From: tgh <tianguanhua@ncic.ac.cn>
To: Mark Williamson <mark.williamson@cl.cam.ac.uk>
Cc: Derek.Murray@cl.cam.ac.uk, xen-devel@lists.xensource.com,
ruby young <yangyang@les.buaa.edu.cn>
Subject: Re: can I boot privileged dom like dom0 via xm create
Date: Sun, 29 Jun 2008 12:20:22 +0800 [thread overview]
Message-ID: <48670D86.9040302@ncic.ac.cn> (raw)
In-Reply-To: <200806181831.13559.mark.williamson@cl.cam.ac.uk>
hi
I am interested in this issue, and I wonder whether we could manage
dom0 in the xen architecture, that is, to boot dom0, to reboot it, to store
it, or restore it, while suspending domU in memory, through some domctl
whenever necessary, or could we develop some new hypercall to make it
work, or does the xen architecture have some inherent limit in itself and
have no compatibility with this potential augment? And why not, or
how to achieve it? Could someone give some advice on it?
Thanks in advance
Mark Williamson wrote:
> Ruby,
>
> Further to what Derek has said, I'd like to point out that what kernel you use
> never affects the privilege of the guest.
>
> All the -xen0 kernel name means is that the kernel /can/ do dom0 stuff. This
> is as opposed to a -xenU kernel, which has had the dom0 support removed from
> it. Removing the dom0 support in a xenU kernel is done /only to make the
> kernel smaller/. It doesn't have any effect on security or privilege.
>
> Actually, most distributions seem to now supply one -xen kernel that is used
> both in dom0 and domU.
>
> This is because, as Derek mentioned, Xen enforces the privileges of guests
> itself and doesn't have to trust their kernels. This is different to how
> User Mode Linux works, since in that system the kernel itself enforces the
> virtual machine boundaries. You can securely run any kernel you want in a
> domU - even one supplied by the user - because Xen will contain it.
>
> Cheers,
> Mark
>
>
>> At present, there is no way to do this with xm. In the hypervisor,
>> each struct domain has an is_privileged attribute (which is at present
>> only set when dom0 is created at boot). You could add a domctl to
>> control the setting of this bit, and then write a small C program that
>> uses do_domctl from libxc to set the privilege on a domain.
>>
>> However, simply running two privileged domains with parallel sets of
>> Xen tools is unlikely to work, for example because you will end up
>> with two instances of XenStore.
>>
>> Regards,
>>
>> Derek Murray.
>>
>> 2008/6/13 ruby young <yangyang@les.buaa.edu.cn>:
>>
>>> Hi all,
>>> I'm using vmlinuz-2.6.18-xen0 as domU kernel and I boot it via xm
>>> create. But the kernel didn't panic, it's running but all of xen tools
>>> can not work. I am surprised at this.
>>> Now my question is whether I can boot a privileged dom like dom0 via xm
>>> create? And how can I do it?
>>> I am looking forward to your suggestions.
>>>
>>> Best wishes
>>>
>>> Ruby Young
>>>
>>> --
>>> Yang Yang (杨漾)
>>> Institute of Computer Architecture, School of Computer Science,
>>> Beihang University
>>> Tel: 010-82338059-132
>>> Email: 9907yruby@gmail.com
>>> Address: Room 1026, Building G, New Main Building, Beihang University,
>>> 37 Xueyuan Road, Haidian District, Beijing
>>> --
>>> Yang Yang
>>> Institute of Computer Architecture and System
>>> BeiHang University (BUAA)
>>> Tel: (86-10) 82338059-132
>>> Email: 9907yruby@gmail.com
>>> Addr: Room 1026, Building G, The New Main Building, 37 Xueyuan Rd., Haidian
>>> District, Beijing 100083, PRC
>>> _______________________________________________
>>> Xen-devel mailing list
>>> Xen-devel@lists.xensource.com
>>> http://lists.xensource.com/xen-devel
>>>
>
>
>
>
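The point Mark and Derek make above, that privilege is a bit in the hypervisor's own struct domain and is checked by the hypervisor on every domctl regardless of which kernel the guest booted, can be shown with a small model. The code below is an added example written for this thread; it is not Xen's source. The struct, the IS_PRIV() check and the domctl dispatcher are simplified stand-ins for the real ones, DOMCTL_pausedomain is used only as a placeholder for any existing privileged operation, and DOMCTL_setprivilege is the hypothetical command Derek proposes, here guarded so that only an already-privileged caller can use it.

```c
#include <errno.h>    /* EPERM, ESRCH, EINVAL: the errno values Xen hypercalls return negated */
#include <stdint.h>
#include <string.h>

typedef uint16_t domid_t;

/* Simplified per-domain record (a stand-in for Xen's struct domain). The only
 * field that matters here is is_privileged: the hypervisor sets it when it
 * creates dom0 at boot, and no guest can write it. */
struct domain {
    domid_t     domain_id;
    int         is_privileged;
    const char *kernel;   /* informational only: which kernel image the guest booted */
};

#define MAX_DOMAINS 8
static struct domain domains[MAX_DOMAINS];
static int ndomains;

/* Modelled after the IS_PRIV() macro: it consults hypervisor state only. */
#define IS_PRIV(d) ((d)->is_privileged)

/* pausedomain: placeholder for any existing privileged operation.
 * setprivilege: hypothetical command that sets is_privileged on a target. */
enum domctl_cmd { DOMCTL_pausedomain = 1, DOMCTL_setprivilege = 2 };

struct domctl {
    enum domctl_cmd cmd;
    domid_t         domain;   /* target domain id */
    int             value;    /* new is_privileged value for setprivilege */
};

static void reset_domains(void) { memset(domains, 0, sizeof domains); ndomains = 0; }

static struct domain *domain_create(domid_t id, const char *kernel, int privileged)
{
    if (ndomains >= MAX_DOMAINS) return NULL;
    struct domain *d = &domains[ndomains++];
    d->domain_id = id;
    d->kernel = kernel;
    d->is_privileged = privileged;
    return d;
}

static struct domain *get_domain_by_id(domid_t id)
{
    for (int i = 0; i < ndomains; i++)
        if (domains[i].domain_id == id) return &domains[i];
    return NULL;
}

/* Model of the hypervisor's domctl entry point. 'current' is the domain that
 * issued the hypercall. The privilege check runs first and looks only at the
 * caller's struct domain, never at the kernel it happens to be running. */
int do_domctl(struct domain *current, const struct domctl *op)
{
    if (!IS_PRIV(current))
        return -EPERM;

    struct domain *d = get_domain_by_id(op->domain);
    if (d == NULL)
        return -ESRCH;

    switch (op->cmd) {
    case DOMCTL_pausedomain:
        return 0;                        /* the pause itself is not modelled */
    case DOMCTL_setprivilege:
        d->is_privileged = (op->value != 0);
        return 0;
    default:
        return -EINVAL;
    }
}

/* Ruby's situation: a domU booted with the -xen0 kernel via xm create. Its
 * domctls fail with -EPERM because is_privileged was never set for it. */
int scenario_domu_running_xen0_kernel(void)
{
    reset_domains();
    domain_create(0, "vmlinuz-2.6.18-xen0", 1);   /* dom0, created at boot */
    struct domain *domu = domain_create(1, "vmlinuz-2.6.18-xen0", 0);
    struct domctl op = { DOMCTL_pausedomain, 0, 0 };
    return do_domctl(domu, &op);
}

/* Derek's suggestion with the guard a practitioner would insist on: dom0 (already
 * privileged) flips the bit on domU, after which domU's own domctls succeed. */
int scenario_dom0_grants_privilege(void)
{
    reset_domains();
    struct domain *dom0 = domain_create(0, "vmlinuz-2.6.18-xen0", 1);
    struct domain *domu = domain_create(1, "vmlinuz-2.6.18-xen0", 0);
    struct domctl grant = { DOMCTL_setprivilege, 1, 1 };
    if (do_domctl(dom0, &grant) != 0) return -1;
    struct domctl op = { DOMCTL_pausedomain, 0, 0 };
    return do_domctl(domu, &op);
}

/* A domU cannot grant privilege to itself: the same check stops it with -EPERM. */
int scenario_domu_grants_itself(void)
{
    reset_domains();
    domain_create(0, "vmlinuz-2.6.18-xen0", 1);
    struct domain *domu = domain_create(1, "vmlinuz-2.6.18-xen0", 0);
    struct domctl grant = { DOMCTL_setprivilege, 1, 1 };
    return do_domctl(domu, &grant);
}
```

The three scenarios return -EPERM, 0 and -EPERM respectively. The kernel string is carried only to make the point visible: both domains boot the same -xen0 image and the dispatcher never reads it. Note also that Derek's second caveat, two privileged domains each running its own XenStore and toolstack, is not something the hypervisor check addresses; the model only shows where the privilege decision is made.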
Thread overview: 7+ messages
2008-06-13 8:53 can I boot privileged dom like dom0 via xm create ruby young
2008-06-13 10:02 ` Derek Murray
2008-06-18 17:31 ` Mark Williamson
2008-06-19 16:49 ` ruby young
2008-06-20 0:48 ` Mark Williamson
2008-06-29 4:20 ` tgh [this message]
2008-06-29 10:23 ` Daniel Stodden