evammg at gmail
Apr 30, 2012, 2:06 AM
Post #12 of 12
On 28 April 2012 05:42, Luke S. Crawford <lsc [at] prgmr> wrote:
> On Thu, Apr 26, 2012 at 12:26:13PM +0100, Simon Hobson wrote:
> > eva wrote:
> > >Thanks for answering. I read that part, but afterwards I read the link
> > >that Luke posted that says:
> > >
> > >"The problem with PyGRUB is that while it's a good simulation of a
> > >bootloader, it has to mount the domU partition"
> > >
> > >
> > >
> > >
> > >..hence my confusion.
> > Hmm, yes. One or other of the Wiki entries is wrong then.
> Technically, mine is wrong; it uses libfsimage to pull the kernel out
> of the block device, it doesn't mount it. But that has many of the
> dangers of mounting directly. (As someone else pointed out, I think,
> libfsimage can be run as something other than root, as long as it has read
> access to the block device, and that helps some, though by default I think
> it does run as root. But Pvgrub runs entirely within the guest, so there
> is no way a problem in pvgrub can lead to a dom0 compromise.)
> Note, pvgrub also protects you from, say, exploits in the code used to
> decompress the kernel; with pvgrub, the kernel is uncompressed within
> the DomU.
> > In that link I see the answer to your other query. In there, in
> > extolling the virtues of pvgrub, the author is hinting (but
> > explicitly stating) that he is providing a read-only volume which the
> > end user (DomU owner) cannot modify. In that read-only partition, he
> > has a basic (rescue) system which the DomU always boots "through" -
> > thus the end user can never ever completely trash his DomU to the
> > point that it won't boot anything.
> > My guess is that he has GRUB installed in the rescue partition, with
> > two entries - rescue and user. Rescue boots into the rescue system,
> > user (the default) chain loads a GRUB config from the user's normal
> > partition. In normal operation, the DomU will load the read-only
> > GRUB, chainload the user's GRUB, and then boot the user's OS. If the
> > user screws it up, he can interrupt the initial GRUB, boot into the
> > rescue system, and from there fix his own system.
Thank you guys to help me to clarify this point.