On Wed, Jan 14, 2009 at 5:04 PM, Boyer, William <[email protected]> wrote:
> We are attempting to create a baseline for our z/VM system and one of the
> documents we are using states that DIAG98 should not be used and I would
> like to understand a little more about DIAG98.

Since part of your question was not answered yet...

The DIAG98 option allows the virtual machine to use absolute addresses in some of its I/O and thus bypass CP checking and address translation. You only want to put that trust into a virtual machine that is very well managed and runs software you trust. And it's a separate API, so the software must be aware of that to exploit it. The VM TCP/IP stack is one of those (and it even requires the option). But you don't give it to just anyone.

At some point there was discussion that Linux would be able to exploit it. Unlike with the VM TCP/IP stack, a Linux system could get compromised in that someone gets hold of root and in theory constructs some program that exploits the API to view and/or modify data in z/VM memory. You'll have to make the decision yourself. With the current networking options for Linux, I don't think DIAG98 is an issue anymore.

Rob
--
Rob van der Heij
Velocity Software
http://www.velocitysoftware.com/
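For the baseline itself, a small audit of the user directory source can list every virtual machine that holds DIAG98 outside an approved set. This is an added example, not part of the original post: the sample directory is constructed, the approved list is a hypothetical policy input, and the parser is a simplification that reads only entry headers plus `INCLUDE` and `OPTION` statements.

```python
# Constructed sample in USER DIRECT source form; passwords are placeholders.
SAMPLE_DIRECTORY = """\
* constructed sample, not a real system
PROFILE LNXDFLT
  OPTION DIAG98
USER TCPIP XXXXXXXX 128M 256M ABG
  OPTION QUICKDSP SVMSTAT MAXCONN 1024 DIAG98 APPLMON
USER LINUX01 XXXXXXXX 1G 2G G
  INCLUDE LNXDFLT
USER LINUX02 XXXXXXXX 1G 2G G
  OPTION QUICKDSP
USER LINUX03 XXXXXXXX 1G 2G G
  OPTION LNKNOPAS DIAG98
"""

ENTRY_KEYWORDS = {"USER", "IDENTITY", "PROFILE", "SUBCONFIG"}

def parse_directory(text):
    """Return {name: {"kind", "includes", "options"}} for each directory entry."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):      # blank line or comment
            continue
        words = line.upper().split()
        if words[0] in ENTRY_KEYWORDS and len(words) > 1:
            current = {"kind": words[0], "includes": [], "options": set()}
            entries[words[1]] = current
        elif current is not None and words[0] == "INCLUDE" and len(words) > 1:
            current["includes"].append(words[1])
        elif current is not None and words[0] == "OPTION":
            current["options"].update(words[1:])
    return entries

def unapproved_diag98(text, approved):
    """Map each non-profile entry holding DIAG98 outside `approved` to its source."""
    entries, found = parse_directory(text), {}
    for name, e in entries.items():
        if e["kind"] == "PROFILE" or name in approved:
            continue
        if "DIAG98" in e["options"]:
            found[name] = "own OPTION statement"
        for prof in e["includes"]:                # option inherited from a profile
            if "DIAG98" in entries.get(prof, {"options": ()})["options"]:
                found.setdefault(name, "profile " + prof)
    return found

if __name__ == "__main__":
    for name, src in sorted(unapproved_diag98(SAMPLE_DIRECTORY, {"TCPIP"}).items()):
        print(f"{name}: DIAG98 granted via {src}, not in approved list")
```

Checking included profiles matters because a guest can pick up the option without a DIAG98 operand ever appearing in its own entry.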
