SlideShare une entreprise Scribd logo

XPDDS18: EPT-Based Sub-page Write Protection On Xenc - Yi Zhang, Intel

The Linux Foundation
The Linux Foundation

EPT-Based Sub-page Write Protection referred to as SPP, it is a capability which allow Virtual Machine Monitors(VMM) to specify write-permission for guest physical memory at a sub-page(128 byte) granularity. When this capability is utilized, the CPU enforces write-access permissions for sub-page regions of 4K pages as specified by the VMM. EPT-based sub-page permissions is intended to enable fine-grained memory write enforcement by a VMM for security(guest OS monitoring) and usages such as device virtualization and memory check-point.

Technologie
1  sur  18
Télécharger pour lire hors ligne
1 EPT-Based Sub-Page Protection On Xen Yi Zhang <yi.z.zhang@linux.intel.com>
2 Agenda  Overview  Implementation  User Cases  Q/A
3 EPT-Based Sub-Page Protection Design 3 SPP Overview EPT-Based Sub-Page Protection (SPP) - Allow write-protecting guest physical memory at a sub-page (128byte) granularity 4K Page Original Page Write-Protection Granularity EPT-Based SPP With SPP 128 byte ··· 32 × 128 byte Sub Pages
4 EPT-Based Sub-Page Protection Design 4 Implementation  Sub-page protection overall picture  Sub-page permission table  Sub-page permission table pointer  Sub-page permission table induced VM Exit  Sub-page permission table capability  Sub-page permission table enforcement  Hypercalls to set/get Sub-Page Write Protection
5 EPT-Based Sub-Page Protection Design 5 Guest Physical Address (GPA) Original EPT: EPT-Based SPP Walk EPT 1 EPT leaf entry Writable? Y N Write access to page Write access denied GPA Walk EPT 1 1 61 EPT leaf entry Writable? Y Write access to page Walk SPP Table SPP table pointer in VMCS 1 0 0 1 63 ··· 2 128 byte 128 byte ··· Physical Page Allow Deny SPPT L1E format 0+2i : sub-page write access 1+2i : reserved 1 N VM_exit
6 EPT-Based Sub-Page Protection Design 6 Sub-page Permission Table (SPPT)  Sub-page Permission Table • 4-level paging structure • Set up by hypervisor • Walked by hardware  Sub-page Permission Table Pointer • 64-bit control field on VMCS • Point to the SPPT L4 table
7 EPT-Based Sub-Page Protection Design 7 Sub-page Permission Table (SPPT)  Most like EPT table, the SPPT L4E L3E L2E format are defined as below figure: | :------------------ | :-------------------------------------------------------------------------------------------------------- | | Bit | Contents | | :------------------ | :-------------------------------------------------------------------------------------------------------- | | 0 | Valid entry when set; indicates whether the entry is present | | 11:1 | Reserved (0) | | N-1:12 | Physical address of 4K aligned SPPT LX-1 Table referenced by the entry | | 51:N | Reserved (0) | | 63:52 | Reserved (0) | | :------------------ | :-------------------------------------------------------------------------------------------------------- |  The SPP L1E format is defined as below figure: | :------------------ | :-------------------------------------------------------------------------------------------------------- | | Bit | Contents | | :------------------ | :-------------------------------------------------------------------------------------------------------- | | 0+2i | Write permission for i-th 128 byte sub-page region. | | 1+2i | Reserved (0). | | :------------------ | :-------------------------------------------------------------------------------------------------------- | Note: `0<=i<=31`
8 EPT-Based Sub-Page Protection Design 8 Sub-page permission table induced VM Exit An SPPT paging-structure entry contains an unsupported value during SPPT lookup. SPPT paging-structure entries are not present during SPPT lookup. • SPP Misconfiguration • SPP Miss • EPT violation VM Exits due to SPPT Memory writes that consult but are not permitted by the SPPT cause EPT violations normally. NOTE SPP Vm Exits reason value is 66. SPP Misconfiguration and SPP Miss Vm Exits can be told by exit qualification bit 11, set for SPP Miss, cleared for SPP Misconfig.
9 EPT-Based Sub-Page Protection Design 9 Sub-page Permission Table View SPPTP SPP miss SPP missconfig setup spp table 0 EPT violation not present unsupported value
10 EPT-Based Sub-Page Protection Design 10 Sub-page permission table capability IA32_VMX_PROCBASED_CTLS2 Secondary Proc-Based VM-Execution Controls MSR 0x48b 031 23 SPP Bit Capability on VMX MSR Enabling on VMCS Control fields bit [23] = 1 SPP is globally enabled
11 EPT-Based Sub-Page Protection Design 11 Sub-page permission table enforcement • Bit 61 of an EPT PTE is changed to “Sub-Page Permission” (SPP bit). • Setting this bit allows write permissions for the page to be enforced on a sub-page basis . EPT leaf paging-structure entries 63 61 physical address of page N-1 12 02 SPP physical page Set to act on
12 EPT-Based Sub-Page Protection Design 12 Hypercalls to set/get Sub-Page Write Protection: • Defined 2 hypercalls to set/get subpage write protection bitmap per gfn, each gfn corresponds to a bitmap. • The host management application, xl, or some other security control daemon. will set the protection bitmap via this pair of hypercall.
13 EPT-Based Sub-Page Protection Design 13 User Case Ⅰ Security data structure protection 4K PageAllocated User Data U32 Protected_bitmap User ID Un-Protected Protected 32 × 128 byte Sub Pages Private Key Mobile Number Public Email Billing Infor Name … Protected Un-Protected Un-Protected Protected Un-Protected Origin 4K page
14 EPT-Based Sub-Page Protection Design 14 User Case Ⅰ VM 4K Page User ID Private Key Mobile Number Public Email Billing Infor Name … Origin 4K page EPT table SPP table Client write Approve VM Exit VMM HPA User ID Security check Denied write
15 EPT-Based Sub-Page Protection Design 15 User Case Ⅱ Device mmio space protection 4K Page dev mmio space U32 Protected_bitmap Sensitive Reg Set[0] Un-Protected Protected 32 × 128 byte Sub Pages Sensitive Reg Set[2] Public Reg Set[...] Public Reg Set[3] Sensitive Reg Set[31] Public Reg Set[1] … Protected Un-Protected Un-Protected Protected Un-Protected 4K mmio space
16 EPT-Based Sub-Page Protection Design 16 User Case Ⅱ EPT table SPP table public register set sensitive register set Device GPA VM ApproveTrap & Emulate VM Exit
17 EPT-Based Sub-Page Protection Design 17 Resource Intel SDM: https://software.intel.com/sites/default/files/managed/c5/15/architecture-instruction-set- extensions-programming-reference.pdf Xen Patch link: https://lists.xenproject.org/archives/html/xen-devel/2017-10/msg02215.html KVM Patch link: https://lkml.org/lkml/2017/10/13/460
Q & A

