First, my apologies. I thought I was replying privately to Bill, whom I knew from SHARE and VM Workshops. Maybe he doesn't remember me, but... I didn't think my question was really appropriate for a linux-390 listserv, but I must have fallen off of whatever the VM listserv is. I sometimes forget, when asked "reply to all or to sender", that "sender" means the list, and "all" means "original poster AND list", from which the list can then be deleted so as to reply only to the one who initiated the message.
I started my career programming banking applications in assembler, transitioned to performance analysis at the machine code level, then spent many years as a VM systems programmer (with a brief sidetrack converting local ASSEMBLER mods in JES2 to exits) from VM rel6+SE through zVM. I found and fixed one CP code bug that IBM vetted and then distributed as an APAR, as well as one microcode bug (in the B224 privop) by sitting at the machine console placing hard address stops on memory writes. It turned out, when I finally got the IBM rep to take my analysis, that IBM support already knew about it: the problem was that when it trapped as a privop, it did not serialize, so if one had a long-running instruction just before the B224, that would start executing in virtual address mode, then finish in real, causing a semi-random overlay in the nucleus, which some time later failed for not being a machine instruction. I know zVM virtualization, have run third-level machines, etc. I don't know Intel systems.

I want to start running virtualization at home, so I can simultaneously run Winblows, Linux, BSD and OpenSolaris, maybe a back-level Linux or some other specialized Linux, as well as play with the original Linux (Yggdrasil) and Windows 3.1. So containers won't do it. But all the documentation I have found is for people for whom C++ is as close as they come to the bare iron, or for those intimate with machine code. The former leaves me feeling "those trusting fools" and the latter leaves me lost. Maybe I am wrong, but from what little I know about Intel-based viruses (not Trojans), it seems that they will crack the hypervisor, not the guest. My social network of Linux sysprogs trustingly downloads VirtualBox templates and runs them without understanding.
The one security-conscious person I know (who is winblows only) installs a fresh copy of winblows from a thumbdrive for anything slightly risky (including receiving a USB drive from anybody, as he says that to mount a thumb drive, the OS executes code off of it, which could contain a virus) on isolated hardware. I'm hoping a good type 1, possibly Qubes, could be almost as good without all the reinstalls. I could fire up a read-only virtual machine, do whatever, then throw it away. Yes, I knew, sort of, about the original para-virtualizations, including when a few instructions didn't cause a state change so had to be searched for and replaced in memory, then later extensions to the hardware. Knew sort of, and dismissed virtualization as not worth it. Just recently read something about memory virtualization extensions (I think outside of the CPU?) that now allow some overcommitment of memory, since for decent performance, guest memory must be dedicated, like the old V=R area of 32-bit VM systems.

So I have questions like: can a hypervisor "pass through" a USB to a virtual machine without executing any code? On VM, at least in the old days, I could define an address as "undefined" to the hypervisor, pass it to the guest, and if it contained a virus, only the guest would be affected. Of course, IBM was smart enough not to just load code off of a random device and execute it in privileged mode. I can't believe that Intel developers are that naive. Maybe that is not true. So I want to understand Intel virtualization to try to guess how secure it can be made. It would be a lot easier and faster to learn how it works if it was explained in zVM terms (and compared with them).

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO LINUX-390 or visit http://www2.marist.edu/htbin/wlvindex?LINUX-390
