XenServer Security & Performance with SMAP and PML on Intel® Xeon®

10:17 PM

The Intel Xeon processor E5-2600 v4 product family has arrived, and among its many advantages there are two features I want to highlight: SMAP and PML support.

I have not blogged about this before, but with the introduction of the new Xeon E5 processors, this is the ideal time to highlight what the Citrix XenServer team has been working on.

So what is SMAP, and why should I care?

SMAP, or Supervisor Mode Access Prevention, is a new CPU capability that makes life much harder for attackers looking to take advantage of software bugs. One example of where it helps is with para-virtualized (PV) guest VMs running on a Xen-based hypervisor such as XenServer (you can learn about Xen at XenProject.org). Hypothetically, if a bug in Xen allowed a PV guest to change a pointer so that Xen followed it into memory the guest controls, the guest could exploit that bug to take control of Xen.

What SMAP does is provide a hardware-enforced control against this class of attack: with SMAP enabled, Xen cannot access memory controlled by a PV guest except where such access is genuinely required by a particular function. In those cases, logic is added to temporarily disable SMAP for the authorized access (the stac and clac instructions set and clear the EFLAGS.AC flag, which suspends SMAP for the duration of the copy), so any other access to guest memory from within Xen faults instead of silently succeeding.
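To make the rule concrete, here is an added example (my own illustrative C model, not Xen or Intel code) of the check SMAP applies and of the two ways a hypercall handler can touch guest memory. The hardware rule it models is the documented one: with CR4.SMAP set, a supervisor-mode (ring 0) data access to a user-accessible page faults unless EFLAGS.AC is set, and stac/clac set and clear AC. Because a 64-bit PV guest kernel runs in ring 3, all of that guest's memory is mapped as user-accessible pages, which is why the rule catches Xen following a guest pointer. The names `buggy_hypercall` and `copy_from_guest_hypercall` are hypothetical; the latter follows the stac, copy, clac pattern that Xen's guest-copy helpers use. `cpu_has_smap` is the one part that touches real hardware: it reads CPUID leaf 7, EBX bit 20 on x86 and returns -1 elsewhere.

```c
/* Added example: a model of the SMAP access rule, not Xen or Intel code.
 * Rule (Intel SDM): with CR4.SMAP = 1, a supervisor-mode data access to a
 * user-accessible page (U/S = 1) raises #PF unless EFLAGS.AC = 1; stac
 * sets AC and clac clears it. A 64-bit PV guest's memory is mapped with
 * U/S = 1 because the guest kernel runs in ring 3, so this is exactly the
 * rule that stops Xen (ring 0) following a guest-controlled pointer. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Real hardware check: CPUID.(EAX=7,ECX=0):EBX bit 20 is SMAP.
 * Returns 1/0 on x86, -1 on other architectures. */
int cpu_has_smap(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d;
    if (!__get_cpuid_count(7, 0, &a, &b, &c, &d))
        return 0;
    return (int)((b >> 20) & 1u);
#else
    return -1;
#endif
}

/* The pieces of CPU state the rule depends on. */
struct cpu_state {
    bool cr4_smap;   /* SMAP enabled in CR4 */
    bool eflags_ac;  /* set by stac, cleared by clac */
    bool cpl0;       /* true while the hypervisor (ring 0) runs */
};

/* A page with its U/S bit and a little content (constructed). */
struct page {
    bool user;       /* U/S = 1: user-accessible, as all 64-bit PV guest memory is */
    uint8_t data[16];
};

enum access_result { ACCESS_OK = 0, ACCESS_PAGE_FAULT = 1 };

/* The check the CPU applies to every supervisor data access. */
enum access_result smap_check(const struct cpu_state *cpu, const struct page *pg)
{
    if (cpu->cpl0 && pg->user && cpu->cr4_smap && !cpu->eflags_ac)
        return ACCESS_PAGE_FAULT;
    return ACCESS_OK;
}

static void stac(struct cpu_state *cpu) { cpu->eflags_ac = true; }
static void clac(struct cpu_state *cpu) { cpu->eflags_ac = false; }

/* Hypothetical buggy handler: dereferences a guest pointer directly.
 * Before SMAP this silently read whatever the guest pointed at. */
enum access_result buggy_hypercall(struct cpu_state *cpu,
                                   const struct page *guest_pg, uint8_t *out)
{
    enum access_result r = smap_check(cpu, guest_pg);
    if (r == ACCESS_OK)
        *out = guest_pg->data[0];
    return r;
}

/* The authorized pattern (what Xen's guest-copy helpers do): open the
 * window with stac, copy, and close it again with clac. */
enum access_result copy_from_guest_hypercall(struct cpu_state *cpu,
                                             const struct page *guest_pg,
                                             uint8_t *out)
{
    stac(cpu);
    enum access_result r = smap_check(cpu, guest_pg);
    if (r == ACCESS_OK)
        *out = guest_pg->data[0];
    clac(cpu);
    return r;
}

int main(void)
{
    struct cpu_state cpu = { .cr4_smap = true, .eflags_ac = false, .cpl0 = true };
    struct page guest = { .user = true, .data = { 0x42 } };   /* constructed */
    uint8_t v = 0;

    printf("this CPU reports SMAP: %d\n", cpu_has_smap());
    printf("buggy handler, SMAP on:     %s\n",
           buggy_hypercall(&cpu, &guest, &v) ? "#PF" : "ok");
    printf("stac/clac handler, SMAP on: %s (read 0x%02x)\n",
           copy_from_guest_hypercall(&cpu, &guest, &v) ? "#PF" : "ok", v);
    cpu.cr4_smap = false;
    printf("buggy handler, SMAP off:    %s\n",
           buggy_hypercall(&cpu, &guest, &v) ? "#PF" : "ok");
    return 0;
}
```

The point the model makes is the one that matters for the hypercall analysis below: the same direct dereference that used to succeed on a pre-SMAP CPU now faults, while the explicitly authorized copy still works and leaves the AC window closed afterwards.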

Citrix and Intel have always had a close, cooperative working relationship, and Xen's support for SMAP is no exception. Intel contributed the SMAP code to the Xen Project; it is now part of Xen 4.6, and XenServer has included it in the latest Technical Preview (TP3) release.

Citrix carried out an analysis of potentially vulnerable hypercalls, and the results did flag one such vulnerability. In this case the hypercall was not proven to be exploitable in practice, but the value of SMAP support in Xen was clearly demonstrated, and SMAP will therefore be enabled by default in the next XenServer release, to protect against precisely this type of attack.

In the example above, the hypercall in question was restricted to Dom0, so it could not have been used by an unprivileged guest domain; and, as it happens, the SMAP violation has since been fixed.

PML and its impact on operations like XenMotion

During live migration of a guest VM from one host to another, Xen has to copy all of the VM's memory from the source host while the VM is running. Of course, because the VM is still running, it will keep writing to memory pages as we copy. XenServer handles this by tracking the pages that have already been copied, so that we can determine whether the VM has written to them since and, if so, flag them as "dirty". Those pages are then copied to the destination host again in the next stage of the live migration (all of which XenMotion does transparently for the administrator).

PML, or Page Modification Logging, is a new CPU capability that reduces the runtime overhead of tracking dirty guest pages. It does this by tracking dirty pages in hardware rather than in software within the Xen hypervisor: instead of Xen write-protecting pages and taking a trap on the first write to each one, the CPU records the guest-physical address of each newly dirtied page in a log buffer and only exits to the hypervisor when that buffer fills up. The time taken in the final phase of the migration, when the VM is paused for the final memory copy to ensure that no further pages can be dirtied, is unaffected; what this feature does mean is that guest VMs are more responsive during the XenMotion memory-copy operation, and the load on the host is reduced.
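To show what the two tracking methods cost, here is an added example (my own illustrative C model, not XenServer or Xen code) of a pre-copy migration loop driven by either a software log-dirty tracker or a PML-style tracker. The guest size, the workload (a hot set of pages rewritten every round), the thresholds and the names `migrate`, `guest_write` and `tracker_collect` are all constructed for the example. Two facts it relies on are documented by Intel: the PML buffer holds 512 guest-physical addresses, and the CPU logs a page only when its EPT dirty bit goes from clean to dirty, exiting to the hypervisor only when the log is full. The software tracker models the older approach, where every first write to a write-protected page traps into Xen.

```c
/* Added example (not XenServer or Xen code): a pre-copy migration loop
 * driven by a software log-dirty tracker or a PML-style tracker. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define GUEST_PAGES     4096   /* constructed: 16 MB guest of 4 KB pages */
#define PML_LOG_ENTRIES 512    /* Intel's PML buffer: 4 KB of 64-bit GPAs */

enum tracker_kind { TRACK_SOFTWARE, TRACK_PML };

struct dirty_tracker {
    enum tracker_kind kind;
    bool dirty[GUEST_PAGES];    /* log-dirty bitmap seen by the migration loop */
    bool ept_d[GUEST_PAGES];    /* PML only: EPT dirty bit, logged on 0 -> 1 */
    uint32_t pml_log[PML_LOG_ENTRIES];
    size_t pml_index;
    unsigned long vm_exits;     /* write traps (software) or PML-full exits */
};

/* Hypervisor side of a PML-full exit: drain the log into the bitmap. */
static void pml_drain(struct dirty_tracker *t)
{
    for (size_t i = 0; i < t->pml_index; i++)
        t->dirty[t->pml_log[i]] = true;
    t->pml_index = 0;
}

/* The guest writes page gpfn while tracking is active. */
static void guest_write(struct dirty_tracker *t, uint32_t gpfn)
{
    if (t->kind == TRACK_SOFTWARE) {
        if (!t->dirty[gpfn]) {      /* write-protected: trap into Xen, which */
            t->vm_exits++;          /* marks the page dirty and unprotects it */
            t->dirty[gpfn] = true;
        }
        return;
    }
    if (t->ept_d[gpfn])
        return;                     /* D bit already set: nothing is logged */
    t->ept_d[gpfn] = true;
    t->pml_log[t->pml_index++] = gpfn;
    if (t->pml_index == PML_LOG_ENTRIES) {
        t->vm_exits++;              /* log full: the only exit PML causes */
        pml_drain(t);
    }
}

/* End of a round: count dirty pages and reset (software: re-protect all
 * pages; PML: flush the partial log and clear the EPT dirty bits). */
static size_t tracker_collect(struct dirty_tracker *t)
{
    size_t n = 0;
    if (t->kind == TRACK_PML)
        pml_drain(t);
    for (size_t i = 0; i < GUEST_PAGES; i++) {
        n += t->dirty[i];
        t->dirty[i] = t->ept_d[i] = false;
    }
    return n;
}

struct migration_stats {
    unsigned rounds;        /* pre-copy rounds while the VM keeps running */
    size_t pages_sent;      /* includes every recopy of a re-dirtied page */
    size_t final_copy;      /* pages sent while the VM is paused */
    unsigned long vm_exits;
};

/* Pre-copy: send everything once, then resend dirtied pages until the dirty
 * set is small (or the round budget is spent), then pause and copy the rest.
 * Constructed workload: the guest rewrites `hot` pages three times a round.
 * The tracker changes only vm_exits; both see exactly the same dirty pages. */
struct migration_stats migrate(enum tracker_kind kind, uint32_t hot,
                               size_t threshold, unsigned max_rounds)
{
    struct dirty_tracker t;
    struct migration_stats s = {0};
    size_t pending = GUEST_PAGES;   /* first round copies every page */

    memset(&t, 0, sizeof t);
    t.kind = kind;
    for (;;) {
        s.pages_sent += pending;
        s.rounds++;
        for (int rep = 0; rep < 3; rep++)       /* guest runs during the copy */
            for (uint32_t p = 0; p < hot; p++)
                guest_write(&t, p);
        pending = tracker_collect(&t);
        if (pending <= threshold || s.rounds >= max_rounds)
            break;
    }
    s.final_copy = pending;         /* copied with the VM paused */
    s.vm_exits = t.vm_exits;
    return s;
}
```

Run with a hot set of 2000 pages, a threshold of 100 and a budget of 5 rounds (`migrate(TRACK_SOFTWARE, 2000, 100, 5)` against `migrate(TRACK_PML, 2000, 100, 5)`), both trackers report the same 5 rounds, 12096 pages sent and 2000 pages in the paused final copy, which is the point made above about the final phase being unaffected; the difference is that the software tracker takes 10000 write traps while PML takes 15 log-full exits, which is where the responsiveness and host-load gains come from.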

To learn more about PML, check out this Intel whitepaper.

In summary ...

XenServer is the first hypervisor platform to use SMAP integration with the Intel Xeon processor E5-2600 v4 product family, helping to remove this class of vulnerability as an area of concern. Likewise, PML simplifies our code base while also improving overall system performance.

Integrating Intel CPU features like these shows how Citrix continues to collaborate closely with Intel to solve real-world problems, while ensuring that XenServer can take advantage of the latest hardware-embedded technology.

If you are interested in knowing more about other activities between the Citrix XenServer team and Intel, please check out these links:

  • XenServer Tech Preview features Intel GVT-g virtualized graphics
  • Foundational Security with Intel® TXT and Citrix XenServer
  • Citrix and Intel solutions for improved graphics and secure OpenStack Clouds at IDF 2015