Recommandé

Message Signaled Interrupts
Message Signaled InterruptsMessage Signaled Interrupts
Message Signaled InterruptsAnshuman Biswal
 
Character Drivers
Character DriversCharacter Drivers
Character DriversAnil Kumar Pugalia
 
Tegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxTegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxMr. Vengineer
 
SUSE shim and things related to it
SUSE shim and things related to itSUSE shim and things related to it
SUSE shim and things related to itSUSE Labs Taipei
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelAdrian Huang
 
Revisit DCA, PCIe TPH and DDIO
Revisit DCA, PCIe TPH and DDIORevisit DCA, PCIe TPH and DDIO
Revisit DCA, PCIe TPH and DDIOHisaki Ohara
 
Introduction of AMD Virtual Interrupt Controller
Introduction of AMD Virtual Interrupt ControllerIntroduction of AMD Virtual Interrupt Controller
Introduction of AMD Virtual Interrupt ControllerThe Linux Foundation
 
Shadow forensics print
Shadow forensics printShadow forensics print
Shadow forensics printn|u - The Open Security Community
 

Recommandé

Message Signaled Interrupts
Message Signaled InterruptsMessage Signaled Interrupts
Message Signaled InterruptsAnshuman Biswal
 
Character Drivers
Character DriversCharacter Drivers
Character DriversAnil Kumar Pugalia
 
Tegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxTegra 186のu-boot & Linux
Tegra 186のu-boot & LinuxMr. Vengineer
 
SUSE shim and things related to it
SUSE shim and things related to itSUSE shim and things related to it
SUSE shim and things related to itSUSE Labs Taipei
 
Memory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelMemory Mapping Implementation (mmap) in Linux Kernel
Memory Mapping Implementation (mmap) in Linux KernelAdrian Huang
 
Revisit DCA, PCIe TPH and DDIO
Revisit DCA, PCIe TPH and DDIORevisit DCA, PCIe TPH and DDIO
Revisit DCA, PCIe TPH and DDIOHisaki Ohara
 
Introduction of AMD Virtual Interrupt Controller
Introduction of AMD Virtual Interrupt ControllerIntroduction of AMD Virtual Interrupt Controller
Introduction of AMD Virtual Interrupt ControllerThe Linux Foundation
 
Shadow forensics print
Shadow forensics printShadow forensics print
Shadow forensics printn|u - The Open Security Community
 
The e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationThe e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationjoeylikernel
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016Brendan Gregg
 
Pcie drivers basics
Pcie drivers basicsPcie drivers basics
Pcie drivers basicsVenkatesh Malla
 
Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Brendan Gregg
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernelAdrian Huang
 
PCI Drivers
PCI DriversPCI Drivers
PCI DriversAnil Kumar Pugalia
 
DPDK In Depth
DPDK In DepthDPDK In Depth
DPDK In DepthKernel TLV
 
Kernel Recipes 2019 - Faster IO through io_uring
Kernel Recipes 2019 - Faster IO through io_uringKernel Recipes 2019 - Faster IO through io_uring
Kernel Recipes 2019 - Faster IO through io_uringAnne Nicolas
 
Pacemaker+DRBD
Pacemaker+DRBDPacemaker+DRBD
Pacemaker+DRBDDan Frincu
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDKDenys Haryachyy
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File SystemAdrian Huang
 
/proc/irq/&lt;irq>/smp_affinity
/proc/irq/&lt;irq>/smp_affinity/proc/irq/&lt;irq>/smp_affinity
/proc/irq/&lt;irq>/smp_affinityTakuya ASADA
 
Memory Barriers in the Linux Kernel
Memory Barriers in the Linux KernelMemory Barriers in the Linux Kernel
Memory Barriers in the Linux KernelDavidlohr Bueso
 
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Anne Nicolas
 
FASTER Key-Value Store and Log
FASTER Key-Value Store and LogFASTER Key-Value Store and Log
FASTER Key-Value Store and LogBadrish Chandramouli
 
Ceph RBD Update - June 2021
Ceph RBD Update - June 2021Ceph RBD Update - June 2021
Ceph RBD Update - June 2021Ceph Community
 
Embedded Software Design
Embedded Software DesignEmbedded Software Design
Embedded Software DesignAnil Kumar Pugalia
 
Storage Basics
Storage BasicsStorage Basics
Storage BasicsMurali Rajesh
 
4. linux file systems
4. linux file systems4. linux file systems
4. linux file systemsMarian Marinov
 
Linux kernel memory allocators
Linux kernel memory allocatorsLinux kernel memory allocators
Linux kernel memory allocatorsHao-Ran Liu
 
Advanced performance troubleshooting using esxtop
Advanced performance troubleshooting using esxtopAdvanced performance troubleshooting using esxtop
Advanced performance troubleshooting using esxtopAlan Renouf
 
