Of of the main potential security issue with Xen is dom0. As he controls all devices, and network cards among the others, he can be hacked with hardware attack against poorly firmwares. So, when dom0 is supposed to be pretty much protected against unauthorized and/or malicious access, in fact it is not.
The idea here is to use PCI passthrough to transfert network card control to a domU so that dom0 will be isolated from the Internet.
So, let's try to isolate as well our Debian dom0 behind a dedicated domU. Basically, any distribution more or less security oriented can be used here. In my case, I've choosen OpenWRT because it's small, I know it and I like technicals challenges.
Compilation environment setup
We're going to compile OpenWRT from source. For that, we need to setup a build environment. Current OpenWRT stable release, called Backfire, provides kernel 2.6.32. This kernel miss of important thing for us: Xen PCI Frontend driver. If you really want / need to use this kernel, you'll have to backport patches. Here, we'll use the newly released kernel 2.6.37 because needed driver is now merged into mainstream.
The 2 last modifications allow you to specify the kernel version you want to use and fix a little bug introduced with one kernel module filname change (line FILES). If you forgot the last one, build will fail. You've been warned.
OpenWRT configuration & compilation
Once build is done, you can deploy kernel and disk image on your dom0:
Now, you can configure the Xen part.
OpenWRT domU configuration
We'll use Paravirt domU. That's why kernel bzimage is not included into disk image. But all the module you'll use are because they must be reachable from whithin the domU.
Let's first test domU without any PCI passthrough. If it works, you'll just have to comment line extra = "console=hvc0 xencons=tty" and uncomment the 2 next in order to activate PCI passthrough.
If you can see something like this, more or less, you're done. You OpenWRT domU is properly working. Let's activate PCI passthrough.
Xen PCI passthrough
I'll give here only a quick summary, time for me to write a real documentation about that topic. You'll have to:
Identify which devices you want to export to domU
Configure dom0 so that I won't take control over the devices and use instead Xen PCI backend driver (Reboot mandatory !)
Adapt domU xen configuration file.
Start domU and check
This will change a bit the Xen network architecture:
Default Xen network Architecture
Xen network architecture with PCI passthrough
Of course, because I work with Debian, we'll follow the Debian way.
Now you can reboot. But be sure to have an easy access to you dom0, either physical, console, KVM or even network (never know). If you don't use bonding and /or don't have spare network device, you'll loose network access until you configured both OpenWRT and dom0 internal network.
In my case, I use bonding so it's easy to remove one card without loosing everything. I also have RS232 console access from another server. Just said "never know", hu ? :)
After reboot check
Don"t be suprised to see PCI device into dom0. It's not hidden but now under control of pciback driver. Kernel module which should have had control is sky2.
Yeah !, you're done. You can now configure OpenWRT so that it'll act as gatekeeper for you dom0 and other domU as well.