From mboxrd@z Thu Jan 1 00:00:00 1970 From: tgh Subject: Re: can I boot privilleged dom like dom0 via xm create Date: Sun, 29 Jun 2008 12:20:22 +0800 Message-ID: <48670D86.9040302@ncic.ac.cn> References: <4046dbfd0806130153s32bc7297l7d66ce7b6b3aa40a@mail.gmail.com> <617dbaa80806130302t29ff550dm6845b8f6829e5589@mail.gmail.com> <200806181831.13559.mark.williamson@cl.cam.ac.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: quoted-printable Return-path: In-Reply-To: <200806181831.13559.mark.williamson@cl.cam.ac.uk> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xensource.com Errors-To: xen-devel-bounces@lists.xensource.com To: Mark Williamson Cc: Derek.Murray@cl.cam.ac.uk, xen-devel@lists.xensource.com, ruby young List-Id: xen-devel@lists.xenproject.org hi I am interested in this issue, and I wonder wether we could manage=20 dom0 in xen architecture, that is ,to boot dom0, to reboot it ,to store=20 it ,or restore it ,while suspending domU in memory ,through some domctl=20 whenever necessary, or could we develop some new hypercall to make it=20 work ,or does xen architecture have some inherent limit in itself and=20 have no compatibility with this potential augment? and why not or=20 how to achieve it , could some one give some advise on it Thanks in advance =20 =20 Mark Williamson =E5=86=99=E9=81=93: > Ruby, > > Further to what Derek has said, I'd like to point out that what kernel = you use=20 > never affects the privilege of the guest. > > All the -xen0 kernel name means is that the kernel /can/ do dom0 stuff.= This=20 > is as opposed to a -xenU kernel, which has had the dom0 support removed= from=20 > it. Removing the dom0 support in a xenU kernel is done /only to make t= he=20 > kernel smaller/. It doesn't have any effect on security or privilege. > > Actually, most distributions seem to now supply one -xen kernel that is= used=20 > both in dom0 and domU. > > This is because, as Derek mentioned, Xen enforces the privileges of gue= sts=20 > itself and doesn't have to trust their kernels. This is different to h= ow=20 > User Mode Linux works, since in that system the kernel itself enforces = the=20 > virtual machine boundaries. You can securely run any kernel you want i= n a=20 > domU - even one supplied by the user - because Xen will contain it. > > Cheers, > Mark > > =20 >> At present, there is no way to do this with xm. In the hypervisor, >> each struct domain has an is_privileged attribute (which is at present >> only set when dom0 is created at boot). You could add a domctl to >> control the setting of this bit, and then write a small C program that >> uses do_domctl from libxc to set the privilege on a domain. >> >> However, simply running two privileged domains with parallel sets of >> Xen tools is unlikely to work, for example because you will end up >> with two instances of XenStore. >> >> Regards, >> >> Derek Murray. >> >> 2008/6/13 ruby young : >> =20 >>> Hi all, >>> I'm using vmlinuz-2.6.18-xen0 as domU kernel and I boot it via xm >>> create. But the kernel didn't panic, it's running but all of xen tool= s >>> can not work. I am surprised at this. >>> Now My question whether I can boot privilleged dom like dom0 via = xm >>> create ? and how can I do it? >>> I am looking forwards to your suggestions. >>> >>> Best wishes >>> >>> Ruby Young >>> >>> ---------------------------------------------------------------------= ---- >>> ---------------------------------------------------------------------= ----- >>> ------------------------------------------------ =E6=9D=A8=E6=BC=BE >>> =E5=8C=97=E4=BA=AC=E8=88=AA=E7=A9=BA=E8=88=AA=E5=A4=A9=E5=A4=A7=E5=AD= =A6=E8=AE=A1=E7=AE=97=E6=9C=BA=E5=AD=A6=E9=99=A2=E4=BD=93=E7=B3=BB=E7=BB=93= =E6=9E=84=E7=A0=94=E7=A9=B6=E6=89=80 >>> =E7=94=B5=E8=AF=9D:010-82338059-132 >>> =E9=82=AE=E4=BB=B6:9907yruby@gmail.com >>> =E5=9C=B0=E5=9D=80=EF=BC=9A=E5=8C=97=E4=BA=AC=E5=B8=82=E6=B5=B7=E6=B7= =80=E5=8C=BA=E5=AD=A6=E9=99=A2=E8=B7=AF37=E5=8F=B7=E5=8C=97=E4=BA=AC=E8=88= =AA=E7=A9=BA=E8=88=AA=E5=A4=A9=E5=A4=A7=E5=AD=A6=E6=96=B0=E4=B8=BB=E6=A5=BC= G=E5=BA=A71026 >>> ---------------------------------------------------------------------= ---- >>> ------- Yang Yang >>> Institute of Computer Architecture and System >>> BeiHang University=EF=BC=88BUAA=EF=BC=89 >>> Tel: (86-10)82338059-132 >>> Email: 9907yruby@gmail.com >>> Addr: Room 1026,Building G,The New Main Building,37# Xueyuan Rd.,Haid= ian >>> District, Beijing 100083, PRC >>> _______________________________________________ >>> Xen-devel mailing list >>> Xen-devel@lists.xensource.com >>> http://lists.xensource.com/xen-devel >>> =20 > > > > =20