On 2017-11-10 at 16:39:27 +0100, Paolo Bonzini wrote:
> On 04/11/2017 17:54, Paolo Bonzini wrote:
> > On 04/11/2017 01:12, Yi Zhang wrote:
> >>>
> >> Adding Ravi,
> >>
> >> Does anyone have further comments on current implementation, it is a
> >> important feature in our next generation chip-set.
On 2017-11-10 at 16:39:27 +0100, Paolo Bonzini wrote:
> On 04/11/2017 17:54, Paolo Bonzini wrote:
> > On 04/11/2017 01:12, Yi Zhang wrote:
> >>>
> >> Adding Ravi,
> >>
> >> Does anyone have further comments on current implementation, it is a
> >> important feature in our next generation chip-set.
On 04/11/2017 17:54, Paolo Bonzini wrote:
> On 04/11/2017 01:12, Yi Zhang wrote:
>>>
>> Adding Ravi,
>>
>> Does anyone have further comments on current implementation, it is a
>> important feature in our next generation chip-set.
>
> What matters is not the feature, but the use case; without a
On 04/11/2017 17:54, Paolo Bonzini wrote:
> On 04/11/2017 01:12, Yi Zhang wrote:
>>>
>> Adding Ravi,
>>
>> Does anyone have further comments on current implementation, it is a
>> important feature in our next generation chip-set.
>
> What matters is not the feature, but the use case; without a
On 04/11/2017 01:12, Yi Zhang wrote:
>>
> Adding Ravi,
>
> Does anyone have further comments on current implementation, it is a
> important feature in our next generation chip-set.
What matters is not the feature, but the use case; without a use case,
there is no point in including code for SPP
On 04/11/2017 01:12, Yi Zhang wrote:
>>
> Adding Ravi,
>
> Does anyone have further comments on current implementation, it is a
> important feature in our next generation chip-set.
What matters is not the feature, but the use case; without a use case,
there is no point in including code for SPP
On 2017-10-14 at 07:11:28 +0800, Zhang Yi wrote:
> From: Zhang Yi Z
>
> Hi All,
>
> Here is a patch-series which adding EPT-Based Sub-page Write Protection
> Support. You can get It's software developer manuals from:
>
>
On 2017-10-14 at 07:11:28 +0800, Zhang Yi wrote:
> From: Zhang Yi Z
>
> Hi All,
>
> Here is a patch-series which adding EPT-Based Sub-page Write Protection
> Support. You can get It's software developer manuals from:
>
>
On 2017-10-20 at 20:06:47 +0300, Mihai Donțu wrote:
> On Fri, 2017-10-20 at 16:47 +0800, Yi Zhang wrote:
> > Could you mind to provide more information and history about your
> > investigation?
>
> We are using VMI to secure certain parts of a guest kernel in memory
> (like prevent a certain data
On 2017-10-20 at 20:06:47 +0300, Mihai Donțu wrote:
> On Fri, 2017-10-20 at 16:47 +0800, Yi Zhang wrote:
> > Could you mind to provide more information and history about your
> > investigation?
>
> We are using VMI to secure certain parts of a guest kernel in memory
> (like prevent a certain data
On Fri, 2017-10-20 at 16:47 +0800, Yi Zhang wrote:
> On 2017-10-18 at 17:13:18 +0300, Mihai Donțu wrote:
> > On Wed, 2017-10-18 at 11:35 +0200, Paolo Bonzini wrote:
> > > On 16/10/2017 02:08, Yi Zhang wrote:
> > > > > And the introspection facility by Mihai uses a completely
> > > > > different
On Fri, 2017-10-20 at 16:47 +0800, Yi Zhang wrote:
> On 2017-10-18 at 17:13:18 +0300, Mihai Donțu wrote:
> > On Wed, 2017-10-18 at 11:35 +0200, Paolo Bonzini wrote:
> > > On 16/10/2017 02:08, Yi Zhang wrote:
> > > > > And the introspection facility by Mihai uses a completely
> > > > > different
On 2017-10-19 at 13:57:12 +0200, Paolo Bonzini wrote:
>
> I would leave out the ioctl without a use case. It's always tricky to
> add APIs without a user, as the risk of bit rot is high. But if
> somebody comes up with a matching useful patch for QEMU or kvmtool, it's
> fine.
That's fine,
On 2017-10-19 at 13:57:12 +0200, Paolo Bonzini wrote:
>
> I would leave out the ioctl without a use case. It's always tricky to
> add APIs without a user, as the risk of bit rot is high. But if
> somebody comes up with a matching useful patch for QEMU or kvmtool, it's
> fine.
That's fine,
On 2017-10-18 at 17:13:18 +0300, Mihai Donțu wrote:
> On Wed, 2017-10-18 at 11:35 +0200, Paolo Bonzini wrote:
> > On 16/10/2017 02:08, Yi Zhang wrote:
> > > > And the introspection facility by Mihai uses a completely
> > > > different API for the introspector, based on sockets rather than ioctls.
On 2017-10-18 at 17:13:18 +0300, Mihai Donțu wrote:
> On Wed, 2017-10-18 at 11:35 +0200, Paolo Bonzini wrote:
> > On 16/10/2017 02:08, Yi Zhang wrote:
> > > > And the introspection facility by Mihai uses a completely
> > > > different API for the introspector, based on sockets rather than ioctls.
On 18/10/2017 16:07, Yi Zhang wrote:
> On 2017-10-18 at 11:35:12 +0200, Paolo Bonzini wrote:
>>>
>>> Currently, We only block the write access, As far as I know an example,
>>> we now using it in a security daemon:
>>
>> Understood. However, I think QEMU is the wrong place to set this up.
>>
>>
On 18/10/2017 16:07, Yi Zhang wrote:
> On 2017-10-18 at 11:35:12 +0200, Paolo Bonzini wrote:
>>>
>>> Currently, We only block the write access, As far as I know an example,
>>> we now using it in a security daemon:
>>
>> Understood. However, I think QEMU is the wrong place to set this up.
>>
>>
On Wed, 2017-10-18 at 11:35 +0200, Paolo Bonzini wrote:
> On 16/10/2017 02:08, Yi Zhang wrote:
> > > And the introspection facility by Mihai uses a completely
> > > different API for the introspector, based on sockets rather than ioctls.
> > > So I'm not sure this is the right API at all.
> >
> >
On Wed, 2017-10-18 at 11:35 +0200, Paolo Bonzini wrote:
> On 16/10/2017 02:08, Yi Zhang wrote:
> > > And the introspection facility by Mihai uses a completely
> > > different API for the introspector, based on sockets rather than ioctls.
> > > So I'm not sure this is the right API at all.
> >
> >
On 2017-10-18 at 11:35:12 +0200, Paolo Bonzini wrote:
> >
> > Currently, We only block the write access, As far as I know an example,
> > we now using it in a security daemon:
>
> Understood. However, I think QEMU is the wrong place to set this up.
>
> If the kernel wants to protect _itself_,
On 2017-10-18 at 11:35:12 +0200, Paolo Bonzini wrote:
> >
> > Currently, We only block the write access, As far as I know an example,
> > we now using it in a security daemon:
>
> Understood. However, I think QEMU is the wrong place to set this up.
>
> If the kernel wants to protect _itself_,
On 2017-10-18 at 00:09:36 -0700, Christoph Hellwig wrote:
> > We introduced 2 ioctls to let user application to set/get subpage write
> > protection bitmap per gfn, each gfn corresponds to a bitmap.
> > The user application, qemu, or some other security control daemon. will set
> > the
On 2017-10-18 at 00:09:36 -0700, Christoph Hellwig wrote:
> > We introduced 2 ioctls to let user application to set/get subpage write
> > protection bitmap per gfn, each gfn corresponds to a bitmap.
> > The user application, qemu, or some other security control daemon. will set
> > the
On 16/10/2017 02:08, Yi Zhang wrote:
>> And the introspection facility by Mihai uses a completely
>> different API for the introspector, based on sockets rather than ioctls.
>> So I'm not sure this is the right API at all.
>
> Currently, We only block the write access, As far as I know an
On 16/10/2017 02:08, Yi Zhang wrote:
>> And the introspection facility by Mihai uses a completely
>> different API for the introspector, based on sockets rather than ioctls.
>> So I'm not sure this is the right API at all.
>
> Currently, We only block the write access, As far as I know an
> We introduced 2 ioctls to let user application to set/get subpage write
> protection bitmap per gfn, each gfn corresponds to a bitmap.
> The user application, qemu, or some other security control daemon. will set
> the protection bitmap via this ioctl.
> the API defined as:
> struct
> We introduced 2 ioctls to let user application to set/get subpage write
> protection bitmap per gfn, each gfn corresponds to a bitmap.
> The user application, qemu, or some other security control daemon. will set
> the protection bitmap via this ioctl.
> the API defined as:
> struct
Thanks for your quick response Paolo.
On 2017-10-13 at 17:13:25 -0400, Paolo Bonzini wrote:
>
> > I'll ask before Paolo does: Can you please add kvm-unit-tests to
> > exercise all of this new code?
>
> More specifically it should be the api/ unit tests because this code
> can only be triggered
Thanks for your quick response Paolo.
On 2017-10-13 at 17:13:25 -0400, Paolo Bonzini wrote:
>
> > I'll ask before Paolo does: Can you please add kvm-unit-tests to
> > exercise all of this new code?
>
> More specifically it should be the api/ unit tests because this code
> can only be triggered
Thanks for your review Jim.
On 2017-10-13 at 09:57:45 -0700, Jim Mattson wrote:
> I'll ask before Paolo does: Can you please add kvm-unit-tests to
> exercise all of this new code?
it is should be a API/ioctl tools rather than a kvm-unit-test. Actually,
I have prepared a draft version of tools
Thanks for your review Jim.
On 2017-10-13 at 09:57:45 -0700, Jim Mattson wrote:
> I'll ask before Paolo does: Can you please add kvm-unit-tests to
> exercise all of this new code?
it is should be a API/ioctl tools rather than a kvm-unit-test. Actually,
I have prepared a draft version of tools
> I'll ask before Paolo does: Can you please add kvm-unit-tests to
> exercise all of this new code?
More specifically it should be the api/ unit tests because this code
can only be triggered by specific code in the host.
However, as things stand I'm not sure about how userspace would use it.
> I'll ask before Paolo does: Can you please add kvm-unit-tests to
> exercise all of this new code?
More specifically it should be the api/ unit tests because this code
can only be triggered by specific code in the host.
However, as things stand I'm not sure about how userspace would use it.
I'll ask before Paolo does: Can you please add kvm-unit-tests to
exercise all of this new code?
BTW, what generation of hardware do we need to exercise this code ourselves?
On Fri, Oct 13, 2017 at 4:11 PM, Zhang Yi wrote:
> From: Zhang Yi Z
I'll ask before Paolo does: Can you please add kvm-unit-tests to
exercise all of this new code?
BTW, what generation of hardware do we need to exercise this code ourselves?
On Fri, Oct 13, 2017 at 4:11 PM, Zhang Yi wrote:
> From: Zhang Yi Z
>
> Hi All,
>
> Here is a patch-series which adding
36 matches
Mail list logo