Xen project Mailing List

Re: [Xen-devel] [PATCH 00/22] Vixen: A PV-in-HVM shim

Date: Mon, 8 Jan 2018 11:54:57 +0000

Cc: Wei Liu <wei.liu2@xxxxxxxxxx>, Anthony Liguori <aliguori@xxxxxxxxxx>, KarimAllah Ahmed <karahmed@xxxxxxxxx>, Andrew Cooper <andrew.cooper3@xxxxxxxxxx>, Jan H. Schönherr <jschoenh@xxxxxxxxx>, Matt Wilson <msw@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx

Delivery-date: Mon, 08 Jan 2018 11:55:12 +0000

List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

Hi Anthony On Sat, Jan 06, 2018 at 02:54:15PM -0800, Anthony Liguori wrote: > From: Anthony Liguori <aliguori@xxxxxxxxxx> > > CVE-2017-5754 is problematic for paravirtualized x86 domUs because it > appears to be very difficult to isolate the hypervisor's page tables > from PV domUs while maintaining ABI compatibility. Instead of trying > to make a KPTI-like approach work for Xen PV, it seems reasonable to > run a copy of Xen within an HVM (or PVH) domU to provide backwards > compatibility with guests as mentioned in XSA-254 [1]. > > This patch series adds a new mode to Xen called Vixen (Virtualized > Xen) which provides a PV-compatible interface while gaining > CVE-2017-5754 protection for the host provided by hardware > virtualization. Vixen supports running a single unprivileged PV > domain (a dom1) that is constructed by the dom0 domain builder. > > Please note the Xen page table configuration fundamental to the > current PV ABI makes it impossible for an operating system to mitigate > CVE-2017-5754 through mechanisms like Kernel Page Table Isolation > (KPTI). In order for an operating system to mitigate CVE-2017-5754 it > must run directly in a HVM or PVH domU. > > This series is very similar to the PVH series posted by Wei and we > have been discussing how to merge efforts. We were hoping to have > more time to work this out. I am posting this because I'm fairly > confident that this series is complete (all PV instances in EC2 are > using this) and others might find it useful. I also wanted to have > more of a discussion about the best way to merge and some of the > differences in designs. > > This series is also available at: > > git clone https://github.com/aliguori/xen.git vixen-upstream-v1 I do want to make the shim be able to run in both pvh and hvm mode (which doesn't seem to be too hard in practice). I suppose we need to: 1. Agree on the kconfig options. 2. Figure out what is needed for each mode and guard them accordingly. 3. Unify the implementation of hypercall forwarding and other internal code. I was sick last week so I'm a bit behind on everything (including the pvshim series, which has a lot of feedback now). I will read your series (v1, v2 and comments) shortly and hopefully I can figure out things by myself. Wei. _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxxxxxxxxx https://lists.xenproject.org/mailman/listinfo/xen-devel

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.