[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] Alternate p2m design specification



On 10/06/15 01:09, Ed White wrote:
> This document describes a new capability for VM Introspection, Security and 
> Privacy in Xen. The new capability is called âaltp2mâ (short for Alternate 
> p2m) that is used to provide the ability for Xen to host alternate guest 
> physical memory domains for a specific guest-domain. This document describes 
> the overall design specific to Xen for your review and feedback.

This is a very thorough description, and everything here seems in order.

A couple of remarks,

> The altp2m functionality allows the capability to be used via an agent 
> operating in an HVM guest or alternately an agent operating in a separate 
> privileged domain. For cross domain operation, an XSM hook is defined such 
> that the administrator can define a policy for inter-domain VM introspection.

There should be an interlock to prevent both an internal and external
entity from actually being able to use the altp2m infrastructure.

Nothing good can come of an uncoordinated attempt like this, whereas a
coordinated use would already have to be communicating far more than the
hypercalls themselves would allow.


Also, hardware accelerated altp2m is mutually exclusive with EPT PML, as
we have no way of determining which translation was in use when a gpa
was appended to the buffer.  We are going to have to maintain a feature
compatibility matrix.  Even for non-accelerated altp2m, the cost of
working out the real gpa is likely prohibitive, and we should probably
resort to declaring logdirty and altp2m as exclusive features.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.