This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


RE: [Xense-devel] Shype/ACM for HVM guest.

To: "Stefan Berger" <stefanb@xxxxxxxxxx>
Subject: RE: [Xense-devel] Shype/ACM for HVM guest.
From: "Praveen Kushwaha" <praveen.kushwaha@xxxxxxxxxxx>
Date: Tue, 3 Apr 2007 15:12:56 +0530
Cc: xense-devel-bounces@xxxxxxxxxxxxxxxxxxx, xense-devel@xxxxxxxxxxxxxxxxxxx


Yes, that is fine: if the paravirtualized drivers are used in HVM, then we can put hooks on that. But it is a different case: how does sHype/ACM actually work in the case of VMExit/VMEntry?

Since in the case of VMExit/VMEntry there are no hypercalls, how does sHype/ACM implement security?

I mean to ask how sHype/ACM works in the case of an HVM guest.



Praveen Kushwaha







From: Stefan Berger [mailto:stefanb@xxxxxxxxxx]
Sent: Monday, April 02, 2007 7:19 PM
To: Praveen Kushwaha
Cc: xense-devel@xxxxxxxxxxxxxxxxxxx; xense-devel-bounces@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xense-devel] Shype/ACM for HVM guest.


xense-devel-bounces@xxxxxxxxxxxxxxxxxxx wrote on 04/02/2007 05:40:39 AM:

> Hi,

> Does the sHype/ACM architecture for implementing security in
> Xen support HVM guests also? I mean to say that, as per my

HVM guests are supported insofar as the configuration of an HVM is checked when the VM is started. This is done in xend, where resource assignments (disk access) are validated.

> knowledge in Xen 3.0.4 sHype/ACM is implemented. Does this
> sHype/ACM work also for the HVM (Windows) guest?

> As per my understanding sHype/ACM puts hooks on
> hypercalls from the hypervisor, and consults with the ACM. But in
> case of full virtualization, the hypervisor does not have hypercalls to
> communicate with the HVM guest. There is VMEntry/VMExit for

This is correct. Though, if paravirtualized drivers are used in an HVM, they will also need to go through the hooks for grant table access and event channels.


> communication, in which guest state and host state are saved. Since
> there are no hypercalls in the case of full virtualization, how does
> sHype/ACM actually work? Where does it put hooks? Or is there any
> other mechanism through which it implements security in an HVM guest?

> If anyone has information regarding it, please reply.
> Thanks,
> Praveen Kushwaha
>  _______________________________________________
> Xense-devel mailing list
> Xense-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xense-devel
