From: Daniel Arai <arai@vmware.com>
To: Andi Kleen <ak@suse.de>
Cc: virtualization@lists.osdl.org, Zachary Amsden <zach@vmware.com>,
Linus Torvalds <torvalds@osdl.org>,
Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Xen-devel <xen-devel@lists.xensource.com>,
Andrew Morton <akpm@osdl.org>, Dan Hecht <dhecht@vmware.com>,
Anne Holler <anne@vmware.com>,
Pratap Subrahmanyam <pratap@vmware.com>,
Christopher Li <chrisl@vmware.com>,
Joshua LeVasseur <jtl@ira.uka.de>, Chris Wright <chrisw@osdl.org>,
Rik Van Riel <riel@redhat.com>, Jyothy Reddy <jreddy@vmware.com>,
Jack Lo <jlo@vmware.com>, Kip Macy <kmacy@fsmware.com>,
Jan Beulich <jbeulich@novell.com>,
Ky Srinivasan <ksrinivasan@novell.com>,
Wim Coekaerts <wim.coekaerts@oracle.com>,
Leendert van Doorn <leendert@watson.ibm.com>
Subject: Re: [RFC, PATCH 1/24] i386 Vmi documentation II
Date: Wed, 22 Mar 2006 14:43:08 -0800 [thread overview]
Message-ID: <4421D2FC.7000903@vmware.com> (raw)
In-Reply-To: <200603222239.46604.ak@suse.de>
Andi Kleen wrote:
>>There was one other point I wanted to make but I forgot it now @)
>
>
> Ah yes the point was that since most of the implementations of the hypercalls
> likely need fast access to some per CPU state. How would you plan
> to implement that? Should it be covered in the specification?
I can explain how it works, but it's deliberately not part of the specification.
The whole point of the ROM layer is that it abstracts away the actual hypercall
mechanism for the guest, and the hypervisor can implement whatever is
appropriate for it. This layer allows a VMI guest to run on VMware's
hypervisor, as well as on top of Xen.
We reserve the top 64MB of linear address space for the hypervisor.
Part of this reserved space contains data structures that are shared by the VMI
ROM layer and the hypervisor. Simple VMI interface calls like "read CR 2" are
implemented by reading or writing data from this shared data structure, and
don't require a privilege level change. Things like page table updates go into
a queue in the shared area, so they can easily be batched and processed with
only one actual call into the hypervisor.
Because the guest can manipulate this data page directly, the hypervisor has to
treat any information in it as untrusted. This is similar to how the kernel has
to treat syscall arguments. Guest user code can't touch the shared area, so it
doesn't introduce any new kernel security holes. The guest kernel could
deliberately mess up the shared area contents, but guest kernel code could
corrupt any arbitrary (virtual) machine state anyway.
Because this level of interface is hidden from the guest, we can (and do) make
changes to it without changing VMI itself, or needing to recompile the guest.
We deliberately do not document it. A guest that adheres to the VMI interface
can move to new versions of the ROM/hypervisor interface (that implement the
same VMI interface) without changes.
Dan.
next prev parent reply other threads:[~2006-03-22 22:43 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <200603131759.k2DHxeep005627@zach-dev.vmware.com>
[not found] ` <20060313224902.GD12807@sorel.sous-sol.org>
2006-03-14 0:00 ` [RFC, PATCH 1/24] i386 Vmi documentation Zachary Amsden
2006-03-14 21:27 ` Chris Wright
[not found] ` <441743BD.1070108@vmware.com>
2006-03-15 2:57 ` Chris Wright
2006-03-15 5:44 ` Zachary Amsden
2006-03-15 22:56 ` Daniel Arai
2006-03-16 1:16 ` Chris Wright
2006-03-16 3:40 ` Eli Collins
2006-03-14 4:11 ` Rik van Riel
2006-03-22 20:05 ` Andi Kleen
2006-03-22 21:34 ` Chris Wright
2006-03-22 21:13 ` Andi Kleen
2006-03-22 21:57 ` Chris Wright
2006-03-23 0:06 ` Zachary Amsden
2006-03-22 21:39 ` [RFC, PATCH 1/24] i386 Vmi documentation II Andi Kleen
2006-03-22 22:43 ` Daniel Arai [this message]
2006-03-22 22:45 ` Zachary Amsden
2006-03-22 22:38 ` Andi Kleen
2006-03-22 23:54 ` Zachary Amsden
2006-03-22 23:37 ` Andi Kleen
2006-03-22 22:04 ` [RFC, PATCH 1/24] i386 Vmi documentation Zachary Amsden
2006-03-22 21:58 ` Andi Kleen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4421D2FC.7000903@vmware.com \
--to=arai@vmware.com \
--cc=ak@suse.de \
--cc=akpm@osdl.org \
--cc=anne@vmware.com \
--cc=chrisl@vmware.com \
--cc=chrisw@osdl.org \
--cc=dhecht@vmware.com \
--cc=jbeulich@novell.com \
--cc=jlo@vmware.com \
--cc=jreddy@vmware.com \
--cc=jtl@ira.uka.de \
--cc=kmacy@fsmware.com \
--cc=ksrinivasan@novell.com \
--cc=leendert@watson.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pratap@vmware.com \
--cc=riel@redhat.com \
--cc=torvalds@osdl.org \
--cc=virtualization@lists.osdl.org \
--cc=wim.coekaerts@oracle.com \
--cc=xen-devel@lists.xensource.com \
--cc=zach@vmware.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox