qemu-devel

[Qemu-devel] QEMU - Security Research Questions #2


From: Joey Connelly
Subject: [Qemu-devel] QEMU - Security Research Questions #2
Date: Wed, 5 Oct 2016 21:44:53 -0600

Hey QEMU dev group,

I'm a graduate student at Boise State University working on my thesis
involving Virtualization/Cloud Computing Security and I wanted to ask
another IN-DEPTH question I've been trying to solve. If you have some time
it would be greatly appreciated:


*[Question:]*

Can I migrate a VM to a nested VM using only the ports on my host and
knowing (from a super-user host administrator perspective) any/all network
information as required??



*[Scenario:]*

I'm a sys admin with root privileges. 1 QEMU process is running, guest_VM0,
with -monitoring and -enable-kvm options (its virtual environment supports
Intel-VTx).



I then create a new guest_VM1 with the same virtual environment & support,
have -enable-kvm option and -hostfwd option enabled from host port 4444 to
guest port 5555.



Within guest_VM1 I create another QEMU process, guest_VM_COPY, with again
same virtual environment & Intel-VTx support, have -enable-kvm and this
time it’s just sitting with -incoming tcp<options,...,listen-port5555>
waiting for migration.



I then execute from guest_VM0 Monitor Console -migrate to port 4444, which
through hostfwd should send to my nested vm paused with -incoming
initialized.



*[So… re-wording my question with this scenario now presented:]*

After migration, with full super-user control, is there ANY virtual
network (socket, bridge, user, etc.) or combination of things I could set up
so that my nested guest_VM_COPY can still access the network through the
same host external network that it originally accessed?? Basically no
interruptions for the original guest_VM0 during or after migration?


Thanks!

-Joey

