Re: [Xen-devel] [PATCH RFC v1 00/74] Run PV guest in PVH container

On Wed, Jan 10, 2018 at 04:26:07PM +0000, George Dunlap wrote:
> On Thu, Jan 4, 2018 at 1:05 PM, Wei Liu <wei.liu2@xxxxxxxxxx> wrote:
> > Hi all
> >
> > This is a patch series to run a PV guest inside a PVH container. The series
> > is still in a very RFC state. We're aware that some code is not very clean
> > yet and we are in the process of cleaning things up.
> >
> > The series can be found at:
> >
> > https://xenbits.xen.org/git-http/people/liuw/xen.git wip.pvshim-rfc-v1
> >
> > The basic idea can be found at page 15 of the slides at [0].
> >
> > This is a mitigation against one of the CPU vulnerabilities disclosed
> > recently. This series makes it possible to continue running untrusted PV
> > guests. Please refer to XSA-254 [1] for more information.
> >
> > Given the embargo lifted and vulnerabilities disclosed, we opt to develop
> > openly on xen-devel. Feedback and testing are very welcome.
> >
> > The series is split into three parts: the first part is for the host that
> > runs the shim, the second part is for the shim itself, the third part is
> > for toolstack patches (not yet fully working). See the markers in the list
> > of patches.
> >
> > Instructions on using the PV shim:
> >
> > 1. Git clone the branch and configure as one normally would.
> > 2. A xen-shim binary would be built and installed into Xen's firmware
> >    directory, alongside hvmloader and co.
> > 3. Use the hacky way currently provided in the first part of the series to
> >    boot a PV guest inside a PVH container:
> >    a. Append type='pvh' in your PV guest config file;
> >    b. Export two environment variables so that libxl knows where to find
> >       the shim and what to add to the shim's command line option.
> >       # export LIBXL_PVSHIM_PATH=$PATH_TO_XEN_SHIM
> >       # export LIBXL_PVSHIM_CMDLINE="pv-shim console=xen,pv loglvl=all guest_loglvl=all apic_verbosity=debug e820-verbose sched=null"
> > 4. xl create -c guest.cfg
> >
> > You should be able to see some Xen messages first and then guest kernel
> > messages (the console= shim parameter is required).
> >
> > Known issues:
> >
> > 1. The ARM build and some Clang builds are broken by this series.
> > 2. The host will see a lot of over-allocation messages, nothing too harmful,
> >    and this will be fixed once the toolstack is ready.
> >
> > Wei.
> >
> > [0] https://www.slideshare.net/xen_com_mgr/xpdds17-keynote-towards-a-configurable-and-slimmer-x86-hypervisor-wei-liu-citrix
> > [1] https://xenbits.xen.org/xsa/advisory-254.html
> >
> > # Patches for the host:
> >
> > 448f56a363 x86/svm: Offer CPUID Faulting to AMD HVM guests as well
> > 6a78c9ae33 x86: Common cpuid faulting support
> > 05844fec44 x86/upcall: inject a spurious event after setting upcall vector
> > fc7a48dd74 tools/libxc: initialise hvm loader elf log fd to get more logging
> > 522c9cbaf0 tools/libxc: remove extraneous newline in xc_dom_load_acpi
> > bd6b572b32 tools/libelf: fix elf notes check for PVH guest
> > 449b932b0c tools/libxc: Multi modules support
> > cc6dbdc0c1 libxl: Introduce hack to allow PVH mode to add a shim
> >
> > # Patches for the shim:
> >
> [snip]
> > 7dbc3f25f6 xen/x86: report domain id on cpuid
>
> This is a host (L0) patch, isn't it?

Yes it is.

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
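Added example, not part of this thread or the Xen tree: a POSIX shell preflight check for the manual shim setup described in the instructions above, so a misconfigured host fails before `xl create` rather than with a silent guest. It assumes the two LIBXL_PVSHIM_* variables named in the mail and a plain xl config file containing a type='pvh' line.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the hacky libxl PV-shim
# hook before creating the guest.  Assumes LIBXL_PVSHIM_PATH points at the
# xen-shim binary and LIBXL_PVSHIM_CMDLINE holds the shim command line, as
# in the instructions in the mail.

# check_pvshim_setup CONFIG_FILE
# Returns 0 when the environment looks usable, 1 otherwise, printing one
# diagnostic per problem found.
check_pvshim_setup() {
    cfg="$1"
    rc=0

    # 1. The shim binary must exist; libxl loads it from LIBXL_PVSHIM_PATH.
    if [ -z "$LIBXL_PVSHIM_PATH" ]; then
        echo "LIBXL_PVSHIM_PATH is not set" >&2; rc=1
    elif [ ! -f "$LIBXL_PVSHIM_PATH" ]; then
        echo "shim binary not found: $LIBXL_PVSHIM_PATH" >&2; rc=1
    fi

    # 2. The shim command line must select pv-shim mode and, as the mail
    #    notes, carry a console= setting or guest output is not visible.
    case " $LIBXL_PVSHIM_CMDLINE " in
        *" pv-shim "*) ;;
        *) echo "LIBXL_PVSHIM_CMDLINE lacks 'pv-shim'" >&2; rc=1 ;;
    esac
    case "$LIBXL_PVSHIM_CMDLINE" in
        *console=*) ;;
        *) echo "LIBXL_PVSHIM_CMDLINE lacks 'console='" >&2; rc=1 ;;
    esac

    # 3. The guest must be declared as type='pvh' for the hack to engage.
    if [ ! -r "$cfg" ]; then
        echo "cannot read guest config: $cfg" >&2; rc=1
    elif ! grep -Eq "^[[:space:]]*type[[:space:]]*=[[:space:]]*['\"]pvh['\"]" "$cfg"; then
        echo "guest config $cfg does not set type='pvh'" >&2; rc=1
    fi

    return $rc
}

# Usage, after exporting the two variables:
#   check_pvshim_setup guest.cfg && xl create -c guest.cfg
```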