[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Detecting whether dom0 is in a VM

  • To: zithro <slack@xxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Thu, 6 Jul 2023 09:02:23 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=BPe3zNBQ4lGBiaCq8dSmkN78oAZohVXDcdQYpgQrZ4E=; b=A4CSb1Bph+dD5zlyHmMqed+vn3dhNudT2fns60Fnqg3z0ZHWb/J43Hn3j4qGl/c33vKmyLei16uoHHlk8zmriBWLaYvVko73pBz5wBG0Q1nm86QQeU8WECO2mgxTPkPl/9QEk7Jh64hapHiq2jlZGw8r3B6am7+vEApURj0bG6BiBzjXqXCF4FuvRA1X8Z0JDadAlAGBnf4hE9G8W0qzT7gAyf6gIy2+NDXweTeW9tx0LDrMhXyNnzZ1FmQDkjFWBcoSxJ+Jk/LJIyvSO+xgyu91M2mo0CwsHmly1gy8ASNObKtq9rKDfsFXGlXT5QWEHm9BS4BlWuflqtiVIIFg6Q==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KMq7ACFRx5I5UkB7D2RlExeczLp6Y7HZxFkq1kU8VDHFDmxCtCh7KU4UXn5QfKwmZJ1lQJnqDJTSDaq4tc+LelFy1yZ0mEWINSxarMMNuyP3V2Q+Vpymtn/rtimXpl/3tEvYI1+Ip6IcZndLSil58nG10+4toojE7Lj7HitD64aDr4TS/3mnFRVGi1VOVcvC7azLoK7DGAI2SgyK96d8e+yF3AhD0ntsJyxFiyWH3G64j5zUMHaaUpejPe2Q7sbTFyN2vOfvhJPnpdOxEIgiI0BwmSMKBfd9teUm6jX7kYJm5OzXynKn6sDfh0zxWcXPUIu8ECCiBKn7UBX8UN/JOA==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx, George Dunlap <george.dunlap@xxxxxxxxx>
  • Delivery-date: Thu, 06 Jul 2023 07:02:45 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 05.07.2023 18:20, zithro wrote:
> On 05 Jul 2023 17:51, George Dunlap wrote:
>> Hey all,
>>
>> The following systemd issue was brought to my attention:
>>
>> https://github.com/systemd/systemd/issues/28113
>>
>> I think basically, they want `systemd-detect-virt` return the following
>> values:
>>
>> Xen on hardware, from a dom0:  `none`
>> Xen on hardware, from a domU: `xen`
>> Xen in a VM, from a dom0: (ideally the virtualization type, or `vm-other`
>> if not)
>> Xen in a VM, from a domU: `xen`
>>
>> Is there a reliable set of tests which would work across all dom0 guest
>> types / architectures?  If not, can we expose the information somehow?
>>
>>   -George
>>
> 
> Small follow-up, I did some more tests (AMD platforms).
> systemd-detect-virt (sdv) is using "/sys/class/dmi/id/sys_vendor".
> 
> On both "baremetal" dom0s, sdv is reporting the platform manufacturer 
> ("MSI" or "Micro-Star International Co., Ltd." on my systems).
> 
> On a nested dom0, sdv is reporting "xen" :
>    root@xen-nested:~# SYSTEMD_LOG_LEVEL=debug systemd-detect-virt
>    Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
>    Found container virtualization none.
>    Virtualization Xen found in DMI (/sys/class/dmi/id/sys_vendor)
>    Found VM virtualization xen
>    xen
> 
> PS: my host "xen-nested" is not masking CPUID leaves in cfg file.
> 
> So I'm wondering, isn't that path enough for correct detection ?
> I mean, if "/sys/class/dmi/id/sys_vendor" reports Xen (or KVM, or any 
> other known hypervisor), it's nested, otherwise it's on hardware ?
> 
> Is that really mandatory to use CPUID leaves ?

Let me ask the other way around: In user mode code under a non-nested
vs nested Xen, what would you be able to derive from CPUID? The
"hypervisor" bit is going to be set in both cases. (All assuming you
run on new enough hardware+Xen such that CPUID would be intercepted
even for PV.)

Yet relying on DMI is fragile, too: Along the lines of
https://lists.xen.org/archives/html/xen-devel/2022-01/msg00604.html
basically any value in there could be "inherited" from the host (i.e.
from the layer below, to be precise). The only way to be reasonably
certain is to ask Xen about its view. The raw or host featuresets
should give you this information, in the "mirror" of said respective
CPUID leave's "hypervisor" bit. But of course that still won't tell
you which _kind_ of hypervisor is the immediate next one underneath
Xen.

This then further raises the question of what use it is to know the
kind of the next level hypervisor, when multiple may be stacked on
top of one another ...

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.