Juniper SRX Quickstart 12.1R3 by Thomas Schmidt
Juniper SRX Quickstart 12.1R3 by Thomas SchmidtJuniper SRX Quickstart 12.1R3 by Thomas Schmidt
Juniper SRX Quickstart 12.1R3 by Thomas SchmidtNam Nguyen
 

Contenu connexe

Tendances

The e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationThe e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationjoeylikernel
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016Brendan Gregg
 
Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Brendan Gregg
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernelAdrian Huang
 
Kernel Recipes 2019 - Faster IO through io_uring
Kernel Recipes 2019 - Faster IO through io_uringKernel Recipes 2019 - Faster IO through io_uring
Kernel Recipes 2019 - Faster IO through io_uringAnne Nicolas
 
Pacemaker+DRBD
Pacemaker+DRBDPacemaker+DRBD
Pacemaker+DRBDDan Frincu
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File SystemAdrian Huang
 
/proc/irq/&lt;irq>/smp_affinity
/proc/irq/&lt;irq>/smp_affinity/proc/irq/&lt;irq>/smp_affinity
/proc/irq/&lt;irq>/smp_affinityTakuya ASADA
 
Memory Barriers in the Linux Kernel
Memory Barriers in the Linux KernelMemory Barriers in the Linux Kernel
Memory Barriers in the Linux KernelDavidlohr Bueso
 
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Anne Nicolas
 
Ceph RBD Update - June 2021
Ceph RBD Update - June 2021Ceph RBD Update - June 2021
Ceph RBD Update - June 2021Ceph Community
 
Linux kernel memory allocators
Linux kernel memory allocatorsLinux kernel memory allocators
Linux kernel memory allocatorsHao-Ran Liu
 

Tendances (20)

The e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernationThe e820 trap of Linux kernel hibernation
The e820 trap of Linux kernel hibernation
 
Linux Systems Performance 2016
Linux Systems Performance 2016Linux Systems Performance 2016
Linux Systems Performance 2016
 
Pcie drivers basics
Pcie drivers basicsPcie drivers basics
Pcie drivers basics
 
Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)Performance Wins with eBPF: Getting Started (2021)
Performance Wins with eBPF: Getting Started (2021)
 
Page cache in Linux kernel
Page cache in Linux kernelPage cache in Linux kernel
Page cache in Linux kernel
 
PCI Drivers
PCI DriversPCI Drivers
PCI Drivers
 
DPDK In Depth
DPDK In DepthDPDK In Depth
DPDK In Depth
 
Kernel Recipes 2019 - Faster IO through io_uring
Kernel Recipes 2019 - Faster IO through io_uringKernel Recipes 2019 - Faster IO through io_uring
Kernel Recipes 2019 - Faster IO through io_uring
 
Pacemaker+DRBD
Pacemaker+DRBDPacemaker+DRBD
Pacemaker+DRBD
 
Understanding DPDK
Understanding DPDKUnderstanding DPDK
Understanding DPDK
 
Linux Kernel - Virtual File System
Linux Kernel - Virtual File SystemLinux Kernel - Virtual File System
Linux Kernel - Virtual File System
 
/proc/irq/&lt;irq>/smp_affinity
/proc/irq/&lt;irq>/smp_affinity/proc/irq/&lt;irq>/smp_affinity
/proc/irq/&lt;irq>/smp_affinity
 
Memory Barriers in the Linux Kernel
Memory Barriers in the Linux KernelMemory Barriers in the Linux Kernel
Memory Barriers in the Linux Kernel
 
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
Kernel Recipes 2015: Linux Kernel IO subsystem - How it works and how can I s...
 
FASTER Key-Value Store and Log
FASTER Key-Value Store and LogFASTER Key-Value Store and Log
FASTER Key-Value Store and Log
 
Ceph RBD Update - June 2021
Ceph RBD Update - June 2021Ceph RBD Update - June 2021
Ceph RBD Update - June 2021
 
Embedded Software Design
Embedded Software DesignEmbedded Software Design
Embedded Software Design
 
Storage Basics
Storage BasicsStorage Basics
Storage Basics
 
4. linux file systems
4. linux file systems4. linux file systems
4. linux file systems
 
Linux kernel memory allocators
Linux kernel memory allocatorsLinux kernel memory allocators
Linux kernel memory allocators
 

Similaire à XPDDS18: EPT-Based Sub-page Write Protection On Xenc - Yi Zhang, Intel

Advanced performance troubleshooting using esxtop
Advanced performance troubleshooting using esxtopAdvanced performance troubleshooting using esxtop
Advanced performance troubleshooting using esxtopAlan Renouf
 
Juniper SRX Quickstart 12.1R3 by Thomas Schmidt
Juniper SRX Quickstart 12.1R3 by Thomas SchmidtJuniper SRX Quickstart 12.1R3 by Thomas Schmidt
Juniper SRX Quickstart 12.1R3 by Thomas SchmidtNam Nguyen
 
Compute 101 - OpenStack Summit Vancouver 2015
Compute 101 - OpenStack Summit Vancouver 2015Compute 101 - OpenStack Summit Vancouver 2015
Compute 101 - OpenStack Summit Vancouver 2015Stephen Gordon
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCanSecWest
 
BPF Hardware Offload Deep Dive
BPF Hardware Offload Deep DiveBPF Hardware Offload Deep Dive
BPF Hardware Offload Deep DiveNetronome
 
Citi TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep DiveCiti TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep Diveconfluent
 
Mpls conference 2016-data center virtualisation-11-march
Mpls conference 2016-data center virtualisation-11-marchMpls conference 2016-data center virtualisation-11-march
Mpls conference 2016-data center virtualisation-11-marchAricent
 
Geep networking stack-linuxkernel
Geep networking stack-linuxkernelGeep networking stack-linuxkernel
Geep networking stack-linuxkernelKiran Divekar
 
Spectre meltdown performance_tests - v0.3
Spectre meltdown performance_tests - v0.3Spectre meltdown performance_tests - v0.3
Spectre meltdown performance_tests - v0.3David Pasek
 
z/VM 6.3 - Mudanças de Comportamento do hypervisor para suporte de partições ...
z/VM 6.3 - Mudanças de Comportamento do hypervisor para suporte de partições ...z/VM 6.3 - Mudanças de Comportamento do hypervisor para suporte de partições ...
z/VM 6.3 - Mudanças de Comportamento do hypervisor para suporte de partições ...Joao Galdino Mello de Souza
 
M. Gschwind, A novel SIMD architecture for the Cell heterogeneous chip multip...
M. Gschwind, A novel SIMD architecture for the Cell heterogeneous chip multip...M. Gschwind, A novel SIMD architecture for the Cell heterogeneous chip multip...
M. Gschwind, A novel SIMD architecture for the Cell heterogeneous chip multip...Michael Gschwind
 
Introduction about Kubernates Cluster
Introduction about Kubernates ClusterIntroduction about Kubernates Cluster
Introduction about Kubernates Cluster♛Kumar Aneesh♛
 
Host Data Plane Acceleration: SmartNIC Deployment Models
Host Data Plane Acceleration: SmartNIC Deployment ModelsHost Data Plane Acceleration: SmartNIC Deployment Models
Host Data Plane Acceleration: SmartNIC Deployment ModelsNetronome
 
Better Network Management Through Network Programmability
Better Network Management Through Network ProgrammabilityBetter Network Management Through Network Programmability
Better Network Management Through Network ProgrammabilityCisco Canada
 
XPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, Intel
XPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, IntelXPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, Intel
XPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, IntelThe Linux Foundation
 

Similaire à XPDDS18: EPT-Based Sub-page Write Protection On Xenc - Yi Zhang, Intel (20)

Advanced performance troubleshooting using esxtop
Advanced performance troubleshooting using esxtopAdvanced performance troubleshooting using esxtop
Advanced performance troubleshooting using esxtop
 
Juniper SRX Quickstart 12.1R3 by Thomas Schmidt
Juniper SRX Quickstart 12.1R3 by Thomas SchmidtJuniper SRX Quickstart 12.1R3 by Thomas Schmidt
Juniper SRX Quickstart 12.1R3 by Thomas Schmidt
 
Network Drivers
Network DriversNetwork Drivers
Network Drivers
 
Compute 101 - OpenStack Summit Vancouver 2015
Compute 101 - OpenStack Summit Vancouver 2015Compute 101 - OpenStack Summit Vancouver 2015
Compute 101 - OpenStack Summit Vancouver 2015
 
Vyos clustering ipsec
Vyos clustering ipsecVyos clustering ipsec
Vyos clustering ipsec
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physical
 
BPF Hardware Offload Deep Dive
BPF Hardware Offload Deep DiveBPF Hardware Offload Deep Dive
BPF Hardware Offload Deep Dive
 
Ixgbe internals
Ixgbe internalsIxgbe internals
Ixgbe internals
 
Netlink-Optimization.pptx
Netlink-Optimization.pptxNetlink-Optimization.pptx
Netlink-Optimization.pptx
 
Citi TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep DiveCiti TechTalk Session 2: Kafka Deep Dive
Citi TechTalk Session 2: Kafka Deep Dive
 
Secure Containers with EPT Isolation
Secure Containers with EPT IsolationSecure Containers with EPT Isolation
Secure Containers with EPT Isolation
 
Mpls conference 2016-data center virtualisation-11-march
Mpls conference 2016-data center virtualisation-11-marchMpls conference 2016-data center virtualisation-11-march
Mpls conference 2016-data center virtualisation-11-march
 
Geep networking stack-linuxkernel
Geep networking stack-linuxkernelGeep networking stack-linuxkernel
Geep networking stack-linuxkernel
 
Spectre meltdown performance_tests - v0.3
Spectre meltdown performance_tests - v0.3Spectre meltdown performance_tests - v0.3
Spectre meltdown performance_tests - v0.3
 
z/VM 6.3 - Mudanças de Comportamento do hypervisor para suporte de partições ...
z/VM 6.3 - Mudanças de Comportamento do hypervisor para suporte de partições ...z/VM 6.3 - Mudanças de Comportamento do hypervisor para suporte de partições ...
z/VM 6.3 - Mudanças de Comportamento do hypervisor para suporte de partições ...
 
M. Gschwind, A novel SIMD architecture for the Cell heterogeneous chip multip...
M. Gschwind, A novel SIMD architecture for the Cell heterogeneous chip multip...M. Gschwind, A novel SIMD architecture for the Cell heterogeneous chip multip...
M. Gschwind, A novel SIMD architecture for the Cell heterogeneous chip multip...
 
Introduction about Kubernates Cluster
Introduction about Kubernates ClusterIntroduction about Kubernates Cluster
Introduction about Kubernates Cluster
 
Host Data Plane Acceleration: SmartNIC Deployment Models
Host Data Plane Acceleration: SmartNIC Deployment ModelsHost Data Plane Acceleration: SmartNIC Deployment Models
Host Data Plane Acceleration: SmartNIC Deployment Models
 
Better Network Management Through Network Programmability
Better Network Management Through Network ProgrammabilityBetter Network Management Through Network Programmability
Better Network Management Through Network Programmability
 
XPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, Intel
XPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, IntelXPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, Intel
XPDS14 - Xen as High-Performance NFV Platform - Jun Nakajima, Intel
 

Plus de The Linux Foundation

ELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleThe Linux Foundation
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...The Linux Foundation
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...The Linux Foundation
 
