On Mon, Dec 11, 2017 at 12:45:34PM -0500, Jean-Philippe Ouellet wrote:
> Marmarek or HW42 could probably give you better answers, but the
> following is my understanding:
> 
> The terminology is admittedly somewhat confusing, especially since Xen
> people no longer talk about a discrete set of virt modes but it's now
> thought of as more of a "spectrum".
> 
> Right now (R4-rc3) we are using a mode where memory management is
> handled by hardware (SLAT), but QEMU is still involved in domain init
> and provides device models for VMs which don't use PV drivers. The
> goal in the future is to eliminate QEMU entirely, but this requires
> kernel support which AFAIK was deemed not mature enough the last time it
> was evaluated for use in Qubes. Various names have been used for this
> (and similar) virt mode at different points in time:
> PVH/PVHv2/HVMlite/etc. You can find more info on the Xen wiki and in
> various Xen developer summit presentation slides if you're so
> inclined.
> 
> The benefits to removing QEMU entirely are:
> 1) reduced attack surface (both because you can't exploit qemu to
> escalate privileges within the domain (relevant for VMs without
> passwordless sudo), as well as eliminating the PV hypervisor interface
> exposed to the *-dm domains)
> 2) decreased per-vm memory footprint (right now each running domain
> requires an additional ~140mb mem for its corresponding *-dm domain)
> 3) lower CPU overhead (right now each *-dm domain takes ~10-15% CPU,
> see #2849 [1], but even after fixing that there would still be some
> overhead)
> 
> Regards,
> Jean-Philippe
> 
> [1]: https://github.com/QubesOS/qubes-issues/issues/2849

is this a good enough write up to push this into qubes-doc.git so that
it doesn't get lost? :-)

+thanks for explaining, Jean-Philippe!


-- 
cheers,
        Holger
