Re: [Xen-devel] [PATCH v5 23/28] xsplice: Stacking build-id dependency checking.

2016-04-08 Thread Jan Beulich
>>> On 08.04.16 at 18:15, wrote:
> On 04/04/2016 09:01 PM, Konrad Rzeszutek Wilk wrote:
>> I was all for "old_code to check against" but that would incur quite a lot
>> of implementation. The 'stacking' (suggested by Martin) is much easier
>> to implement. I am hoping that in next major milestone

Re: [Xen-devel] [PATCH v5 23/28] xsplice: Stacking build-id dependency checking.

2016-04-08 Thread Ross Lagerwall
On 04/04/2016 09:01 PM, Konrad Rzeszutek Wilk wrote: On Mon, Apr 04, 2016 at 09:00:00AM -0600, Jan Beulich wrote: On 24.03.16 at 21:00, wrote: @@ -929,6 +932,33 @@ being loaded and requires an hypervisor build-id to match against. The old code allows much more flexibility and an additional

Re: [Xen-devel] [PATCH v5 23/28] xsplice: Stacking build-id dependency checking.

2016-04-06 Thread Jan Beulich
>>> Konrad Rzeszutek Wilk 04/06/16 10:05 PM >>> >> > --- a/xen/include/xen/version.h >> > +++ b/xen/include/xen/version.h >> > @@ -17,4 +17,7 @@ const char *xen_deny(void); >> > #include >> > int xen_build_id(const void **p, unsigned int *len); >> > >> > +#include >> > +int xen_build_id_chec

Re: [Xen-devel] [PATCH v5 23/28] xsplice: Stacking build-id dependency checking.

2016-04-06 Thread Konrad Rzeszutek Wilk
> > --- a/xen/include/xen/version.h > > +++ b/xen/include/xen/version.h > > @@ -17,4 +17,7 @@ const char *xen_deny(void); > > #include > > int xen_build_id(const void **p, unsigned int *len); > > > > +#include > > +int xen_build_id_check(const Elf_Note *n, const void **p, unsigned int > > *l
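Review bot: the new xen_build_id_check() prototype added to xen/include/xen/version.h carries no comment, so a caller cannot tell from the header what is checked on the Elf_Note passed in as n or what is written through p and the length pointer. Since this exports a helper that other code will call with notes it did not build itself, add a short comment above the declaration stating the return convention (what success and each failure look like) and whether *p points into the note or at a copy.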

Re: [Xen-devel] [PATCH v5 23/28] xsplice: Stacking build-id dependency checking.

2016-04-05 Thread Jan Beulich
>>> On 04.04.16 at 22:01, wrote: > On Mon, Apr 04, 2016 at 09:00:00AM -0600, Jan Beulich wrote: >> >>> On 24.03.16 at 21:00, wrote: >> > @@ -929,6 +932,33 @@ being loaded and requires an hypervisor build-id to >> > match against. >> > The old code allows much more flexibility and an additional

Re: [Xen-devel] [PATCH v5 23/28] xsplice: Stacking build-id dependency checking.

2016-04-04 Thread Konrad Rzeszutek Wilk
On Mon, Apr 04, 2016 at 09:00:00AM -0600, Jan Beulich wrote: > >>> On 24.03.16 at 21:00, wrote: > > @@ -929,6 +932,33 @@ being loaded and requires an hypervisor build-id to > > match against. > > The old code allows much more flexibility and an additional guard, > > but is more complex to imple

Re: [Xen-devel] [PATCH v5 23/28] xsplice: Stacking build-id dependency checking.

2016-04-04 Thread Jan Beulich
>>> On 24.03.16 at 21:00, wrote: > @@ -929,6 +932,33 @@ being loaded and requires an hypervisor build-id to > match against. > The old code allows much more flexibility and an additional guard, > but is more complex to implement. > > +The second option which requires an build-id of the hyperv
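Review bot: in the added documentation line "+The second option which requires an build-id of the hyperv", "an build-id" should read "a build-id". The unchanged context line at the top of the hunk has the same slip ("requires an hypervisor build-id") and could be corrected in the same patch, since this paragraph is being extended anyway.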

[Xen-devel] [PATCH v5 23/28] xsplice: Stacking build-id dependency checking.

2016-03-24 Thread Konrad Rzeszutek Wilk
We now expect that the ELF payloads be built with the --build-id. Also the .xsplice.deps section has to have the contents of the hypervisor (or a preceding payload) build-id. We already have the code to verify the Elf_Note build-id so export parts of it. This dependency means the hypervisor MUST