Hi Jan,

On Tue, Jan 16, 2018 at 08:21:52AM -0700, Jan Beulich wrote:
> This is a very simplistic change limiting the amount of memory a running
> 64-bit PV guest has mapped (and hence available for attacking): Only the
> mappings of stack, IDT, and TSS are being cloned from the direct map
> into per-CPU page tables.

Can this be used with Comet/Vixen to further protect PV guests? i.e.
if the shim hypervisor has these changes then will it also limit
what a process in the PV guest can see in that shim hypervisor,
which therefore protects its own guest kernel a bit too?

Thanks,
Andy

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
