After upgrading Kernel to 5.1.4/release on an x86_64 server, Xen 4.12.0 Dom0 
successfully boots in PVH mode (dom0=pvh ...), with efi vars available so that 
efibootmgr functions,

        xl list
                Name                                        ID   Mem VCPUs      State   Time(s)
                Domain-0                                     0  4015     4     r-----     847.6
                Xenstore                                     1    31     1     -b----       0.0

        dmesg | grep -i pvh
                [    0.181973] Booting paravirtualized kernel on Xen PVH

        efibootmgr
                BootCurrent: 0000
                Timeout: 1 seconds
                BootOrder: 0000,0002,0003
                Boot0000* xensvr HD(2,GPT,9711255e-d11d-31c5-88fe-1e164d4d4c95,0x1000,0x96000)/File(\EFI\OPENSUSE\GRUBX64.EFI)
                Boot0002* UEFI OS       HD(2,GPT,9711255e-d11d-31c5-88fe-1e164d4d4c95,0x1000,0x96000)/File(\EFI\BOOT\BOOTX64.EFI)..BO
                Boot0003* UEFI: Built-in EFI Shell      VenMedia(5126c8dc-e6a4-b3e9-a119-cf41345c9754)..BO

From

        https://xenproject.org/2018/07/10/xen-project-hypervisor-4-11-brings-cleaner-architecture-to-hypervisor-core-technologies/

I understand that PVH Dom0 *removes* qemu dependency,

        "PVH Dom0 Reduces the Attack Surface of Xen Project Based Systems

        PVH combines the best of PV and HVM mode to simplify the interface between operating systems with Xen Project Support and the Xen Project Hypervisor and to reduce the attack surface of Xen Project Software. PVH guests are lightweight HVM guests that use hardware virtualization support for memory and privileged instructions. PVH does not require QEMU.

        Xen Project 4.11 adds experimental PVH Dom0 support by calling Xen via dom0=pvh on the command line. Running a PVH Dom0 removes approximately 1 million lines of QEMU code from Xen Project’s computing base shrinking the attack surface of Xen Project based systems."

Checking, qemu is still resident,

        ps ax | grep qemu
                1895 ?        Sl     0:00 /usr/bin/qemu-system-i386 -xen-domid 0 -xen-attach -name dom0 -nographic -M xenpv -daemonize -monitor /dev/null -serial /dev/null -parallel /dev/null -nodefaults -no-user-config -pidfile /var/run/xen/qemu-dom0.pid

Is this still expected?

If so, why the *i386* variant, not /usr/bin/qemu-system-x86_64?

If not, is there some additional config required to disable its use here?


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
