3D Accelerated Virtualized World Tours

The latest VirtualBox 2.1 release includes a new experimental\* high-performance XGL driver for Windows guests. This makes it possible to run 3D applications like Google Earth in virtualized environments with excellent performance. I've previously blogged about running VirtualBox guests in labeled zones, but the new 3D capability is so impressive that you have to see it to believe it. So I've made my first YouTube video, showing the system performance on my Toshiba M9 with 4GB of RAM. An instance of VirtualBox is running in each labeled zone, and an instance of Microsoft Vista is running in each VirtualBox. Each Vista instance is running Google Earth at high speed, using the virtual XGL driver included in the VirtualBox Guest Additions.

I also uploaded a QuickTime version of this video to Sun's MediaCast web site which provides higher resolution than YouTube.

Since this is a security blog, it is important to mention that the network isolation provided by Trusted Extensions extends only as far as the Vista guests. The PUBLIC instance is connected to the public Internet, and the CONFIDENTIAL : INTERNAL USE ONLY instance is connected to Sun's Wide Area Network (SWAN) via the Cisco 3000 VPN. Although the remote VPN endpoint has been assigned the label CONFIDENTIAL : INTERNAL USE ONLY in the Trusted Extensions network configuration, neither the Cisco VPN server nor SWAN is label-aware, so the mandatory access control enforced by Trusted Extensions stops at the VPN endpoint and doesn't extend into SWAN or beyond it. That's why the internal zone's instance of Google Earth can connect to the PUBLIC Google servers: the Solaris kernel sees only tunnel traffic from the CONFIDENTIAL zone to a host labeled CONFIDENTIAL, which its policy permits, and the Windows VPN client hides the real, public destination inside the tunnel. In a classified environment, this would not be permitted.
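
To make the boundary concrete, here is a small model of the check described above. It is an added illustration, not Solaris or Trusted Extensions code: the remote-host table, the addresses and the label strings are constructed stand-ins for the administrator's network configuration. The labeled host checks only the outer IP header of each packet against the label assigned to the destination host, so a tunnel to a CONFIDENTIAL-labeled VPN endpoint carries an inner packet to a PUBLIC server without that destination ever being checked. The last function shows the contrast with a network in which every hop is label-aware and re-checks the inner destination.

```python
# Model of where Trusted Extensions' network label enforcement stops.
# Added illustration, NOT Solaris or Trusted Extensions code; the host
# table, addresses and label strings below are constructed examples.
from dataclasses import dataclass
from typing import Optional

PUBLIC = "PUBLIC"
INTERNAL = "CONFIDENTIAL : INTERNAL USE ONLY"

# Stand-in for the labeled host's remote-host database: each remote
# address is assigned a single label by the administrator (constructed).
REMOTE_HOSTS = {
    "203.0.113.10": INTERNAL,   # VPN concentrator endpoint (assumed address)
    "198.51.100.20": PUBLIC,    # public web server (assumed address)
}


@dataclass
class Packet:
    dst: str
    inner: Optional["Packet"] = None   # payload when dst is a tunnel endpoint


def kernel_permits(zone_label: str, pkt: Packet) -> bool:
    """The labeled host's per-packet check, applied to the OUTER header only:
    a zone may talk to a single-label remote host if that host's assigned
    label equals the zone's label. Unknown hosts are denied; tunnel
    payloads are opaque to the host and never examined."""
    return REMOTE_HOSTS.get(pkt.dst) == zone_label


def trace(zone_label: str, pkt: Packet) -> list:
    """Follow the packet out of the zone and record which destinations
    the label check actually saw."""
    steps = [(pkt.dst, "checked by labeled host", kernel_permits(zone_label, pkt))]
    p = pkt.inner
    while p is not None:
        steps.append((p.dst, "inside tunnel, never checked", None))
        p = p.inner
    return steps


def label_aware_forward(zone_label: str, pkt: Packet) -> bool:
    """Contrast: if the label travelled with the packet and every hop,
    including the VPN server, were label-aware, decapsulation would
    re-check the inner destination against the carried label."""
    p = pkt
    while p is not None:
        if REMOTE_HOSTS.get(p.dst) != zone_label:
            return False
        p = p.inner
    return True


if __name__ == "__main__":
    tunneled = Packet("203.0.113.10", inner=Packet("198.51.100.20"))
    for step in trace(INTERNAL, tunneled):
        print(step)
    print("direct from INTERNAL zone:", kernel_permits(INTERNAL, Packet("198.51.100.20")))
    print("label-aware network:", label_aware_forward(INTERNAL, tunneled))
```

Run stand-alone, the trace shows the VPN endpoint as the only destination the labeled host ever evaluates; the same public server is denied when the internal zone addresses it directly, and denied again in the label-aware variant once the tunnel is unwrapped.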

For those trying this at home, I pulled out all the stops to get the best performance. I used UNIX domain sockets instead of TCP for X11, and I ran the demo several times to get the images into the cache. Otherwise this ran on the official releases of OpenSolaris 2008.11 and VirtualBox 2.1.

\* See the user manual, chapter 4.8, "Hardware 3D acceleration (OpenGL)", page 66.


Comments:

Hi,

Very interesting entry on using MAC with OpenGL.

Could you comment on whether the path for data used by the OpenGL transport would be in violation of the security target used for the EAL4+ status of Solaris with Trusted Extensions.

Also, would this in principle work with Sun Shared Visualization server, to allow remote OpenGL acceleration of Windows hosts.

Regards

Chris

Posted by Chris Bull on May 13, 2009 at 12:23 AM PDT #

The path used for OpenGL is consistent with the EAL4+ evaluation. The X11 server correctly manages shared memory segments from labeled zones, and prevents rendering or viewing into pixmaps owned by clients in other zones or with other user IDs.

Shared Visualization is more complex and is not included in the evaluation.

Posted by Glenn Faden on September 26, 2009 at 07:37 AM PDT #

About

This blog explores some of the security features of Oracle Solaris. In particular, topics such as Role-Based Access Control and Labeled Security are my special interests.
