On Tue, Jan 16, 2018 at 05:28:40PM +0000, Andy Smith wrote:
> Hi Jan,
>
> On Tue, Jan 16, 2018 at 08:21:52AM -0700, Jan Beulich wrote:
> > This is a very simplistic change limiting the amount of memory a running
> > 64-bit PV guest has mapped (and hence available for attacking): Only the
> > mappings of stack, IDT, and TSS are being cloned from the direct map
> > into per-CPU page tables.
>
> Can this be used with Comet/Vixen to further protect PV guests? i.e.
> if the shim hypervisor has these changes then will it also limit
> what a process in the PV guest can see in that shim hypervisor,
> which therefore protects its own guest kernel a bit too?
>
Yes, but please be warned that the guest is very very slow. I don't think
XPTI + shim is very usable at this stage.

If you're interested in trying that out, check out the staging branch and
build a shim from there.

Wei.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel