From: George Dunlap <george.dunlap@citrix.com>
To: Andrew Cooper <andrew.cooper3@citrix.com>,
Julien Grall <julien@xen.org>,
Doug Goldstein <cardoe@cardoe.com>
Cc: Sergey Dyasli <sergey.dyasli@citrix.com>,
Stefano Stabellini <sstabellini@kernel.org>, Wei Liu <wl@xen.org>,
Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>,
Xen-devel <xen-devel@lists.xen.org>,
Jan Beulich <jbeulich@suse.com>,
Ian Jackson <Ian.Jackson@citrix.com>,
Daniel De Graaf <dgdegra@tycho.nsa.gov>
Subject: Re: [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests
Date: Mon, 13 Jan 2020 14:07:32 +0000 [thread overview]
Message-ID: <9c87e6fb-680d-de36-6c88-7758cc8ce125@citrix.com> (raw)
In-Reply-To: <ccfc3367-a622-ae1b-8b67-5336bbb19788@citrix.com>
On 1/13/20 2:01 PM, Andrew Cooper wrote:
> On 13/01/2020 13:39, Julien Grall wrote:
>> Hi George,
>>
>> Thank you for summarising the possibility. One question below.
>>
>> On 13/01/2020 12:51, George Dunlap wrote:
>>> 2. Block XENVER_extraversion at the hypervisor level. Leave xen_deny()
>>> as returning "<denied>", but replace "<denied>" with "" in hvmloader so
>>> it doesn't show up in the System Info and scare users.
>>>
>>> 3. Block XENVER_extraversion at the hypervisor level. Change xen_deny()
>>> to return a more benign string like "<hidden>". (Perhaps also filter it
>>> in hvmloader, just for good measure.)
>>
>> My knowledge of live migration on x86 is a bit limited, but if I
>> understand correctly those two options would require a guest to reboot
>> in order to pick up the changes. Am I correct?
>
> Not in the slightest. The content returned changes whenever the
> hypervisor changes.
I guess Julien is talking about the filtering done in hvmloader. That
filtering is about what's in the guest's ACPI tables; and *that* happens
only once at guest boot; so whatever the scary message is in the Windows
System Information page (or wherever it is) would stay there until the
guest reboots, regardless of which option we go with.
-George
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xenproject.org
https://lists.xenproject.org/mailman/listinfo/xen-devel
next prev parent reply other threads:[~2020-01-13 14:08 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-10 10:37 [Xen-devel] [PATCH v2] xsm: hide detailed Xen version from unprivileged guests Sergey Dyasli
2020-01-10 11:02 ` Andrew Cooper
2020-01-10 15:28 ` George Dunlap
2020-01-10 15:56 ` Jan Beulich
2020-01-10 16:45 ` Jürgen Groß
2020-01-10 17:00 ` George Dunlap
2020-01-11 3:55 ` Doug Goldstein
2020-01-11 9:35 ` George Dunlap
2020-01-13 11:01 ` Sergey Dyasli
2020-01-10 11:09 ` Jan Beulich
2020-01-11 4:02 ` Doug Goldstein
2020-01-11 9:02 ` George Dunlap
2020-01-12 18:26 ` Doug Goldstein
2020-01-13 12:51 ` George Dunlap
2020-01-13 13:39 ` Julien Grall
2020-01-13 14:01 ` Andrew Cooper
2020-01-13 14:07 ` George Dunlap [this message]
2020-01-13 14:28 ` Julien Grall
2020-01-13 14:40 ` Andrew Cooper
2020-01-14 10:19 ` Sergey Dyasli
2020-01-13 14:52 ` Julien Grall
2020-01-13 14:01 ` Ian Jackson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9c87e6fb-680d-de36-6c88-7758cc8ce125@citrix.com \
--to=george.dunlap@citrix.com \
--cc=Ian.Jackson@citrix.com \
--cc=andrew.cooper3@citrix.com \
--cc=cardoe@cardoe.com \
--cc=dgdegra@tycho.nsa.gov \
--cc=jbeulich@suse.com \
--cc=julien@xen.org \
--cc=konrad.wilk@oracle.com \
--cc=sergey.dyasli@citrix.com \
--cc=sstabellini@kernel.org \
--cc=wl@xen.org \
--cc=xen-devel@lists.xen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.