda Why

A systematic evaluation of OpenBSD's mitigations 36c3 stein Agenda Why Mitigations Attack surface reduction Hardware vulnerabilities Memory corruption Misc Missing ones Conclusion 2 Earlier

675 views • 48 slides
The future of X.Org on non-GNU/Linux systems Matthieu Herrb OpenBSD/X.Org February 2, 2013

The future of X.Org on non-GNU/Linux systems Matthieu Herrb OpenBSD/X.Org February 2, 2013

The future of X.Org on non-GNU/Linux systems Matthieu Herrb OpenBSD/X.Org February 2, 2013 Introduction X has always been multi-platform XFree86 was started on SVr4 and FreeBSD, ported on Linux later. GNU/Linux/Freedesktop is now dominating

319 views • 18 slides
Dropping in 80Gbits (sort of) of Stateful Firewalling with OpenBSD (PF, OpenOSPF) UKNOF 37,

Dropping in 80Gbits (sort of) of Stateful Firewalling with OpenBSD (PF, OpenOSPF) UKNOF 37,

Dropping in 80Gbits (sort of) of Stateful Firewalling with OpenBSD (PF, OpenOSPF) UKNOF 37, Manchester Caveats I am not pushing 80Gbits yet (sorry if you were expecting Netflix levels of awesome) See: Sort of Who am I? Gareth Llewellyn

424 views • 38 slides

More recommend