
Re: [Xen-devel] [PATCH v4 00/10] Nested VMX: Add virtual EPT & VPID support to L1 VMM



On Tue, Feb 12, 2013 at 8:22 AM, Ian Jackson <Ian.Jackson@xxxxxxxxxxxxx> wrote:
Xiantao Zhang writes ("[Xen-devel] [PATCH v4 00/10] Nested VMX: Add virtual EPT & VPID support to L1 VMM"):
> From: Zhang Xiantao <xiantao.zhang@xxxxxxxxx>
>
> With virtual EPT support, L1 hypervisor can use EPT hardware for L2 guest's memory virtualization.
> In this way, L2 guest's performance can be improved sharply.
> According to our testing, some benchmarks can show > 5x performance gain.

I'm no expert on the areas of code you're touching, so perhaps you've
already done this, but:

I think there may need to be some high-level knob to turn this feature
on and off (probably, for individual guests).  This is because this
feature exposes a richer attack surface for guests (AFAICT).  I know
there's already a feature check for nested HVM, but I wonder if that's
enough.

I agree that the feature does or can expose a richer attack surface for guests today. We need to set "nestedhvm" in the config ('false' by default) for each guest, to turn on the feature, as far as I know. I don't think we need a global switch like a boot parameter for Xen at this point. 

--
Jun
Intel Open Source Technology Center
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
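
The per-guest "nestedhvm" setting discussed in this thread can be audited across guest config files. The sketch below is an added example, not code from the thread or from Xen: it assumes xl-style `key = value` config text with a numeric boolean value, and the function names and sample configs are constructed for illustration.

```python
import re

# Matches an uncommented "nestedhvm = <value>" line; stops at a trailing comment.
_ASSIGN = re.compile(r"^\s*nestedhvm\s*=\s*(?P<val>[^#;]*)")

def nestedhvm_state(cfg_text):
    """Classify one guest config as 'enabled', 'disabled' or 'review'."""
    state = "disabled"  # per the thread, the feature is off unless set per guest
    for line in cfg_text.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        raw = m.group("val").strip().strip("'\"")
        try:
            on = int(raw) != 0
        except ValueError:
            # Assumption: only numeric booleans are understood here; anything
            # else is handed to a human instead of being guessed at.
            return "review"
        if on:
            # Conservative: any enabling assignment flags the guest, even if
            # another assignment in the same file turns it off.
            state = "enabled"
    return state

def flagged_guests(configs):
    """Return sorted config names whose nested-HVM state is not 'disabled'."""
    return sorted(n for n, text in configs.items()
                  if nestedhvm_state(text) != "disabled")

# Constructed sample configs (not taken from any real host).
SAMPLE = {
    "l1-vmm.cfg": 'name = "l1-vmm"\nbuilder = "hvm"\nnestedhvm = 1  # L1 VMM\n',
    "web01.cfg": 'name = "web01"\nbuilder = "hvm"\n# nestedhvm = 1\n',
    "db01.cfg": 'name = "db01"\nnestedhvm = 0\n',
    "legacy.cfg": 'name = "legacy"\nnestedhvm = "yes"\n',
}

if __name__ == "__main__":
    for name in sorted(SAMPLE):
        print(f"{name}: {nestedhvm_state(SAMPLE[name])}")
```

Guests reported as "enabled" are the ones exposed to the larger nested-virtualization attack surface raised in the thread; "review" marks values the sketch does not interpret.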
