On 10/01/2018 02:12 PM, Andrew Cooper wrote:
> On 01/10/18 12:13, Jan Beulich wrote:
>>>>> On 01.10.18 at 11:58, <sergey.dya...@citrix.com> wrote:
>>> Having the allocator return unscrubbed pages is a potential security
>>> concern: some domain can be given pages with memory contents of another
>>> domain. This may happen, for example, if a domain voluntarily releases
>>> its own memory (ballooning being the easiest way for doing this).
>> And we've always said that in this case it's the domain's responsibility
>> to scrub the memory of secrets it cares about. Therefore I'm at the
>> very least missing some background on this change of expectations.
> 
> You were on the call when this was discussed, along with the synchronous
> scrubbing in destroydomain.
> 
> Put simply, the current behaviour is not good enough for a number of
> security sensitive use cases.
> 
> The main reason however for doing this is the optimisations it enables,
> and in particular, not double scrubbing most of our pages.

All of that should have been in the changelog, at least in summary form,
regardless of where else it may have been discussed.

 -George


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
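The concern raised at the top of the thread (a domain releasing a page and a later allocation handing that page, contents intact, to another domain) and the "double scrubbing" point can be shown with a small model. The following is an added example written for this page; it is not code from the thread, from Xen's allocator, or from the patch under discussion. It assumes a toy page pool with a per-page "dirty" bit recording whether the page may still hold a previous owner's data (that bit, the 64-byte page size and the sample secret string are all constructed for the illustration). `free_page(..., scrub_on_free=true)` stands in for the synchronous scrub on domain destruction, `free_page(..., false)` for a ballooned-out page, and `alloc_page(scrub_on_alloc)` for an allocator that either returns pages as-is or scrubs only pages still flagged dirty.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 64   /* toy page size; real pages are 4 KiB */
#define NR_PAGES  4

/* One pool page plus the bookkeeping this toy allocator needs.
 * The "dirty" bit is an assumption made for this illustration: it
 * records whether the page may still hold a previous owner's data. */
struct page {
    uint8_t data[PAGE_SIZE];
    bool in_use;
    bool dirty;
};

static struct page pool[NR_PAGES];
static unsigned scrub_count;    /* number of memset() scrubs performed */

static void pool_reset(void)
{
    memset(pool, 0, sizeof(pool));
    scrub_count = 0;
}

static void scrub_page(struct page *pg)
{
    memset(pg->data, 0, PAGE_SIZE);
    pg->dirty = false;
    scrub_count++;
}

/* Free a page. scrub_on_free models synchronous scrubbing (the
 * destroy-domain path mentioned in the thread); otherwise the page is
 * only flagged dirty (the ballooning path, where a guest released it). */
void free_page(int idx, bool scrub_on_free)
{
    struct page *pg = &pool[idx];
    pg->in_use = false;
    pg->dirty = true;
    if (scrub_on_free)
        scrub_page(pg);
}

/* Allocate a page. scrub_on_alloc = false models "the allocator returns
 * unscrubbed pages"; true scrubs a page only if its dirty bit is set,
 * so a page already scrubbed on free is not scrubbed a second time. */
int alloc_page(bool scrub_on_alloc)
{
    for (int i = 0; i < NR_PAGES; i++) {
        if (pool[i].in_use)
            continue;
        if (scrub_on_alloc && pool[i].dirty)
            scrub_page(&pool[i]);
        pool[i].in_use = true;
        return i;
    }
    return -1;
}

/* Domain A writes a secret, balloons the page out (no scrub), and
 * domain B receives the same page. Returns true if B can read the secret. */
bool secret_leaks(bool scrub_on_alloc)
{
    static const char secret[] = "domain-A-private-key-material";  /* constructed sample */
    pool_reset();
    int a = alloc_page(scrub_on_alloc);
    memcpy(pool[a].data, secret, sizeof(secret));
    free_page(a, false);                     /* ballooned out: lazy, unscrubbed */
    int b = alloc_page(scrub_on_alloc);      /* next owner gets the same page */
    return b == a && memcmp(pool[b].data, secret, sizeof(secret)) == 0;
}

/* Count scrubs for a scrub-on-free followed by an allocation. With the
 * dirty bit the page is scrubbed once; without it, it would be twice. */
unsigned scrubs_for_free_then_alloc(void)
{
    pool_reset();
    int a = alloc_page(true);
    free_page(a, true);          /* synchronous scrub on free clears dirty */
    (void)alloc_page(true);      /* dirty is clear, so no second scrub */
    return scrub_count;
}

int main(void)
{
    printf("unscrubbed allocator leaks secret: %s\n", secret_leaks(false) ? "yes" : "no");
    printf("dirty-tracking allocator leaks secret: %s\n", secret_leaks(true) ? "yes" : "no");
    printf("scrubs for scrub-on-free then alloc: %u\n", scrubs_for_free_then_alloc());
    return 0;
}
```

The first call shows the leak the thread describes: nothing in the release-then-reallocate path touches the page, so the guest's only protection is scrubbing the page itself before giving it up. The second shows the alternative position in the thread, where the allocator never hands out a dirty page. The third shows why the per-page state matters for the optimisation argument: a page that was already scrubbed synchronously on free is not scrubbed again on allocation.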
