On Sun, Dec 04, 2016 at 11:19:41PM -0800, Vít Šesták wrote:
> I am interested in the implications of using HVMs. I know about the
> introduced need of some CPU features, some changes under-the-hood and
> potentially better compatibility. But I am interested in some others:
>
> 1. What will change about performance and memory-usage
> characteristics? I believe there will be just small (and maybe even
> positive) performance difference for CPU/RAM-related tasks. The
> difference for I/O will probably be rather low if any. There might be
> some differences for PCI latency, but I am unsure about them. Start of
> a VM will probably take slightly longer, because of the need of the
> stubdom. RAM usage will be also somewhat (how much?) higher because of
> the stubdom.

Your intuition is right. As for memory usage, stubdomain uses about 50MB,
so not that much...

> 2. Security implications. When an attacker has a QEMU 0day, HVM fails as
> a counter-measure against PV-related vulnerabilities. In such a case,
> the attack scenario is even larger (both PV-only and HVM-only Xen
> vulnerabilities can be used).

We'll make this stubdomain as limited as possible, but still, some things
are unavoidable.

> I remember you mentioned an idea about
> killing the stubdom in an early phase of the boot (probably even
> before mounting /rw), which would somehow mitigate some (most?)
> attacks. As a nice side-effect, it would also lower the memory usage.
> What's the current state of this countermeasure?

That would be nice indeed, but we haven't tried it yet.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?