On 2012-06-07 11:55, Abel Gordon wrote:
> Security holes: not if you are OK with the threat model we describe in the
> paper

Back to this: I don't get your threat model completely. How should the
guest be able to manipulate the shadow IDT if we a) mark it read-only in
the host's page table that maps the guest physical memory and b) prevent
via the IOMMU that any assigned devices can address this page via DMA?

But even if we consider the IDT unsafe, what does that IDT limiting buy
us? The guest can still mask interrupts above that limit via cli, no?
Also, unless I misunderstood your suggestions, I wouldn't try to run
normal interrupt handlers in NMI context. That's asking for lots of
trouble or lots of code changes.

So the only measures that save us from CPU hogging guests are the
preemption timer and kicking via NMI. Or what am I missing?

Jan
