
Re: [Publicity] Blog-post RFC: Hardening Xen against VENOM-style attacks
On Thu, 14 May 2015, George Dunlap wrote:
> On 05/14/2015 11:39 AM, Anil Madhavapeddy wrote:
> > Yeah... it's worth noting that unikernels like MirageOS or HaLVM never use 
> > the x86 device emulation and so require a far easier to audit hypervisor 
> > TCB that doesn't involve qemu.
> > 
> > Also, is it worth mentioning why the qemu stub domain isn't the default?  
> > Is it all compiled and installed in most of the hypervisor distributions on 
> > Ubuntu/CentOS/etc?  I don't think even XenServer uses qemu stub domains, 
> > although that might have changed in the recent release.
> 
> Well the main reason is that qemu-upstream doesn't work with stub
> domains yet.  Anthony worked on it for what, a year?  He got pretty far
> but there are just a lot of thorny issues to deal with.

To be fair, there are also other reasons: memory overhead, number of
domains doubling, and the additional complexity of having 2 QEMUs for
each domain (there is still one QEMU in Dom0 running for each guest,
although it just provides the PV backends).

_______________________________________________
Publicity mailing list
Publicity@xxxxxxxxxxxxxxxxxxxx
http://lists.xenproject.org/cgi-bin/mailman/listinfo/publicity