OXT-1686 : create-ndvm: enable HAP/EPT/SLAT #176
Conversation
For increased security, enable HAP (hardware-assisted paging) SLAT (Second Level Address Translation) instead of Xen shadow page tables. Also known as: - Intel EPT (Extended Page Tables) - AMD NPT (Nested Page Tables) OXT-1686 Signed-off-by: Rich Persaud <[email protected]>
|
Xen enables I don't think there is actually any requirement on OpenXT/xenclient-oe#1339 |
|
Build $10071 |
|
Even though upstream enables HAP by default, enabling HAP in OpenXT's NDVM config has the effect of documenting OpenXT's security requirement for hardware-assisted paging. Upstream Xen's security support for NDVMs is contingent on HAP. Ideally the HAP config property would be visible to local UIVMs and remote configuration management systems. Since we already enable HAP in OpenXT guest VM templates, there's no downside to enabling HAP in NDVM templates. If we need to run NDVMs without HAP, e.g. testing under Qemu, that can be enabled in a 'dev/debug' build of OpenXT. Separately, we should consider disabling software shadow page tables in Xen. Systems without HAP are not security supported by OpenXT or Xen with PCI passthrough. |
|
You didn't answer the question: does setting hap=1 prevent booting when hap is not available? Where is it stated that HAP is an OpenXT security requirement? How is upstream security support contingent on HAP? |
|
As @eric-ch points out, The commit message is inaccurate since HAP is already used. It should be updated to state that HAP is now required for the NDVM. For the record, it looks like Xen will not start a VM with |
For increased security, enable HAP (hardware-assisted paging) SLAT
(Second Level Address Translation) instead of Xen shadow page tables.
Also known as:
OXT-1686
Signed-off-by: Rich Persaud [email protected]
Requires OpenXT/xenclient-oe#1339