I am working on a system that requires isolation between various system components, and we are looking at using Xen to do this. One of our requirements is that the code that enforces the separation is small and inspectable. At first blush, the Xen code appears to meet this, but I have a nagging concern that a mis-designed GuestOS could bypass Xen. I don't have any specific reason to believe this, but I wanted to ask if anyone can comment on whether this is possible, given the design of Xen.

So, the two questions are:
(1) Can a GuestOS ever bypass the Xen boundaries?
(2) How big (in lines of code) is the subsystem in Xen that enforces this?

Thanks in advance. Any help is greatly appreciated.

Charlie

Charlie Woloszynski
Innovative Concepts Inc.
703-893-2007 x506
charles.woloszynski@innocon.com
> So, the two questions are:
> (1) Can a GuestOS ever bypass the Xen boundaries?

We can't guarantee there aren't bugs in Xen, but that's certainly the design goal. Maintaining isolation between guests is paramount. The trick is doing it with good performance. That's what makes Xen fun to work on ;-)

> (2) How big (in lines of code) is the subsystem in Xen that enforces this?

The hard/clever part is memory protection. That's mostly implemented in common/memory.c which is 1100 lines. The whole of Xen is 20 times that, but there's a lot of hardware initialisation code etc that isn't "guest facing".

Ian

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel