[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [Xen-devel] [PATCH v2 00/23] Vixen: A PV-in-HVM shim
From: Anthony Liguori <aliguori@xxxxxxxxxx> CVE-2017-5754 is problematic for paravirtualized x86 domUs because it appears to be very difficult to isolate the hypervisor's page tables from PV domUs while maintaining ABI compatibility. Instead of trying to make a KPTI-like approach work for Xen PV, it seems reasonable to run a copy of Xen within an HVM (or PVH) domU to provide backwards compatibility with guests as mentioned in XSA-254 [1]. This patch series adds a new mode to Xen called Vixen (Virtualized Xen) which provides a PV-compatible interface while gaining CVE-2017-5754 protection for the host provided by hardware virtualization. Vixen supports running a single unprivileged PV domain (a dom1) that is constructed by the dom0 domain builder. Please note the Xen page table configuration fundamental to the current PV ABI makes it impossible for an operating system to mitigate CVE-2017-5754 through mechanisms like Kernel Page Table Isolation (KPTI). In order for an operating system to mitigate CVE-2017-5754 it must run directly in a HVM or PVH domU. This series is very similar to the PVH series posted by Wei and we have been discussing how to merge efforts. We were hoping to have more time to work this out. I am posting this because I'm fairly confident that this series is complete (all PV instances in EC2 are using this) and others might find it useful. I also wanted to have more of a discussion about the best way to merge and some of the differences in designs. This series is also available at: git clone https://github.com/aliguori/xen.git vixen-upstream-v2 Changelog: v1 -> v2 - fix ARM build - add vixen_domid command line parameter - make version pass through optional - pull in p2m mapping fix from sidewinder - panic if dom0_construct_pv fails - #defines for the vendor/device id of platform device - coding style for event channel polling - reserve even more in the e820 table based on hvm_info_table - moved shared info to special page range - make grant table frames come from special page range - refactor grant tables to use single dispatch function Not in this version: - Avoiding vixen domain == hardware domain Regards, Anthony Liguori [1] https://xenbits.xen.org/xsa/advisory-254.html _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel
|
Lists.xenproject.org is hosted with RackSpace, monitoring our |