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...The Linux Foundation
 
XPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather ReportXPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather ReportThe Linux Foundation
 
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...The Linux Foundation
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxThe Linux Foundation
 
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...The Linux Foundation
 
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderXPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderThe Linux Foundation
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...The Linux Foundation
 
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making... OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...The Linux Foundation
 
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixXPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixThe Linux Foundation
 
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdXPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdThe Linux Foundation
 
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...The Linux Foundation
 
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DXPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DThe Linux Foundation
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsThe Linux Foundation
 
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...The Linux Foundation
 
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...The Linux Foundation
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...The Linux Foundation
 
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEXPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEThe Linux Foundation
 

Plus de The Linux Foundation (20)

ELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made SimpleELC2019: Static Partitioning Made Simple
ELC2019: Static Partitioning Made Simple
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
 
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...
 
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...
 
XPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather ReportXPDDS19 Keynote: Unikraft Weather Report
XPDDS19 Keynote: Unikraft Weather Report
 
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
 
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...
 
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, BitdefenderXPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
 
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making... OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...
 
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, CitrixXPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix
 
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltdXPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd
 
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...
 
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&DXPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D
 
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM SystemsXPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems
 
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...
 
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...
 
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...
 
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSEXPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE
 

Dernier

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 

Dernier (20)

