We're hiring!
*

Quick hack: Experiments with crosvm

Tomeu Vizoso avatar

Tomeu Vizoso
November 09, 2017

Share this post:

Last week I played a bit with crosvm, a KVM monitor used within Chromium OS for application isolation. My goal is to learn more about the current limits of virtualization for isolating applications in mainline. Two of crosvm's defining characteristics is that it's written in Rust for increased security, and that uses namespaces extensively to reduce the attack surface of the monitor itself.

It was quite easy to get it running outside Chromium OS (have been testing with Fedora 26), with the only complication being that minijail isn't widely packaged in distros. In the instructions below we hack around the issue with linker environment variables so we don't have to install it properly. Instructions are in form of shell commands for illustrative purposes only.

Build kernel:

    $ cd ~/src
    $ git clone git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
    $ cd linux
    $ git checkout v4.12
    $ make x86_64_defconfig
    $ make bzImage
    $ cd .. 

Build minijail:

    $ git clone https://android.googlesource.com/platform/external/minijail
    $ cd minijail
    $ make
    $ cd .. 

Build crosvm:

    $ git clone https://chromium.googlesource.com/a/chromiumos/platform/crosvm
    $ cd crosvm
    $ LIBRARY_PATH=~/src/minijail cargo build 

Generate rootfs:

    $ cd ~/src/crosvm
    $ dd if=/dev/zero of=rootfs.ext4 bs=1K count=1M
    $ mkfs.ext4 rootfs.ext4
    $ mkdir rootfs/
    $ sudo mount rootfs.ext4 rootfs/
    $ debootstrap testing rootfs/
    $ sudo umount rootfs/

Run crosvm:

    $ LD_LIBRARY_PATH=~/src/minijail ./target/debug/crosvm run -r rootfs.ext4 --seccomp-policy-dir=./seccomp/x86_64/ ~/src/linux/arch/x86/boot/compressed/vmlinux.bin

The work ahead includes figuring out the best way for Wayland clients in the guest interact with the compositor in the host, and also for guests to make efficient use of the GPU.

 

Original post

Comments (0)


Add a Comment






Allowed tags: <b><i><br>Add a new comment:


Latest Blog Posts

Permissively-licensed MTP device implementation

16/05/2019

Introducing cmtp-responder - a permissively licensed Media Transfer Protocol (MTP) responder implementation which allows embedded devices…

An eBPF overview, part 5: Tracing user processes

14/05/2019

Up until now, talking in-depth about userspace tracing was deliberately avoided because it merits special treatment, hence this part devoted…

CEF on Wayland upstreamed

08/05/2019

After a successful team effort, the patch enabling the Chromium Embedded Framework (CEF) Ozone builds to run with different platform backends,…

An eBPF overview, part 4: Working with embedded systems

06/05/2019

Now that we've studied the mainstream way of developing and using eBPF programs on top of the low-level VM mechanisms, we'll look at projects…

Running Android and Wayland on embedded devices

02/05/2019

A previous post introduced the SPURV Android compatibility layer for Wayland based Linux environment. In this post, we're going to dig into…

An eBPF overview, part 3: Walking up the software stack

26/04/2019

In part 1 and 2 of this series, we took a condensed in-depth look at the eBPF VM. In part 3, we define the high-level components of an eBPF…

Open Since 2005 logo

We use cookies on this website to ensure that you get the best experience. By continuing to use this website you are consenting to the use of these cookies. To find out more please follow this link.

Collabora Ltd © 2005-2019. All rights reserved. Website sitemap.