[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH RFC v1 00/74] Run PV guest in PVH container

On Thu, Jan 4, 2018 at 1:05 PM, Wei Liu <wei.liu2@xxxxxxxxxx> wrote:
> Hi all
> This is a patch series to run PV guest inside a PVH container. The series is
> still in a very RFC state. We're aware that some code is not very clean yet 
> and
> in the process of cleaning things up.
> The series can be found at:
>     https://xenbits.xen.org/git-http/people/liuw/xen.git wip.pvshim-rfc-v1
> The basic idea can be found at page 15 of the slides at [0].
> This is a mitigation against one of the CPU vulnerabilities disclosed 
> recently.
> This series makes it possible to continue running untrusted PV guests.  Please
> refer to XSA-254 [1] for more information.
> Given the embargo lifted and vulnerabilities disclosed we opt to develop 
> openly
> on xen-devel. Feedback and testing is very welcome.
> The series is split into three parts: The first part is for the host that runs
> the shim, the second part is for the shim itself, the third part is for
> toolstack patches (not yet fully working). See the markers in the list of
> patches.
> Instructions on using the PV shim:
> 1. Git clone the branch and configure as one normally would.
> 2. A xen-shim binary would be built and installed into Xen's firmware
>    directory, along side hvmloader and co.
> 3. Use the hacky way currently provided in the first part of the series to
>    boot a PV guest inside a PVH container:
>    a. Append type='pvh' in your PV guest config file;
>    b. Export two environment variables so that libxl knows where to find
>       the shim and what to add to the shim's command line option.
>       # export LIBXL_PVSHIM_CMDLINE="pv-shim console=xen,pv loglvl=all 
> guest_loglvl=all apic_verbosity=debug e820-verbose sched=null"
> 4. xl create -c guest.cfg
> You should be able to see some Xen messages first and then guest kernel
> messages (the console= shim paramter is required).
> Known issues:
> 1. ARM build and some Clang build are broken by this series.
> 2. The host will see a lot over-allocation messages, nothing too harmful and
>    will be fixed once toolstack is ready.
> Wei.
> [0] 
> https://www.slideshare.net/xen_com_mgr/xpdds17-keynote-towards-a-configurable-and-slimmer-x86-hypervisor-wei-liu-citrix
> [1] https://xenbits.xen.org/xsa/advisory-254.html
> # Patches for the host:
> 448f56a363 x86/svm: Offer CPUID Faulting to AMD HVM guests as well
> 6a78c9ae33 x86: Common cpuid faulting support
> 05844fec44 x86/upcall: inject a spurious event after setting upcall vector
> fc7a48dd74 tools/libxc: initialise hvm loader elf log fd to get more logging
> 522c9cbaf0 tools/libxc: remove extraneous newline in xc_dom_load_acpi
> bd6b572b32 tools/libelf: fix elf notes check for PVH guest
> 449b932b0c tools/libxc: Multi modules support
> cc6dbdc0c1 libxl: Introduce hack to allow PVH mode to add a shim
> # Patches for the shim:
> 7dbc3f25f6 xen/x86: report domain id on cpuid

This is a host (L0) patch, isn't it?


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.