
Re: Detecting whether dom0 is in a VM


  • To: zithro <slack@xxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Fri, 7 Jul 2023 10:00:37 +0200
  • Cc: George Dunlap <george.dunlap@xxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Fri, 07 Jul 2023 08:01:01 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 06.07.2023 17:35, zithro wrote:
> On 06 Jul 2023 09:02, Jan Beulich wrote:
>> On 05.07.2023 18:20, zithro wrote:
>>> So I'm wondering, isn't that path enough for correct detection ?
>>> I mean, if "/sys/class/dmi/id/sys_vendor" reports Xen (or KVM, or any
>>> other known hypervisor), it's nested, otherwise it's on hardware ?
>>>
>>> Is that really mandatory to use CPUID leaves ?
>>
>> Let me ask the other way around: In user mode code under a non-nested
>> vs nested Xen, what would you be able to derive from CPUID? The
>> "hypervisor" bit is going to be set in both cases. (All assuming you
>> run on new enough hardware+Xen such that CPUID would be intercepted
>> even for PV.)
> 
> I'm a bit clueless about CPUID stuff, but if I understand correctly, 
> you're essentially saying that using CPUID may not be the perfect way ?
> Also, I don't get why the cpuid command returns two different values, 
> depending on the -k switch :
> # cpuid -l 0x40000000
> hypervisor_id (0x40000000) = "\0\0\0\0\0\0\0\0\0\0\0\0"
> # cpuid -k -l 0x40000000
> hypervisor_id (0x40000000) = "XenVMMXenVMM"

I'm afraid I can't comment on this without knowing what tool you're
talking about. Neither of the two systems I checked has one of this
name.

>> Yet relying on DMI is fragile, too: Along the lines of
>> https://lists.xen.org/archives/html/xen-devel/2022-01/msg00604.html
>> basically any value in there could be "inherited" from the host (i.e.
>> from the layer below, to be precise).
> 
> So using "/sys/class/dmi/id/sys_vendor", or simply doing "dmesg | grep 
> DMI:" is also not perfect, as values can be inherited/spoofed by 
> underneath hypervisor ?

That's my understanding, yes.

>> The only way to be reasonably
>> certain is to ask Xen about its view. The raw or host featuresets
>> should give you this information, in the "mirror" of said respective
>> CPUID leaf's "hypervisor" bit.
> 
> As said above, I'm clueless, can you expand please ?

Xen's public interface offers access to the featuresets known / found /
used by the hypervisor. See XEN_SYSCTL_get_cpu_featureset, accessible
via xc_get_cpu_featureset().

Jan
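The three signals the thread goes back and forth over (the "hypervisor" bit in CPUID leaf 1 ECX[31], the vendor signature in leaf 0x40000000, and /sys/class/dmi/id/sys_vendor) are easy to read from user space; the point of the reply above is that none of them separates a nested dom0 from one on bare metal. The program below is an added example, not code from this thread or from Xen: it reads all three on an x86 Linux host and keeps the register-to-string decoding in a separate function so it can be exercised with constructed register values. The Xen and KVM signature strings and the little-endian register layout are the ones those hypervisors document; the /sys path is the one from the original question. The "-k" behaviour of the cpuid(1) tool is not addressed by the code; it is worth knowing that "-k" reads CPUID through the kernel's /dev/cpu/*/cpuid driver rather than executing the instruction in user space, which is one plausible reason for the two different leaf 0x40000000 results quoted above on a PV dom0 (an assumption about the tool, not something the thread confirms).

```c
/*
 * hvprobe.c: the three "am I under a hypervisor?" signals from the thread
 * (CPUID.1:ECX[31], the vendor signature in leaf 0x40000000, and the DMI
 * sys_vendor string), with the caveat that none of them distinguishes a
 * nested from a non-nested dom0. Illustrative code, not part of Xen.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>          /* __cpuid(): raw instruction, no max-leaf check */
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

#define HV_LEAF_BASE 0x40000000u   /* start of the hypervisor CPUID range */

enum hv_kind { HV_NONE, HV_XEN, HV_KVM, HV_OTHER };

/* Unpack EBX:ECX:EDX of leaf 0x40000000 into the 12-byte vendor signature.
 * Bytes are taken little-endian, which is how the string sits in the regs. */
static void hv_signature_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx,
                                   char out[13])
{
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xff);
    out[12] = '\0';
}

/* Map a signature to the vendors discussed in the thread. KVM pads its
 * 9-character signature with NUL bytes, so compare by length, not strcmp. */
static enum hv_kind classify_signature(const char sig[12])
{
    if (memcmp(sig, "XenVMMXenVMM", 12) == 0)
        return HV_XEN;
    if (memcmp(sig, "KVMKVMKVM", 9) == 0)
        return HV_KVM;
    for (int i = 0; i < 12; i++)
        if (sig[i] != '\0')
            return HV_OTHER;
    return HV_NONE;         /* all zeros, as "cpuid -l 0x40000000" printed */
}

/* Leaf 1 ECX bit 31, the "hypervisor present" bit. Returns -1 off x86. */
static int cpuid_hypervisor_bit(void)
{
#if HAVE_X86_CPUID
    unsigned int a, b, c, d;
    __cpuid(1, a, b, c, d);
    return (int)((c >> 31) & 1u);
#else
    return -1;
#endif
}

/* Vendor signature. Only meaningful when the hypervisor bit is set: on bare
 * metal leaf 0x40000000 is out of range, and the CPU may answer with data
 * from its highest basic leaf (Intel) or zeros (AMD). */
static int cpuid_hv_signature(char out[13])
{
#if HAVE_X86_CPUID
    unsigned int a, b, c, d;
    __cpuid(HV_LEAF_BASE, a, b, c, d);
    hv_signature_from_regs(b, c, d, out);
    return 0;
#else
    out[0] = '\0';
    return -1;
#endif
}

/* /sys/class/dmi/id/sys_vendor, the value the original question relied on.
 * Returns 0 on success, -1 if the file is absent or unreadable. */
static int read_dmi_sys_vendor(char *buf, size_t len)
{
    FILE *f = fopen("/sys/class/dmi/id/sys_vendor", "r");
    if (!f)
        return -1;
    if (!fgets(buf, (int)len, f)) {
        fclose(f);
        return -1;
    }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';
    return 0;
}

int main(void)
{
    char sig[13], dmi[128];
    int hv = cpuid_hypervisor_bit();

    printf("CPUID.1:ECX[31] hypervisor bit : %d\n", hv);
    if (hv == 1 && cpuid_hv_signature(sig) == 0)
        printf("CPUID.40000000 signature      : \"%s\" (kind %d)\n",
               sig, classify_signature(sig));
    if (read_dmi_sys_vendor(dmi, sizeof dmi) == 0)
        printf("DMI sys_vendor                : %s\n", dmi);

    /* Caveat from the thread: a nested dom0 and one on bare metal can print
     * identical values here (the bit is set either way, and DMI strings can
     * be inherited from the layer below). Whether Xen itself found a
     * hypervisor underneath is only visible through Xen's featuresets
     * (XEN_SYSCTL_get_cpu_featureset via xc_get_cpu_featureset()). */
    return 0;
}
```

Build with `cc -O2 -o hvprobe hvprobe.c` and run as root or not; none of the reads need privilege. The decoding and classification are kept separate from the instruction wrappers on purpose: they are the only part whose result does not depend on the machine you run on, so they are the part worth unit-testing.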
