[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Detecting whether dom0 is in a VM

  • To: George Dunlap <george.dunlap@xxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Fri, 7 Jul 2023 13:45:39 +0200
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=suse.com; dmarc=pass action=none header.from=suse.com; dkim=pass header.d=suse.com; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=xjLq5P5nC6V2RHzAV3Ba2MVBfctPT2FEJss+T23KNBE=; b=Vqk9pqcQ/trR+b/hYV95UReHCqfcucnbzl3SEJ/8W4YDxrlooBhWHqBpSIJJZU7STXECJ2bwgdaV/Q0roKleS+LpbKLeHap+VGCmD31UsbgsyayFSwU+Na+lqnb7ud1JxFoMzIRxmsoEhJXA0EkH+zTvOipla5LIdd9AgOhc40ccExSIKWIs8qdBz669WmDLu14emxkk/1SD6HGzXhIGYHiTSFTjIOaQnsDpgxv6H+0z2RrCOZvw5n4B8UyJjqu4HJokwZYYccxkdrMiCBimU4qB5CpvdcH3fo94pYCjnSMJ3soOfblttindZQoJKA2yCEnOGsT5NhQCQL1JLW17UQ==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XSzOvlE/IdgpWQKQ6hf++BsQVZBszl+nqJSDEHOiWsD0uTWjpMwOHH/LSbKzfvH3Gvs9GukwHZlSSkpSHkKDyCvU+4oM4wm4YHwYaeu7x2eTIbW2yptzHjDNsgY3fH/8rzgwfLtj2h3/gpeSOX3e1MoQxbqTkm9JNQQkUXo7rxfT2I3jrcWgn4f/ZwH43LedA5T27QXtJ63z6sfTop0NDvTdAR1MT6OEmLb6hrjpftwSxsnwWgXJ9EdfX80QoIf4Xxl6M1ZuaCwxNLD2Kuz6jfhr40LjLLEgiZ3/da0c1EwaHjj8rsHhribOcTUJAJEaeJRp4F11BefFbwc8B7jh+Q==
  • Authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=suse.com;
  • Cc: zithro <slack@xxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Fri, 07 Jul 2023 11:46:02 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>
On 07.07.2023 12:16, Jan Beulich wrote:
> On 07.07.2023 11:52, George Dunlap wrote:
>> On Fri, Jul 7, 2023 at 9:00 AM Jan Beulich <jbeulich@xxxxxxxx> wrote:
>>
>>> On 06.07.2023 17:35, zithro wrote:
>>>> On 06 Jul 2023 09:02, Jan Beulich wrote:
>>>>> On 05.07.2023 18:20, zithro wrote:
>>>>>> So I'm wondering, isn't that path enough for correct detection ?
>>>>>> I mean, if "/sys/class/dmi/id/sys_vendor" reports Xen (or KVM, or any
>>>>>> other known hypervisor), it's nested, otherwise it's on hardware ?
>>>>>>
>>>>>> Is that really mandatory to use CPUID leaves ?
>>>>>
>>>>> Let me ask the other way around: In user mode code under a non-nested
>>>>> vs nested Xen, what would you be able to derive from CPUID? The
>>>>> "hypervisor" bit is going to be set in both cases. (All assuming you
>>>>> run on new enough hardware+Xen such that CPUID would be intercepted
>>>>> even for PV.)
>>>>
>>>> I'm a bit clueless about CPUID stuff, but if I understand correctly,
>>>> you're essentially saying that using CPUID may not be the perfect way ?
>>>> Also, I don't get why the cpuid command returns two different values,
>>>> depending on the -k switch :
>>>> # cpuid -l 0x40000000
>>>> hypervisor_id (0x40000000) = "\0\0\0\0\0\0\0\0\0\0\0\0"
>>>> # cpuid -k -l 0x40000000
>>>> hypervisor_id (0x40000000) = "XenVMMXenVMM"
>>>
>>> I'm afraid I can't comment on this without knowing what tool you're
>>> taking about. Neither of the two systems I checked have one of this
>>> name.
>>>
>>>>> Yet relying on DMI is fragile, too: Along the lines of
>>>>> https://lists.xen.org/archives/html/xen-devel/2022-01/msg00604.html
>>>>> basically any value in there could be "inherited" from the host (i.e.
>>>>> from the layer below, to be precise).
>>>>
>>>> So using "/sys/class/dmi/id/sys_vendor", or simply doing "dmesg | grep
>>>> DMI:" is also not perfect, as values can be inherited/spoofed by
>>>> underneath hypervisor ?
>>>
>>> That's my understanding, yes.
>>>
>>>>> The only way to be reasonably
>>>>> certain is to ask Xen about its view. The raw or host featuresets
>>>>> should give you this information, in the "mirror" of said respective
>>>>> CPUID leave's "hypervisor" bit.
>>>>
>>>> As said above, I'm clueless, can you expand please ?
>>>
>>> Xen's public interface offers access to the featuresets known / found /
>>> used by the hypervisor. See XEN_SYSCTL_get_cpu_featureset, accessible
>>> via xc_get_cpu_featureset().
>>>
>>
>> Are any of these exposed in dom0 via sysctl, or hypfs?
> 
> sysctl - yes (as the quoted name also says). hypfs no, afaict.
> 
>>  SYSCTLs are
>> unfortunately not stable interfaces, correct?  So it wouldn't be practical
>> for systemd to use them.
> 
> Indeed, neither sysctl-s nor the libxc interfaces are stable.

Thinking of it, xen-cpuid is a wrapper tool around those. They may want
to look at its output (and, if they want to use it, advise distros to
also package it), which I think we try to keep reasonably stable,
albeit without providing any guarantees.

Jan

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.