
Re: [Xen-devel] [PATCH v4 00/10] Nested VMX: Add virtual EPT & VPID support to L1 VMM



Nakajima, Jun writes ("Re: [Xen-devel] [PATCH v4 00/10] Nested VMX: Add virtual EPT & VPID support to L1 VMM"):
> I agree that the feature does or can expose a richer attack surface
> for guests today. We need to set "nestedhvm" in the config ('false'
> by default) for each guest, to turn on the feature, as far as I
> know. I don't think we need a global switch like a boot parameter
> for Xen at this point.

Yes, but my point was whether the "nestedhvm" switch is sufficient.
As I understand it nestedhvm with virtual EPT provides a richer attack
surface than without.  So the question is whether we should provide a
switch to disable virtual EPT while leaving nestedhvm enabled.

Ian.
