Sending logical volumes (partitions) to VMs

Consider this scenario: I have a 2TB hard drive on which I create two logical volumes, split 50/50.

I can now send these volumes to separate VMs and access them. How safe is this?

My understanding is that Qubes OS is already doing this, is it equally safe if I do it myself? What can a VM access if it’s sent a partition/logical volume? Can it read directly from the entire device to get data across VMs?

1 Like

One thing to watch out for is that if you let a VM write to a dom0 block device (in this case, the additional logical volume), the VM-controlled, potentially malicious data now stored on that block device must not be parsed in dom0. By default, udev would scan any block device’s data for filesystems etc., so for the normal logical volumes managed by the lvm_thin Qubes OS storage driver (whose names all begin with vm-) there are some udev rules in /usr/lib/udev/rules.d/ that prevent them from being scanned:

To replicate this, you’ll probably want to give your additional logical volumes names that start with vm- too. Assuming that they’re on a separate LVM pool anyway (one that’s not used by the lvm_thin Qubes OS storage driver) I think that prefix should not conflict with anything.

No.

4 Likes

Hey, thanks. This is exactly the type of information I was looking for. For clarity’s sake, do I only have to prepend vm- to the name argument when creating a volume using lvcreate for this to apply?

2 Likes

Yes, that should do it (but I haven’t tested this).

This feels very important due to the Dom0 risk. @Demi, as the author of that file, would you like to add your thoughts?

If you start the names with vm-, it ought to be just as safe as what Qubes OS does internally. Be sure to never mount the volumes in dom0 or run fsck on them. Creating a snapshot should be fine, so long as the new volume has a name that also begins with vm-.

I say “ought to” and “should” because I haven’t actually tested this.
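
A read-only dom0 audit of the advice in this thread, as an added example that is not part of any post and is not Qubes OS code: it flags logical volumes whose names lack the vm- prefix, or for which the udev database holds ID_FS_* / ID_PART_TABLE_* properties, meaning udev probed their contents. The function names, the verdict words and the /dev/<vg>/<lv> device path are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit the logical volumes of a volume group handed to VMs.
# Assumptions: the VG name is passed as $1; active LVs appear as /dev/<vg>/<lv>.

# True if the LV name carries the vm- prefix discussed in the thread.
is_vm_prefixed() {
    case "$1" in
        vm-?*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Reads `udevadm info --query=property` output on stdin. True if udev stored
# results of probing the device contents (filesystem or partition table).
was_probed() {
    grep -Eq '^(ID_FS_[A-Z_]+|ID_PART_TABLE_[A-Z_]+)='
}

# classify NAME PROPERTIES -> prints one verdict word.
classify() {
    if ! is_vm_prefixed "$1"; then
        echo "BAD_NAME"
    elif printf '%s\n' "$2" | was_probed; then
        echo "PROBED"
    else
        echo "OK"
    fi
}

# Live audit: list the LVs with lvs, then query the udev database for each.
# Nothing is mounted, read or checked with fsck; only udev metadata is read.
audit_vg() {
    vg=$1
    rc=0
    for lv in $(lvs --noheadings -o lv_name "$vg"); do
        dev="/dev/$vg/$lv"
        [ -e "$dev" ] || { echo "$lv: SKIPPED (no device node)"; continue; }
        props=$(udevadm info --query=property --name="$dev")
        verdict=$(classify "$lv" "$props")
        echo "$lv: $verdict"
        [ "$verdict" = "OK" ] || rc=1
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then audit_vg "$1"; fi
```

Run it as root in dom0 with the volume group name as the only argument; a non-zero exit status means at least one volume was reported as BAD_NAME or PROBED.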