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

XPDDS18: EPT-Based Sub-page Write Protection On Xenc - Yi Zhang, Intel

  • 1. 1 EPT-Based Sub-Page Protection On Xen Yi Zhang <yi.z.zhang@linux.intel.com>
  • 3. 3 EPT-Based Sub-Page Protection Design 3 SPP Overview EPT-Based Sub-Page Protection (SPP) - Allow write-protecting guest physical memory at a sub-page (128byte) granularity 4K Page Original Page Write-Protection Granularity EPT-Based SPP With SPP 128 byte ··· 32 × 128 byte Sub Pages
  • 4. 4 EPT-Based Sub-Page Protection Design 4 Implementation  Sub-page protection overall picture  Sub-page permission table  Sub-page permission table pointer  Sub-page permission table induced VM Exit  Sub-page permission table capability  Sub-page permission table enforcement  Hypercalls to set/get Sub-Page Write Protection
  • 5. 5 EPT-Based Sub-Page Protection Design 5 Guest Physical Address (GPA) Original EPT: EPT-Based SPP Walk EPT 1 EPT leaf entry Writable? Y N Write access to page Write access denied GPA Walk EPT 1 1 61 EPT leaf entry Writable? Y Write access to page Walk SPP Table SPP table pointer in VMCS 1 0 0 1 63 ··· 2 128 byte 128 byte ··· Physical Page Allow Deny SPPT L1E format 0+2i : sub-page write access 1+2i : reserved 1 N VM_exit
  • 6. 6 EPT-Based Sub-Page Protection Design 6 Sub-page Permission Table (SPPT)  Sub-page Permission Table • 4-level paging structure • Set up by hypervisor • Walked by hardware  Sub-page Permission Table Pointer • 64-bit control field on VMCS • Point to the SPPT L4 table
  • 7. 7 EPT-Based Sub-Page Protection Design 7 Sub-page Permission Table (SPPT)  Most like EPT table, the SPPT L4E L3E L2E format are defined as below figure: | :------------------ | :-------------------------------------------------------------------------------------------------------- | | Bit | Contents | | :------------------ | :-------------------------------------------------------------------------------------------------------- | | 0 | Valid entry when set; indicates whether the entry is present | | 11:1 | Reserved (0) | | N-1:12 | Physical address of 4K aligned SPPT LX-1 Table referenced by the entry | | 51:N | Reserved (0) | | 63:52 | Reserved (0) | | :------------------ | :-------------------------------------------------------------------------------------------------------- |  The SPP L1E format is defined as below figure: | :------------------ | :-------------------------------------------------------------------------------------------------------- | | Bit | Contents | | :------------------ | :-------------------------------------------------------------------------------------------------------- | | 0+2i | Write permission for i-th 128 byte sub-page region. | | 1+2i | Reserved (0). | | :------------------ | :-------------------------------------------------------------------------------------------------------- | Note: `0<=i<=31`
  • 8. 8 EPT-Based Sub-Page Protection Design 8 Sub-page permission table induced VM Exit An SPPT paging-structure entry contains an unsupported value during SPPT lookup. SPPT paging-structure entries are not present during SPPT lookup. • SPP Misconfiguration • SPP Miss • EPT violation VM Exits due to SPPT Memory writes that consult but are not permitted by the SPPT cause EPT violations normally. NOTE SPP Vm Exits reason value is 66. SPP Misconfiguration and SPP Miss Vm Exits can be told by exit qualification bit 11, set for SPP Miss, cleared for SPP Misconfig.
  • 9. 9 EPT-Based Sub-Page Protection Design 9 Sub-page Permission Table View SPPTP SPP miss SPP missconfig setup spp table 0 EPT violation not present unsupported value
  • 10. 10 EPT-Based Sub-Page Protection Design 10 Sub-page permission table capability IA32_VMX_PROCBASED_CTLS2 Secondary Proc-Based VM-Execution Controls MSR 0x48b 031 23 SPP Bit Capability on VMX MSR Enabling on VMCS Control fields bit [23] = 1 SPP is globally enabled
  • 11. 11 EPT-Based Sub-Page Protection Design 11 Sub-page permission table enforcement • Bit 61 of an EPT PTE is changed to “Sub-Page Permission” (SPP bit). • Setting this bit allows write permissions for the page to be enforced on a sub-page basis . EPT leaf paging-structure entries 63 61 physical address of page N-1 12 02 SPP physical page Set to act on
  • 12. 12 EPT-Based Sub-Page Protection Design 12 Hypercalls to set/get Sub-Page Write Protection: • Defined 2 hypercalls to set/get subpage write protection bitmap per gfn, each gfn corresponds to a bitmap. • The host management application, xl, or some other security control daemon. will set the protection bitmap via this pair of hypercall.
  • 13. 13 EPT-Based Sub-Page Protection Design 13 User Case Ⅰ Security data structure protection 4K PageAllocated User Data U32 Protected_bitmap User ID Un-Protected Protected 32 × 128 byte Sub Pages Private Key Mobile Number Public Email Billing Infor Name … Protected Un-Protected Un-Protected Protected Un-Protected Origin 4K page
  • 14. 14 EPT-Based Sub-Page Protection Design 14 User Case Ⅰ VM 4K Page User ID Private Key Mobile Number Public Email Billing Infor Name … Origin 4K page EPT table SPP table Client write Approve VM Exit VMM HPA User ID Security check Denied write
  • 15. 15 EPT-Based Sub-Page Protection Design 15 User Case Ⅱ Device mmio space protection 4K Page dev mmio space U32 Protected_bitmap Sensitive Reg Set[0] Un-Protected Protected 32 × 128 byte Sub Pages Sensitive Reg Set[2] Public Reg Set[...] Public Reg Set[3] Sensitive Reg Set[31] Public Reg Set[1] … Protected Un-Protected Un-Protected Protected Un-Protected 4K mmio space
  • 16. 16 EPT-Based Sub-Page Protection Design 16 User Case Ⅱ EPT table SPP table public register set sensitive register set Device GPA VM ApproveTrap & Emulate VM Exit
  • 17. 17 EPT-Based Sub-Page Protection Design 17 Resource Intel SDM: https://software.intel.com/sites/default/files/managed/c5/15/architecture-instruction-set- extensions-programming-reference.pdf Xen Patch link: https://lists.xenproject.org/archives/html/xen-devel/2017-10/msg02215.html KVM Patch link: https://lkml.org/lkml/2017/10/13/460
  • 18. Q & A