On 08/06/15 14:38, Stefano Stabellini wrote:
>> Also device-mode/$domid/state is writable by QEMU so we can't trust
>> the content as indicator either.
> We can because the write happens before we unpause the guest

Only when creating the domain fresh. On resume, the guest has possibly had the chance to code-inject via the qemu save format. There are many CVEs in this area, and I am not willing to bet all of them are fixed. In XenServer, even loading VM state from the save file happens in the deprivileged environment.

~Andrew