
Re: [Xen-devel] Possible to prevent dom0 accessing guest memory?



On 14/11/16 14:51, Andy Smith wrote:
> Hello,
>
> Please forgive me if this is a naive question but I do not know this
> low-level stuff very well.
>
> If the ability of the toolstack to dump a guest's memory (e.g. xl
> dump-core) were disabled on the hypervisor side, would there be any
> other way to do so from dom0 without rebooting the machine into a
> hypervisor that had the capability re-enabled?
>
> I understand dom0 has privileges to map devices to guests; does that
> give it a way to read arbitrary memory without need of toolstack
> support?
>
> The purpose of my question is in seeing if disk encryption in VMs
> can be made slightly more useful. If there were no way for root in
> dom0 to read guest memory without rebooting into a different
> hypervisor then I think that would be a useful step.

You have misunderstood a step.

Dom0 can map all of guest memory.  This is how `xl dump-core` is
implemented, as well as how Qemu emulates devices for the guest.

However, it is also a strict requirement for Dom0 to construct the
domain in the first place, so you can't simply disable it in the
hypervisor and end up with a working system.

Even if it were possible to exclude this in Xen, Dom0 by default has a
number of powers which can alter hypervisor code, such as loading a
crash kernel or a livepatch.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 

