|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] reserve e820 ram
Hi, At 12:22 +0100 on 11 Apr (1334146973), Francisco Rocha wrote: > This part is working. > > I am able to reserve a range of memory and boot a HVM guest > that uses pages from that range. The problem is when I try > to restrict dom0 from accessing does pages, it fails in allocating > the memory to the guest. Doe sit fail in allocating the memory or in populating it? Dom0 has to map the new domain's memory to put the BIOs and firmware in before it boots. > Is get_page_from_l1e always called by dom0? get_page_from_l1e is called for any pagetables entry (PV or shadowed HVM) that maps a page of memory. So it will be called when dom0 triues to map the memory. > Can a guest run when dom0 is restricted from > accessing its memory? I would only want to restrict access > for certain operations. Dom0 maps domU's memory three times: Once (by force) to populate the BIOS &C at buid time. In Qemu (again, by force) to emulate domU's hardware. In the PV backend drivers (using the grant tables) for block & net I/O. You can handle the build-time map by allowing them and the making sure they all get pulled down before the domain is unpaused for the first time (Or by having a separate trusted/privileged builder domain that does nothing but build domains). You can handle the second by using stub domains to run qemu in a different domain, or by only usoing PV domUs. The third is pretty much a requirement if the domU's going to do any I/O via dom0, but at least with grant tables the ACL is under domU's control. Or if you have an IOMMU you can give the domU direct access to its own network card and disk controller. Cheers, Tim. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |