Re: [Xen-users] guest kernel clarifications
Thank you

On Mon, 20 Feb 2006 17:05:23 +0000
Mark Williamson <mark.williamson@xxxxxxxxxxxx> wrote:

> > In past Xen versions, setting a kernel to support privileged drivers or be a
> > privileged domain (0) was a kernel config. But driver domains are not
> > supported in Xen3 yet, as far as I understand.
>
> They'll be back soonish - probably in 3.0.2, I believe.
>
> > In Xen2, could a guest be booted with such a configured kernel but without
> > privileges because domain 0 did not tell the domain builder it was OK?
>
> Yes.
>
> > Someone recently told me in person that there was such a configuration.
> > i.e., it was not only the kernel configuration but some other domain
> > building flag and both were required to make it happen?
>
> Whether the guest knows how to access the privileged interfaces of Xen or
> drive real devices (these are set in the kernel config) is orthogonal to
> whether the guest is allowed to access those interfaces at runtime (these are
> part of the domain config).
>
> The domain building setting is the important one: an unprivileged domain just
> *can't* see or access the real devices, no matter what its kernel contains.
> A domain with device access is inherently more trusted.
>
> It's perfectly safe to use a dom0 kernel in a domU with no devices, and have
> Xen ensure the domU stays unprivileged.
>
> Cheers,
> Mark
>
> --
> Dave: Just a question. What use is a unicycle with no seat? And no pedals!
> Mark: To answer a question with a question: What use is a skateboard?
> Dave: Skateboards have wheels.
> Mark: My wheel has a wheel!
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users