On 24 December 2015 08:00:01 GMT+00:00, Dragos Ruiu <d...@kyx.net> wrote: >Returning back to the discussion where I suggested it would be nice to >build >OS kernels that would fail deliberately when virtualized to close off >that >class of malware, especially on the new Intel Skylake chips that have >fixed >so many virtualization bugs that they can (reportedly) run VT inside VT >and >nest virtualization so efficiently you can virtualize ridiculous >numbers of >VMs even inside each other, with so little overhead and few >virtualization >artifacts that they are nearly undetectable when virtualized. There are at least two issues here.
First, some of us *want* to run OpenBSD in a virtualised environment, so there would have to be multiple code paths/sysctl to deal with this. Also, what you're asking for is very x86 specific. Second, it is simply not true that virtualisation is nearly undetectable. This is of course a moving target, but I'd be amazed if close examination of processor features made a VM undetectable. Mostly VMs go out of their way to let the guest OS know they're running in a VM, so paravirtual drivers can be used. The virtualised hardware has a passing relation to actual hardware. Taking the easy way out, insist on any server hardware being based on Nehalem or later chipsets, and you'd immediately block the use of Xen, KVM, and probably most other VMs. Until reasonably recently, a Xen HVM domU features a modern (post pentium 3) processor attached to a 440BX chipset. This is, of course, non existent in the real world. There are many, many other quirks that identify VMs, they do not make a serious effort to hide their presence. PK -
