Disallow persistent attachment of block devices #447
Conversation
It is very fragile.
|
It would be great if we could attach block devices based on UUID. Is that not exposed by Xen? Or are there other issues as well with persistently attaching block devices? |
The problem with UUIDs is that they are dependent solely on the contents of the block device. This is a security problem, because a qube could overwrite a device’s UUID with the UUID of a different device, and cause it to be assigned to a different qube. Partition UUIDs would be somewhat better, since (IIRC) they are stored in the partition table, which (if you are exporting a partition) is not under the control of the frontend. However, they are still controlled by the block device, and so are still spoofable by it. For physical (as opposed to virtual) devices, the safest approach that I am aware of is to designate devices based on their paths in |
|
Many thanks for explaining this.
This might be a reasonable tradeoff between security and the convenience of persistent attachments. If I plug in my device to a different slot then I won't see it auto attach and I'd just unplug and plug it in again to the whitelisted slot. |
But they aren't necessary stable. Plus, that would for example depend on to which USB port you connect a device, which may be undesirable. Maybe |
I believe almost any non-cryptographic solution will either be spoofable or have this problem. The only possible exceptions are partition UUIDs and other such identifiers, which can be spoofed by someone with access to the underlying device, but not by someone with only access to the partition.
I believe that works for virtual devices, but it is probably spoofable for physical devices. |
It is very fragile.
Marking as draft because this is not yet tested.