WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Xen-devel] [PATCH 04/17] vmx: nest: domain and vcpu flags

from [Qing He] [Permanent Link][Original]
To: Tim Deegan <Tim.Deegan@xxxxxxxxxx>
Subject: Re: [Xen-devel] [PATCH 04/17] vmx: nest: domain and vcpu flags
From: Qing He <qing.he@xxxxxxxxx>
Date: Thu, 20 May 2010 17:54:34 +0800
Cc: "xen-devel@xxxxxxxxxxxxxxxxxxx" <xen-devel@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Thu, 20 May 2010 03:02:16 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <20100520093753.GL4164@xxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <1271929289-18572-1-git-send-email-qing.he@xxxxxxxxx> <1271929289-18572-5-git-send-email-qing.he@xxxxxxxxx> <20100520093753.GL4164@xxxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Mutt/1.5.20 (2009-06-14) 
On Thu, 2010-05-20 at 17:37 +0800, Tim Deegan wrote:
> At 10:41 +0100 on 22 Apr (1271932876), Qing He wrote:
> > Introduce a domain create flag to allow user to set availability
> > of nested virtualization.
> > The flag will be used to disable all reporting and function
> > facilities, improving guest security.
> 
> I have the same reservation about this as Christoph's patch: I don't
> think this needs to be a create-time flag - there's no reason it can't
> be enabled or disabled with a domctl after domain creation.

I had seen the discussion before I posted this patch set.

But I still put this flags here because there have been some people
expressing security concerns, that in some situations, hardware
virtualization needs to be explicitly disabled to avoid stealth VMM.

This doesn't mean not reporting the feature, but disabling it
altogether.

By using domctl, you mean to put the flag in xenstore and let QEmu to do
this? It looks good to me.

> (And of course we'll want it to bve the same interface on both SVM
> and VMX.)
> 

Yeah, I just wanted to show my original intention. After discussion,
we can use the same interface.

Thanks,
Qing

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Xen-devel] [PATCH 04/17] vmx: nest: domain and vcpu flags, Christoph Egger
Next by Date:  Re: [Xen-devel] [PATCH 07/17] vmx: nest: handling VMX instruction exits, Tim Deegan
Previous by Thread:  Re: [Xen-devel] [PATCH 04/17] vmx: nest: domain and vcpu flags, Christoph Egger
Next by Thread:  Re: [Xen-devel] [PATCH 04/17] vmx: nest: domain and vcpu flags, Tim Deegan
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy