Return-Path: <linux-kernel-owner+willy=40w.ods.org-S965162AbWJ2JKX@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S965162AbWJ2JKX (ORCPT <rfc822;willy@w.ods.org>);
	Sun, 29 Oct 2006 04:10:23 -0500
Received: (majordomo@vger.kernel.org) by vger.kernel.org id S965164AbWJ2JKX
	(ORCPT <rfc822;linux-kernel-outgoing>);
	Sun, 29 Oct 2006 04:10:23 -0500
Received: from mis011-1.exch011.intermedia.net ([64.78.21.128]:40045 "EHLO
	mis011-1.exch011.intermedia.net") by vger.kernel.org with ESMTP
	id S965162AbWJ2JKV (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
	Sun, 29 Oct 2006 04:10:21 -0500
Message-ID: <45446FF8.50502@qumranet.com>
Date: Sun, 29 Oct 2006 11:10:16 +0200
From: Avi Kivity <avi@qumranet.com>
User-Agent: Thunderbird 1.5.0.7 (X11/20061008)
MIME-Version: 1.0
To: Arnd Bergmann <arnd@arndb.de>
CC: linux-kernel@vger.kernel.org, kvm-devel@lists.sourceforge.net
Subject: Re: [PATCH 6/13] KVM: memory slot management
References: <4540EE2B.9020606@qumranet.com> <200610270937.11646.arnd@arndb.de> <454208EB.7080007@qumranet.com> <200610271605.27600.arnd@arndb.de>
In-Reply-To: <200610271605.27600.arnd@arndb.de>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 29 Oct 2006 09:10:20.0957 (UTC) FILETIME=[0F462CD0:01C6FB3A]
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1415
Lines: 39

Arnd Bergmann wrote:
>> It can shoot not only its foot, but anything the monitor's uid has 
>> access to.  Host files, the host network, other guests belonging to the 
>> user, etc.
>>     
>
> Yes, that's what I meant. It's obviously nicer if the guest can't do that,
> but it's a tradeoff of the potential security impact against on how hard
> it is to implement hiding the addresses you don't want your guest to see.
> To put it into other words, do you want the optimal performance, or the
> optimal security?
>
>   

Well, isolation is one of the most significant features of full 
virtualization, both for security and reliability.  I don't think we can 
compromise that.


>> It's worse than I thouht: tlb entries generated by guest accesses are 
>> tagged with the guest virtual address, to if you remove a guest 
>> physical/host virtual page you need to invalidate the entire guest tlb.
>>     
>
> Ok, so it's the HW's fault. They either copied bad or decided doing the
> s390 approach was too expensive.
>   

x86 tradition is to make all possible mistakes before getting a working 
solution.

-- 
error compiling committee.c: too many arguments to function

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/