Re: [Publicity] Blog-post RFC: Hardening Xen against VENOM-style attacks
On Thu, 2015-05-14 at 11:54 +0100, George Dunlap wrote:
> On 05/14/2015 11:39 AM, Anil Madhavapeddy wrote:
> > Yeah... it's worth noting that unikernels like MirageOS or HaLVM never use
> > the x86 device emulation and so require a far easier to audit hypervisor
> > TCB that doesn't involve qemu.
> >
> > Also, is it worth mentioning why the qemu stub domain isn't the default?
> > Is it all compiled and installed in most of the hypervisor distributions on
> > Ubuntu/CentOS/etc? I don't think even XenServer uses qemu stub domains,
> > although that might have changed in the recent release.
>
> Well the main reason is that qemu-upstream doesn't work with stub
> domains yet. Anthony worked on it for what, a year? He got pretty far
> but there are just a lot of thorny issues to deal with.

AIUI Wei had something mostly working (at least the basics) with rumpkernels
earlier this year.