Secret-free Hypervisor: Now and Future
Wei Liu <wl@xen.org>
Agenda
• Why this project
• What and how
• Primary targets
• Project scope
• Project showcase
• Project status
Why this project
• Prompted by Meltdown and Spectre
• Side-channels are here to stay
• Hardware bugs are here to stay
• Well-established isolation mechanisms and security boundaries are broken
• Rethink Xen’s strategy against a whole class of issues
• What if there is no secret to leak in the first place?
Primary targets
• Direct map
  • Xen has a 1:1 mapping of all physical memory in the machine for performance reasons
  • If you can read from that mapping, you can read everything in the machine
• Stack
  • Stack in Xen is allocated from an always mapped heap (xenheap) visible to all PCPUs
  • Stack content is considered sensitive
Fixes?
• Direct map
  • Remove it completely
  • Map / unmap pages as required when accessing memory
• Stack
  • Switch to a per-PCPU stack which is not visible to other PCPUs in the same machine
Xen code is … :)
• Xen’s academic origin and years of organic growth bring some challenging aspects:
  • Messy or not so modular code structure
  • Missing design documents
  • Lacking comments
  • Interesting-looking code and design decisions
A taste of the scope
Secret-free hypervisor:
• Remove direct map
• Use per-PCPU stack
Supporting work items:
• Implement Xenheap with vmap
• Remove mapping infrastructure’s dependency on direct map
• Implement per-PCPU mapping infrastructure
• Implement Persistent MAP (PMAP) infrastructure for bootstrapping
• Use Domheap for page tables
• Carve out address space
• Adjust early boot / AP bringup code
• Maintain correct mapping while context switching
Project showcase
Domheap for page tables
• Currently page tables are xenheap pages (always mapped pages)
• All code is written with the “always mapped” property in mind
• Want to use domheap for page tables
• Need to (painstakingly) rewrite internal APIs and dependent code without breaking bisection
• More importantly, the changes need to be broken down into reviewable patches
Implement xenheap with vmap
• Fewer secrets in xenheap, but keep its property
• Currently vmap is implemented on top of xenheap -- need to flip their relationship
• Problems so far:
  • Make sure page <-> virt conversion functions continue working (or remove them entirely, with lots of code churn…)
  • Make vmap able to unmap a portion of a mapping – there is an optimization in xmalloc which depends on such behavior
  • Need to break a xenheap-vmap call loop in the page table allocation APIs -- this is the reason for the previous project
• Patches must not break bisection and must be reviewable
Implement PMAP infrastructure
• Named (badly) after an infrastructure in Linux
  • The only similarity is that they both have a small-ish address space with statically set up page tables
• To solve a bootstrapping problem:
  • Per-PCPU mapping infrastructure needs some mapping mechanism to set itself up without a direct map
• Only used during CPU onlining / offlining
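The map / unmap-as-required discipline from the “Fixes?” slide, applied to the kind of page-table walk the domheap work has to rewrite, using a small statically sized mapping window like the one the PMAP slide describes. This is an added example on a constructed model, not Xen’s code; `phys`, `pmap_map`, `pmap_unmap`, `walk_direct`, `walk_pmap`, the two-slot window and the 18-bit two-level address layout are all assumptions of the model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model, not Xen code: 16 physical pages of 64 bytes, addressed by
 * machine frame number (mfn). A page-table page holds 64 one-byte entries, so a
 * virtual address is l1_index:6 | l2_index:6 | offset:6 (18 bits). */
#define NPAGES      16
#define PAGE_SIZE   64
#define NOT_PRESENT 0xff
#define PMAP_SLOTS  2      /* small, statically sized mapping window */
static unsigned char phys[NPAGES][PAGE_SIZE];

/* Direct-map style access: every physical page is reachable at all times, so
 * any hypervisor read primitive (or speculative gadget) can reach all of them. */
static unsigned char *direct_map(unsigned mfn) { return phys[mfn]; }
unsigned reachable_pages_direct(void) { return NPAGES; }

/* Window-style access: a fixed number of slots, mapped on demand and released
 * explicitly, so only the pages currently under access are reachable. */
static int      slot_mfn[PMAP_SLOTS] = { -1, -1 };
static unsigned mapped_now, mapped_peak;

static unsigned char *pmap_map(unsigned mfn)
{
    for (int i = 0; i < PMAP_SLOTS; i++) {
        if (slot_mfn[i] >= 0)
            continue;                       /* slot in use */
        slot_mfn[i] = (int)mfn;
        if (++mapped_now > mapped_peak)
            mapped_peak = mapped_now;
        return phys[mfn];
    }
    return NULL;                            /* window exhausted: a caller forgot to unmap */
}

static void pmap_unmap(unsigned char *va)
{
    int mfn = (int)((va - &phys[0][0]) / PAGE_SIZE);
    for (int i = 0; i < PMAP_SLOTS; i++)
        if (slot_mfn[i] == mfn) {
            slot_mfn[i] = -1;
            mapped_now--;
            return;
        }
}
unsigned reachable_pages_pmap(void) { return mapped_now; }
unsigned pmap_peak(void)            { return mapped_peak; }
/* Two-level walk written against the direct map: nothing to release, which is
 * the "always mapped" assumption baked into existing page-table code. */
int walk_direct(unsigned root_mfn, unsigned va)
{
    unsigned char l2_mfn = direct_map(root_mfn)[(va >> 12) & 63];
    if (l2_mfn == NOT_PRESENT)
        return -1;
    unsigned char d = direct_map(l2_mfn)[(va >> 6) & 63];
    return d == NOT_PRESENT ? -1 : d;
}

/* The same walk rewritten for on-demand mapping: each level is mapped, read and
 * unmapped before the next one, so the window never holds more than one page. */
int walk_pmap(unsigned root_mfn, unsigned va)
{
    unsigned char *l1 = pmap_map(root_mfn);
    if (!l1)
        return -2;                          /* -2: mapping window exhausted */
    unsigned char l2_mfn = l1[(va >> 12) & 63];
    pmap_unmap(l1);
    if (l2_mfn == NOT_PRESENT)
        return -1;
    unsigned char *l2 = pmap_map(l2_mfn);
    if (!l2)
        return -2;
    unsigned char d = l2[(va >> 6) & 63];
    pmap_unmap(l2);
    return d == NOT_PRESENT ? -1 : d;
}

/* Constructed sample: root table at mfn 1, one L2 table at mfn 2, and virtual
 * address 0x3040 (l1 index 3, l2 index 1) backed by data page mfn 5. */
void build_tables(void)
{
    memset(phys, NOT_PRESENT, sizeof(phys));
    phys[1][3] = 2;
    phys[2][1] = 5;
}

int main(void)
{
    build_tables();
    printf("direct map: va 0x3040 -> mfn %d, %u pages reachable at all times\n",
           walk_direct(1, 0x3040), reachable_pages_direct());
    printf("pmap:       va 0x3040 -> mfn %d, peak %u page(s) mapped, %u mapped after\n",
           walk_pmap(1, 0x3040), pmap_peak(), reachable_pages_pmap());
    return 0;
}
```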
Status
Patch counts marked on the scope diagram:
• 50+ patches
• ~5 patches
• 10+ patches (incomplete)
• ~5 patches
• ~10 patches
• ~15 patches
Legend:
• Patches written from scratch
• Patches from earlier work that are maybe salvageable
Missing aspect: performance
• Can’t really test performance at this stage
• May not be too bad (but I could be wrong):
  • Removing direct map
    • Xen only needs to access a few pages while a guest is running
    • PV guest page manipulation code is already very long
  • Per-PCPU stack
    • A PCPU only cares about its own stack during normal operation
More information
• https://xenproject.atlassian.net/browse/XEN-119
• https://lists.xenproject.org/archives/html/xen-devel/2019-01/msg01923.html
• https://lists.xenproject.org/archives/html/xen-devel/2018-10/msg01477.html
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software Engineer, Citrix
