From d4dfff52e85a57cac61809d6c14aa18a053e2381 Mon Sep 17 00:00:00 2001 From: stubbybubby Date: Mon, 17 Apr 2017 09:26:10 -0700 Subject: [PATCH 1/2] Rewrite 'Why does dom0 need to be 64-bit" In order to prevent what happened last time, I'm going to edit this document piecemeal so you can choose which PRs to accept and which to reject. * Partitioned run on sentences * Cleaned up wording. * Newline at end of sentences. --- basics_dev/devel-faq.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/basics_dev/devel-faq.md b/basics_dev/devel-faq.md index a3d72727..f5d347ab 100644 --- a/basics_dev/devel-faq.md +++ b/basics_dev/devel-faq.md 
@@ -16,7 +16,12 @@ Why does dom0 need to be 64-bit? Since 2013 [Xen has not supported 32-bit x86 architecture](http://wiki.xenproject.org/wiki/Xen_Project_Release_Features) and Intel VT-d, which Qubes uses to isolate devices and drivers, is available on Intel 64-bit processors only. -In addition, often it is more difficult to exploit a bug on the x64 Linux than it is on x86 Linux (e.g. ASLR is sometimes harder to get around). While we designed Qubes with the emphasis on limiting any potential attack vectors in the first place, still we realize that some of the code running in Dom0, e.g. our GUI daemon or xen-store daemon, even though it is very simple code, might contain some bugs. Plus currently we haven't implemented a separate storage domain, so also the disk backends are in Dom0 and are "reachable" from the VMs, which adds up to the potential attack surface. So, having faced a choice between 32-bit and 64-bit OS for Dom0, it was almost a no-brainer, as the 64-bit option provides some (little perhaps, but still) more protection against some classes of attacks, and at the same time does not have any disadvantages (except that it requires a 64-bit processor, but all systems on which it makes sense to run Qubes, e.g. that have at least 3-4GB memory, they do have 64-bit CPUs anyway). +In addition, it is often more difficult to bypass ASLR and exploit a bug on x64 Linux than x86 Linux. +While we designed Qubes from the beginning to limit potential attack vectors, we still realize that some of the code running in Dom0, e.g. our GUI daemon or xen-store daemon, even though it is very simple, might contain some bugs. +Plus since we haven't implemented a separate storage domain, the disk backends are in Dom0 and are "reachable" from the VMs, which adds up to the potential attack surface. +So, having faced a choice between 32-bit and 64-bit OS for Dom0, it was almost a no-brainer. 
+The 64-bit option provides some (little perhaps, but some) more protection against some classes of attacks, and at the same time does not have any disadvantages except the extra requirement of a 64 bit processor. +And even though Qubes now "needs" a 64 bit processor, it didn't make sense to run Qubes on a system without 3-4GB of memory, and those have 64-bit CPUs anyway. What is the recommended build environment? ------------------------------------------ From 049905736c5f326ff5dfbddb1b1081b1d9cecb4a Mon Sep 17 00:00:00 2001 From: Dean V Date: Tue, 2 May 2017 12:48:14 -0700 Subject: [PATCH 2/2] Fixed inaccuracy --- basics_dev/devel-faq.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/basics_dev/devel-faq.md b/basics_dev/devel-faq.md index f5d347ab..6a21b99d 100644 --- a/basics_dev/devel-faq.md +++ b/basics_dev/devel-faq.md 
@@ -16,8 +16,8 @@ Why does dom0 need to be 64-bit? Since 2013 [Xen has not supported 32-bit x86 architecture](http://wiki.xenproject.org/wiki/Xen_Project_Release_Features) and Intel VT-d, which Qubes uses to isolate devices and drivers, is available on Intel 64-bit processors only. -In addition, it is often more difficult to bypass ASLR and exploit a bug on x64 Linux than x86 Linux. -While we designed Qubes from the beginning to limit potential attack vectors, we still realize that some of the code running in Dom0, e.g. our GUI daemon or xen-store daemon, even though it is very simple, might contain some bugs. +In addition, with features like improved ASLR, it is often more difficult to exploit a bug on x64 Linux than x86 Linux. +While we designed Qubes from the beginning to limit potential attack vectors, we still realize that some of the code running in Dom0, e.g. our GUI daemon or xen-store daemon, however simple, might contain some bugs. Plus since we haven't implemented a separate storage domain, the disk backends are in Dom0 and are "reachable" from the VMs, which adds up to the potential attack surface. So, having faced a choice between 32-bit and 64-bit OS for Dom0, it was almost a no-brainer. The 64-bit option provides some (little perhaps, but some) more protection against some classes of attacks, and at the same time does not have any disadvantages except the extra requirement of a 64 bit processor.
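Review bot: The last added line of [PATCH 1/2] inverts the sentence it replaces: in "it didn't make sense to run Qubes on a system without 3-4GB of memory, and those have 64-bit CPUs anyway", the word "those" points back at systems without 3-4GB of memory, whereas the removed text said that systems with at least 3-4GB of memory have 64-bit CPUs anyway. Suggest something like "it only makes sense to run Qubes on systems with at least 3-4GB of memory, and those have 64-bit CPUs anyway", which also keeps the present tense of the original. Two smaller points in the same hunk: the first added line turns the original's hedged example ("e.g. ASLR is sometimes harder to get around") into a flat claim about bypassing ASLR, and "64 bit processor" should be hyphenated to match "64-bit" used elsewhere in the hunk.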
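Review bot: "improved ASLR" in the first added line of [PATCH 2/2] is vague, since the sentence does not say what is improved or why it matters for dom0. Suggest naming the mechanism, for example that the larger 64-bit address space leaves more room for address randomization, or linking a reference as the preceding paragraph does for the Xen claim. The commit message "Fixed inaccuracy" should also state which inaccuracy was fixed so the change can be judged without diffing against patch 1. While touching these lines, "than x86 Linux" would read better as "than on x86 Linux", and the unchanged context still carries "Plus since" without a comma, "adds up to the potential attack surface" (should be "adds to"), and "64 bit processor" without a hyphen.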