[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [RFC 0/4] Adding Virtual Memory Fuses to Xen

To: Demi Marie Obenour <demi@xxxxxxxxxxxxxxxxxxxxxx>, "Smith, Jackson" <rsmith@xxxxxxxxxxxxxxxxxxxxx>
From: Julien Grall <julien@xxxxxxx>
Date: Wed, 14 Dec 2022 14:06:09 +0000
Cc: "Brookes, Scott" <sbrookes@xxxxxxxxxxxxxxxxxxxxx>, Xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, "bertrand.marquis@xxxxxxx" <bertrand.marquis@xxxxxxx>, "jbeulich@xxxxxxxx" <jbeulich@xxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Roger Pau Monné <roger.pau@xxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, "Daniel P. Smith" <dpsmith@xxxxxxxxxxxxxxxxxxxx>, "christopher.w.clark@xxxxxxxxx" <christopher.w.clark@xxxxxxxxx>
Delivery-date: Wed, 14 Dec 2022 14:06:35 +0000
List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi,

On 13/12/2022 23:05, Julien Grall wrote: > On 13/12/2022 22:22, DemiMarie Obenour wrote:

On Tue, Dec 13, 2022 at 08:55:28PM +0000, Julien Grall wrote:

On 13/12/2022 19:48, Smith, Jackson wrote:
Hi Xen Developers,
Hi Jackson,
Thanks for sharing the prototype with the community. Somequestions/remarks
below.


[snip]

With this technique, we protect the integrity and confidentiality of
guest memory. However, a compromised hypervisor can still read/write
register state during traps, or refuse to schedule a guest, denying
service. We also recognize that because this technique precludes
modifying Xen's page tables after startup, it may not be compatible
with all of Xen's potential use cases. On the other hand, there are
some uses cases (in particular statically defined embedded systems)
where our technique could be adopted with minimal friction.


 From what you wrote, this sounds very much like the project Citrix and

Amazon worked on called "Secret-free hypervisor" with a twist. Inyour case,

you want to prevent the hypervisor to map/unmap the guest memory.

You can find some details in [1]. The code is x86 only, but I don'tsee any

major blocker to port it on arm64.


Is there any way the secret-free hypervisor code could be upstreamed?

This has been in my todo list for more than year but didn't yet findanyone to finish the work.

I need to have a look how much left the original work it is left to do.

I have looked at the series. It looks like there are only 16 patchesleft to be reviewed.

They are two years old but the code hasn't changed too much. So I willlook at porting them over the next few days and hopefully I can respinthe series before Christmas.


Cheers,
--
Julien Grall

References:
- [RFC 0/4] Adding Virtual Memory Fuses to Xen
  - From: Smith, Jackson
- Re: [RFC 0/4] Adding Virtual Memory Fuses to Xen
  - From: Julien Grall
- Re: [RFC 0/4] Adding Virtual Memory Fuses to Xen
  - From: Demi Marie Obenour
- Re: [RFC 0/4] Adding Virtual Memory Fuses to Xen
  - From: Julien Grall

Prev by Date: [PATCH] xen/arm: Allow to set grant table related limits for dom0less domUs
Next by Date: [xen-unstable-smoke test] 175199: regressions - FAIL
Previous by thread: Re: [RFC 0/4] Adding Virtual Memory Fuses to Xen
Next by thread: Re: [RFC 0/4] Adding Virtual Memory Fuses to Xen
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.