On Sunday, 10/31/2021 at 02:52 GMT, "CAREY SCHUG" <[email protected]> wrote:

> I don't know intel systems. I want to start running virtualization at home. So
> I can simultaneously run Winblows, linux, BSD and open Solaris. Maybe a back
> level linux, or some other specialized linux, as well as play with the original
> linux (yggdrasyl) and windows 3.1. So containers won't do it.

Carey, I would suggest you look for a group focused on x86 virtualization to get their recommendations. They may suggest switching your "first level" OS to get the best result. Dunno.

> Maybe I am wrong, but from what little I know about intel based viruses (not
> Trojans), it seems that they will crack the hypervisor, not the guest. My
> social network of linux sysprogs trustingly downloads virtualbox templates and
> runs them without understanding.

Several years ago I remember hearing of exploitation of a weakness in an x86-based hypervisor to act as a "sapper", drilling down through the hypervisor and coming up into another guest. I expect that of new hypervisors. It doesn't matter if it's type 1 or type 2. If you haven't been building hypervisors for 50 years, you're going to make some mistakes. That's the human element of the equation.

> So I have questions like can a hypervisor "pass through" a usb to a virtual
> machine without executing any code? On VM, at least in the old days, I could
> define an address as "undefined" to the hypervisor, pass it to the guest and if
> it contained a virus, only the guest would be affected. Of course, IBM was
> smart enough to not just load code off of a random device and execute it in
> privileged mode. I can't believe that Intel developers are that naive. Maybe
> that is not true.
>
> So I want to understand Intel virtualization to try to guess how secure it can
> be made. It would be a lot easier and faster to learn how it works, if it was
> explained in zVM terms (and compared with).

The Intel architecture book I referenced in my previous post is your friend. To quote from volume 3:

"Virtual-machine extensions [VMX] define processor-level support for virtual machines on IA-32 processors. Two principal classes of software are supported:

• Virtual-machine monitors (VMM) — A VMM acts as a host and has full control of the processor(s) and other platform hardware. A VMM presents guest software (see next paragraph) with an abstraction of a virtual processor and allows it to execute directly on a logical processor. A VMM is able to retain selective control of processor resources, physical memory, interrupt management, and I/O. [This is the hypervisor.]

• Guest software — Each virtual machine (VM) is a guest software environment that supports a stack consisting of operating system (OS) and application software. Each operates independently of other virtual machines and uses the same interface to processor(s), memory, storage, graphics, and I/O provided by a physical platform. The software stack acts as if it were running on a platform with no VMM. Software executing in a virtual machine must operate with reduced privilege so that the VMM can retain control of platform resources."

I think you would also be interested in Intel Virtualization Technology for Directed I/O Architecture Specification. It describes virtual I/O in more detail.

Like we have on IBM Z, VMX supports
- Emulation. That's the function that lets VM minidisks work.
- Simulation. That's the function that gives you virtual unit record devices.
- Assignment. This is like dedicating a disk or tape drive to a VM guest.
- Sharing. This is like dedicating different subchannels on an OSA or FCP adapter, or virtual functions on a PCI adapter, to multiple guests.

That's all in the architecture. To the extent that any particular VMM (hypervisor) supports all of the capabilities is a different conversation.

Alan Altmark
Senior Managing z/VM and Linux Consultant
IBM Systems Lab Services
IBM Z Delivery Practice
ibm.com/systems/services/labservices
office: 607.429.3323
mobile: 607.321.7556
[email protected]
IBM Endicott

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO LINUX-390 or visit
http://www2.marist.edu/htbin/wlvindex?LINUX-390
