Xen 3.3 Feature: PV-GRUB

From Samuel Thibault:

The traditional way to configure a PV guest is to write in the configuration file the path to the kernel/initrd to be loaded.  However, logically enough, these should be on the PV guest disk image, to allow them to be managed by the distribution installed inside the PV guest.  PyGRUB used to act as a “PV bootloader”: it runs in dom0 as root, opens the PV disk image, reads its GRUB menu.lst, presents a GRUB-like menu to let the user choose a kernel which it copies to the dom0 filesystem, it then closes the disk image and eventually tells the domain builder to use that copy.  Such a dom0 root process that parses user-provided data is a potential security breach.

PV-GRUB, on the other hand, is the real GRUB source code recompiled against Mini-OS, and works much more like a usual bootloader: it runs inside the very PV domain that will host the PV guest.  In the PV domain configuration file, one just gives the path to the PV-GRUB kernel.  PV-GRUB will boot inside the PV domain, detect the PV disks and network interfaces of the domain, and just use that to access the PV guests’ menu.lst, use the regular PV console to show the GRUB menu, and again use the PV interface to load the kernel image from the guest disk image.  Some black magic is then used to boot the PV guest kernel from inside the PV domain (see summit slides for the details).  The limitation, however, is that it can not perform a 32/64bit switch: to boot a 32bit (resp. 64bit) PV kernel, a 32bit (resp.  64bit) PV-GRUB is needed.  The bonus features with PV-GRUB is that network boot is also possible, both for providing the menu.lst and kernel/initrd, and works exactly like the regular GRUB.

As a result, PV-GRUB is far more secure than PyGRUB, as is just only uses the very resources that the PV guest will use.

See Summit slides: