>>> On 18.05.17 at 20:09, <sstabell...@kernel.org> wrote:
> On Mon, 15 May 2017, Wei Liu wrote:
>> On Sat, May 13, 2017 at 10:28:27AM +0800, Zhongze Liu wrote:
>> > Stefano wrote:
>> > "I think that in your scenario Xen (the hypervisor) wouldn't allow the
>> > first domain to be completely destroyed because it knows that its
>> > memory is still in use by something else in the system. The domain
>> > remains in a zombie state until the memory is not used anymore. We need
>> > to double-check this, but I don't think it will be a problem."
>> This has security implications -- a rogue guest can prevent the
>> destruction of the owner.
> We are going to use the same underlying hypervisor infrastructure, the
> end result should be no different than sharing memory via grant table
> from a security perspective. If not, then we need to fix Xen.
Yes and no. Improper use of grant table interfaces can lead to
this problem too. There the requirement is that all memory is
always owned (and granted foreign access to) by the frontend
drivers. I.e. there's a certain level of trust that backends behave
themselves. Similarly page ownership and direction of trust need
to be considered (and perhaps written down) here.
Xen-devel mailing list