Re: [Xen-devel] create shadow pages
2010/11/5 Tim Deegan <Tim.Deegan@xxxxxxxxxx>
If I put the security code out-of-vm, the overhead is not satisfactory.
Otherwise I use the SPT to obtain the security effect, and the overhead is also small. I would disable EPT. When putting the security code in-vm, I further use the VT-d technology, CR3_TARGET_LIST, to decrease the overhead. As we know, when processes switch, CR3 is updated, which traps into Xen and brings a lot of overhead. But after we write the value of CR3 into the CR3_TARGET_LIST, it would not trap into Xen when processes switch. So I would create another address space to put the security code in and put the address of its shadow page into CR3_TARGET_LIST. (When you have time, please take a look at the paper in the attachment, thx.)
Do you mean that when the HVM domain is created, its shadow page for the kernel is already built? I thought the SPT is empty at first, but when we access the kernel space, the SPT entry is built for it. Am I right?
- all you need to do is modify guest_walk_tables to add the
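The CR3-target behaviour discussed in this message, as an added example that is not part of the original post or of Xen's code: a small C model of the Intel VT-x rule that a guest MOV to CR3 causes a VM exit only when "CR3-load exiting" is set and the written value is not among the first n CR3-target values. The struct, function names and CR3 values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CR3_TARGET_MAX 4 /* the VMCS defines four CR3-target value fields */

/* Simplified model of the VMCS fields involved (struct name is hypothetical). */
struct vmcs_model {
    bool     cr3_load_exiting;   /* "CR3-load exiting" execution control */
    uint32_t cr3_target_count;   /* only the first n values are compared */
    uint64_t cr3_target[CR3_TARGET_MAX];
};

/* True when a guest MOV to CR3 with this value causes a VM exit. */
bool mov_to_cr3_exits(const struct vmcs_model *v, uint64_t value)
{
    if (!v->cr3_load_exiting)
        return false;
    for (uint32_t i = 0; i < v->cr3_target_count && i < CR3_TARGET_MAX; i++)
        if (v->cr3_target[i] == value)
            return false;        /* listed value: the write completes in the guest */
    return true;
}

/* Append a value to the list; fails once all slots are used. */
bool add_cr3_target(struct vmcs_model *v, uint64_t value)
{
    if (v->cr3_target_count >= CR3_TARGET_MAX)
        return false;
    v->cr3_target[v->cr3_target_count++] = value;
    return true;
}

/* Count the VM exits produced by a sequence of CR3 writes. */
unsigned count_exits(const struct vmcs_model *v, const uint64_t *trace, size_t n)
{
    unsigned exits = 0;
    for (size_t i = 0; i < n; i++)
        exits += mov_to_cr3_exits(v, trace[i]);
    return exits;
}

/* Constructed trace: two process roots, with switches into 0x3000 (security space). */
static const uint64_t sample_trace[] = { 0x1000, 0x3000, 0x2000, 0x3000, 0x1000, 0x3000 };

int main(void)
{
    struct vmcs_model v = { .cr3_load_exiting = true };
    printf("empty list: %u exits\n", count_exits(&v, sample_trace, 6));
    add_cr3_target(&v, 0x3000);
    printf("0x3000 listed: %u exits\n", count_exits(&v, sample_trace, 6));
    return 0;
}
```

Only four slots exist in this model, so every other CR3 value still exits to the hypervisor.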