On 25.09.2008, at 19:37, Joerg Roedel wrote:

On Thu, Sep 25, 2008 at 07:32:55PM +0200, Alexander Graf wrote:
This is a big security hole. With this we give the guest access to its
own VMCB. The guest can take over or crash the whole host machine by
rewriting its VMCB. We should be more selective what we save in the
hsave area.

Oh, right. I didn't even think of a case where the nested guest would
have access to the hsave of itself. Since the hsave can never be used
twice on one vcpu, we could just allocate our own memory for the hsave
in the vcpu context and leave the nested hsave empty.

I think we could also gain performance by only saving the important
parts of the VMCB and not the whole page.

Is copying one page really that expensive? Is there any accelerated function available for that that copies it with SSE or so? :-)

Alex



Joerg

--
          |           AMD Saxony Limited Liability Company & Co. KG
Operating |         Wilschdorfer Landstr. 101, 01109 Dresden, Germany
System    |                  Register Court Dresden: HRA 4896
Research  |              General Partner authorized to represent:
Center    |             AMD Saxony LLC (Wilmington, Delaware, US)
| General Manager of AMD Saxony LLC: Dr. Hans-R. Deppe, Thomas McCoy
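
The design point discussed in this thread, as an added example that is not part of the original messages or of the KVM code: a toy C model in which the saved host state either sits at a guest-supplied address or in host-private memory in the vcpu context. The struct layout, field names and function names are hypothetical, and the guest write is a constructed stand-in.

```c
#include <stdint.h>
#include <string.h>

#define PAGE 4096
/* Toy stand-in for a one-page VMCB; field names are hypothetical. */
struct vmcb { uint64_t intercepts; uint64_t nested_cr3; uint8_t pad[PAGE - 16]; };

struct vcpu {
    struct vmcb live;            /* state the host runs the guest with */
    uint8_t guest_mem[4 * PAGE]; /* memory the guest can read and write */
    uint64_t hsave_gpa;          /* guest-chosen host-save address */
    struct vmcb private_hsave;   /* host-only copy in the vcpu context */
};

/* Weak variant: the whole VMCB is saved at the guest-supplied address. */
static void save_weak(struct vcpu *v) {
    memcpy(v->guest_mem + v->hsave_gpa, &v->live, sizeof v->live);
}
static void restore_weak(struct vcpu *v) {
    memcpy(&v->live, v->guest_mem + v->hsave_gpa, sizeof v->live);
}

/* Hardened variant: the guest's hsave page is left untouched. */
static void save_private(struct vcpu *v)    { v->private_hsave = v->live; }
static void restore_private(struct vcpu *v) { v->live = v->private_hsave; }

/* Constructed guest action: overwrite the page at hsave_gpa. */
static void guest_overwrites_hsave(struct vcpu *v) {
    memset(v->guest_mem + v->hsave_gpa, 0, sizeof(struct vmcb));
}

/* Returns 1 if host-controlled fields survive a nested save/restore. */
int host_state_survives(int use_private) {
    static struct vcpu v;
    memset(&v, 0, sizeof v);
    v.live.intercepts = 0xffffffffu;   /* constructed sample values */
    v.live.nested_cr3 = 0x1000;
    v.hsave_gpa = PAGE;
    if (use_private) save_private(&v); else save_weak(&v);
    guest_overwrites_hsave(&v);
    if (use_private) restore_private(&v); else restore_weak(&v);
    return v.live.intercepts == 0xffffffffu && v.live.nested_cr3 == 0x1000;
}

int main(void) {
    return (host_state_survives(0) == 0 && host_state_survives(1) == 1) ? 0 : 1;
}
```
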

