|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH 04/17] vmx: nest: domain and vcpu flags
On Thu, 2010-05-20 at 17:37 +0800, Tim Deegan wrote: > At 10:41 +0100 on 22 Apr (1271932876), Qing He wrote: > > Introduce a domain create flag to allow user to set availability > > of nested virtualization. > > The flag will be used to disable all reporting and function > > facilities, improving guest security. > > I have the same reservation about this as Christoph's patch: I don't > think this needs to be a create-time flag - there's no reason it can't > be enabled or disabled with a domctl after domain creation. I had seen the discussion before I posted this patch set. But I still put this flags here because there have been some people expressing security concerns, that in some situations, hardware virtualization needs to be explicitly disabled to avoid stealth VMM. This doesn't mean not reporting the feature, but disabling it altogether. By using domctl, you mean to put the flag in xenstore and let QEmu to do this? It looks good to me. > (And of course we'll want it to bve the same interface on both SVM > and VMX.) > Yeah, I just wanted to show my original intention. After discussion, we can use the same interface. Thanks, Qing _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxx http://lists.xensource.com/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |