Re: A few KVM security questions


 



On Mon, Dec 07, 2009 at 06:33:35PM +0100, Joanna Rutkowska wrote:
> Avi Kivity wrote:
> > On 12/07/2009 07:15 PM, Joanna Rutkowska wrote:
> >>>>
> >>>> But the difference is that in case of Xen one can *easily* move the
> >>>> backends to small unprivileged VMs. In that case it doesn't matter the
> >>>> code is in kernel mode, it's still only in an unprivileged domain.
> >>>>
> >>> They're not really unprivileged, one can easily program the dma
> >>> controller of their assigned pci card to read and write arbitrary host
> >>> memory.
> >>>
> >> That's not true if you use VT-d.
> >>
> > 
> > AFAIK VT-d is only supported in Xen for fully virtualized guests.  Maybe
> > it changed while I wasn't watching, though.
> > 
> 
> Negative. VT-d can be used to contain PV DomUs as well. We actually
> verified it.

Oh, I didn't know that. This is a bit OT, but could you paste or point
to a VT-d configuration with a PV guest?

-- Pasi
