[Gllug] performance of xen dom0 vs native linux

Richard Jones rich at annexia.org
Sun May 10 20:51:43 UTC 2009


On Sun, May 10, 2009 at 08:32:48PM +0100, Nix wrote:
> On 9 May 2009, Richard Jones said:
> > Have they solved the terrible security problems with VT-d yet?
> 
> ?

The security issues with handing out devices to guests that you don't
trust are legion.  The three main ones are: the guest can set PCI bus
parameters to values which lock up the bus, effectively crashing the
whole PC.  The guest can do things which lock up the hardware (usually
because of bugs in the hardware that we try hard to hide when writing
normal device drivers).  The big one is that guests can flash any BIOS
extension EPROMs on the peripheral.  The trojaned BIOS code runs
completely unprotected in Ring 0 the next time the machine is booted,
and can basically do anything such as installing rootkits, overwriting
any block on disk etc.

So it's all good fun.  Just don't enable it for your customers'
virtual machines.

Have they fixed these problems with VT-d?  I don't know.

> (Is this why it's off by default in BIOSes?)

I've had a machine which can do VT-d sitting under my desk for over a
year, and I've never tried it out.  So I don't even know if the BIOS
has a toggle for it ...

Rich.

-- 
Richard Jones
Red Hat
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
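The mail above lists three risks of handing a PCI device to an untrusted guest (bus lock-ups, hardware hangs, and reflashing the card's option ROM) and asks whether VT-d helps. The checks below are an added example written for this archive page; they are not Richard Jones's code and not part of any Xen or Linux tool. They read the sysfs layout Linux exposes on a real host: `/sys/kernel/iommu_groups/<n>/devices/<bdf>` exists only when an IOMMU (VT-d or AMD-Vi) is active, and `/sys/bus/pci/devices/<bdf>/rom` exists when the device carries an expansion (option) ROM. The sysfs root is a parameter so the same functions run against a constructed sample tree; the device addresses and group layout in `build_sample_sysfs` are made up for the demonstration, not captured from real hardware.

```python
"""Pre-flight checks before assigning a PCI device to a guest.

Added example, not from the original mail.  Assumes the standard Linux
sysfs layout:
  <root>/kernel/iommu_groups/<n>/devices/<bdf>  -> IOMMU active, device grouped
  <root>/bus/pci/devices/<bdf>/rom               -> device has an expansion ROM
"""
import os
import tempfile


def iommu_active(sysfs_root="/sys"):
    """True when the kernel has at least one IOMMU group, i.e. DMA isolation
    for guests is possible at all."""
    groups = os.path.join(sysfs_root, "kernel", "iommu_groups")
    return os.path.isdir(groups) and bool(os.listdir(groups))


def iommu_groups(sysfs_root="/sys"):
    """Map IOMMU group number -> sorted list of PCI addresses in that group."""
    groups = os.path.join(sysfs_root, "kernel", "iommu_groups")
    result = {}
    if not os.path.isdir(groups):
        return result
    for entry in os.listdir(groups):
        devs = os.path.join(groups, entry, "devices")
        if os.path.isdir(devs):
            # On a real host the entries are symlinks; listdir works either way.
            result[int(entry)] = sorted(os.listdir(devs))
    return result


def has_expansion_rom(bdf, sysfs_root="/sys"):
    """True when sysfs exposes an option ROM for the device (the thing the
    mail warns an untrusted guest could reflash)."""
    return os.path.exists(os.path.join(sysfs_root, "bus", "pci", "devices", bdf, "rom"))


def passthrough_findings(bdf, sysfs_root="/sys"):
    """Return human-readable findings relevant to assigning `bdf` to a guest.
    An empty list means none of the checks here fired."""
    findings = []
    if not iommu_active(sysfs_root):
        findings.append("no IOMMU active: guest DMA is unrestricted on this host")
    # Everything in the same IOMMU group is isolated together, so assigning
    # one member effectively exposes its group peers to the guest as well.
    peers = []
    for devs in iommu_groups(sysfs_root).values():
        if bdf in devs:
            peers = [d for d in devs if d != bdf]
            break
    if peers:
        findings.append("shares IOMMU group with: " + ", ".join(peers))
    if has_expansion_rom(bdf, sysfs_root):
        findings.append("device exposes an expansion ROM (option ROM)")
    return findings


def build_sample_sysfs(root):
    """Constructed sample tree (hypothetical addresses, not real hardware)."""
    layout = {
        0: ["0000:00:1c.0", "0000:03:00.0"],  # NIC grouped with its root port
        1: ["0000:01:00.0"],                  # GPU alone in its group
    }
    roms = {"0000:01:00.0"}                   # only the GPU carries an option ROM
    for group, devs in layout.items():
        for bdf in devs:
            os.makedirs(os.path.join(root, "kernel", "iommu_groups", str(group), "devices", bdf))
            dev_dir = os.path.join(root, "bus", "pci", "devices", bdf)
            os.makedirs(dev_dir, exist_ok=True)
            if bdf in roms:
                open(os.path.join(dev_dir, "rom"), "w").close()


def demo():
    """Run the checks against the constructed tree; returns findings per device."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_sysfs(root)
        return {bdf: passthrough_findings(bdf, root)
                for bdf in ("0000:01:00.0", "0000:03:00.0")}


def demo_no_iommu():
    """Same check on a tree with no iommu_groups directory at all."""
    with tempfile.TemporaryDirectory() as root:
        return passthrough_findings("0000:03:00.0", root)


if __name__ == "__main__":
    for bdf, findings in demo().items():
        print(bdf, findings or ["no findings"])
    print("host without IOMMU:", demo_no_iommu())
```

Run it as-is to see the sample results, or call `passthrough_findings("0000:03:00.0")` on a real host to read the live sysfs. Note what the checks do and do not cover: an active IOMMU constrains the guest's DMA, and the group listing tells you which other devices ride along, but neither addresses the option ROM point in the mail, which is why a device with an expansion ROM is only flagged for the operator to decide on rather than treated as safe or unsafe here.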
