From: Joerg Roedel <joerg.roedel@amd.com>
To: Alexander Graf <agraf@suse.de>
Cc: "kvm@vger.kernel.org" <kvm@vger.kernel.org>,
	"joro@8bytes.org" <joro@8bytes.org>,
	"anthony@codemonkey.ws" <anthony@codemonkey.ws>,
	"avi@qumranet.com" <avi@qumranet.com>
Subject: Re: [PATCH 7/9] Add VMRUN handler v3
Date: Thu, 25 Sep 2008 19:37:46 +0200
Message-ID: <20080925173746.GB27928@amd.com>
In-Reply-To: <319028FA-B559-44C0-BA7C-0A1AD96CDA52@suse.de>

On Thu, Sep 25, 2008 at 07:32:55PM +0200, Alexander Graf wrote:
> >This is a big security hole. With this we give the guest access to its
> >own VMCB. The guest can take over or crash the whole host machine by
> >rewriting its VMCB. We should be more selective what we save in the
> >hsave area.
> 
> Oh, right. I didn't even think of a case where the nested guest would
> have access to the hsave of itself. Since the hsave can never be used
> twice on one vcpu, we could just allocate our own memory for the hsave
> in the vcpu context and leave the nested hsave empty.

I think we could also gain performance by only saving the important
parts of the VMCB and not the whole page.

Joerg

-- 
           |           AMD Saxony Limited Liability Company & Co. KG
 Operating |         Wilschdorfer Landstr. 101, 01109 Dresden, Germany
 System    |                  Register Court Dresden: HRA 4896
 Research  |              General Partner authorized to represent:
 Center    |             AMD Saxony LLC (Wilmington, Delaware, US)
           | General Manager of AMD Saxony LLC: Dr. Hans-R. Deppe, Thomas McCoy

