XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender

•

0 gostou•524 visualizações

This talk is a follow-up to our Summit 2017 presentation in which we covered our plans for Intel VMFUNC and #VE, as well as related use-cases. This year, we will provide a report on what we have accomplished in Xen 4.12, and what remains to be addressed. We will also give a brief status update of VMI on AMD hardware. The session will end with some real-world numbers of the Hypervisor Introspection solution running on Citrix Hypervisor 8.0 with #VE enabled.

Software

Memories of a VM Funk
Mihai Donțu, Engineering Manager, Bitdefender

Outline
• 4.12 statistics
• VMI on AMD
• The 'Windows 10 RS4' event
• The A/D bits conundrum
• #VE / VMFUNC statistics with Citrix Hypervisor 8.0
• Intel Sub-Page Permission (SPP)

4.12 Statistics
• Xen releases since 2017's summit: 4.9, 4.10, 4.11, 4.12
• 68 patches, 45 in 4.12 alone
• 5 developers: Adrian Pop, Alexandru Isăilă, Petre Pîrcălabu,
Răzvan Cojocaru, Vlad Ioan Topan

VMI on AMD
• Basic vm_event support done
• All PT-walks trigger a write NPT #PF
• No Intel MTF-like support
• Realtime-VMI is essentialy a "no-go"

The 'Windows 10 RS4' event
• Huge slowdown due to frequent PT modifications
• Worked-around with a tiny in-guest filter (injected)
• Proper solution: #VE agent
• 64bit only

The A/D bits conundrum
• We need to emulate A/D bit updates
• There are three methods:
• Optimistic (PTE-level):
• If accessed is unset, set it
• If accessed is set, set dirty if PTE is writable
• Using the emulator: perform a full guest PT walk and update A/D according
to the current instruction
• Single-step via MTF

• #VE / VMFUNC statistics with Citrix Hypervisor 8.0
Firefox Chrome
Opening multiple pages in multiple tabs (Y: seconds)

• Intel Sub-Page Permission (SPP)
• Controlled by VMCS and EPTE[61]
• Write protection only
• Sub-page size: 128 bytes
• Protect OS structures smaller than 4K
• Mostly read-only but live in pages written often
• Typical candidates (Windows): driver objects, IDT, HAL dispatch
table

Mais conteúdo relacionado

Semelhante a XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender

ISBG 2015 - Challenge accepted: IBM Cloud onboarding & Upgrades to IBM Notes ...

Christoph Adler

Foreman plays a central role in today's open source datacenter infrastructure. Although the webinterface is nice and the Hammer CLI is useful for basic scripting in order to build complete deployment pipelines, you want all your infrastructure as code. This is what foreman_provision is about. This talk will detail the rational behind foreman_provision and will showcase how it might fill gaps in your fully automated infrastructure provisioning. About Nils Domrose Nils works for Germany based inovex GmbH as a senior linux systems engineer and system architect. He designs and implements opensource software defined datacenter solutions. During the last 15 years Nils worked as a systems engineer and software developer for various ISP and Telco companies and designed and deployed several large scale, multi national services. Event: Config Management Camp, Gent, 02.02.2016 Speaker: Nils Domrose, inovex GmbH Mehr Tech-Vorträge: https://www.inovex.de/de/content-pool/vortraege/

foreman_provision – Infrastructure as code

inovex GmbH

Organizations are investing in Splunk and ServiceNow for real-time enterprise-wide visibility for faster identification, mitigation and resolution of issues that can impact the business. However, without the mainframe, these solutions have a glaring blind spot. Applications span multiple platforms and networks, requiring an enterprise-wide view of security, critical incidents and outages that can bring business to a halt. The costs incurred to troubleshoot and remediate performance issues and outages can quickly become a major expense. Learn how leading IT organizations support critical security and operational enterprise initiatives by integrating important mainframe information with these platforms, without disrupting the mainframe, or the teams that support it. Watch this on-demand webinar to discover: · The benefits for including mainframe data in Splunk and ServiceNow · What you can learn with a complete view of your entire IT environment · Best practices for integrating mainframe data

Why Integrating IBM Z into ServiceNow and Splunk Is So Important

Precisely

Presentation design - key concepts and approaches for designing your deskto...

xKinAnx

.NET Core Summer event 2019 in Brno, CZ - .NET Core Networking stack and perf...

Karel Zikmund

Criteo Labs Infrastructure Tech Talk Meetup Nov. 7

Shuo LI

DNUG 2017 - IBM Notes Performance Boost - Reloaded

Christoph Adler

DotNext 2017 in Moscow - .NET Core Networking stack and Performance -- Karel ...

Karel Zikmund

PTC Windchill ESI 9.x Architecture

Gandhavalla Informatics Pvt Ltd.

After one year of regular work on our build mechanism and Continuous Integration infrastructure, we are able to provide RCP products, along with their complete test suite, more than 3 times faster than before. And guess what, we are using less physical resources. The path to this result was quite long and sometimes tedious, but we finally managed it. I will share our experience and provide tips so you can speed up your own build. I will also mention which improvements are coming. I will explain the methods used to identify bottlenecks and which technical solutions we applied (and the ones we dropped). This talk will go through the usage and possibilities brought by Tycho, Target Platforms, Hudson/Jenkins with some of its plugins and a Maven Repository Manager

Time to build and test results 3x faster - how we did it

Bonitasoft

Time to build and test results 3x faster - how we did it

Aurélien Pupier

Introduction to Core 4

simonjj

InfiniBox z pohledu zákazníka

MarketingArrowECS_CZ

The next version of Windows 10 is not just for the gamers and digital content creators, business users will have also a number of benefits. As Microsoft says, Windows 10 is built for modern IT, offering advanced features for security, manageability and new experiences for the business users driving the digital transformation inside of the corporate networks. This talk will cover the most important (and most expected) Windows 10 new and improved features for enterprise along with the best additions for business users.

Windows 10 Creators Update: what’s on tap for business users - Ionut Balan

ITCamp

Deskpool making vdi cost effective for smb

DongLiwu

The Best of MMS 2013

C/D/H Technology Consultants

7 reasons why video conferencing world will never

TrueConf

For the full video of this presentation, please visit: https://www.embedded-vision.com/platinum-members/intel/embedded-vision-training/videos/pages/may-2017-embedded-vision-summit-mcveigh For more information about embedded vision, please visit: http://www.embedded-vision.com Jeff McVeigh, Vice President in the Software and Services Group and General Manager of visual computing products at Intel, presents the "Vision for All?" tutorial at the May 2017 Embedded Vision Summit. So, you’ve decided to incorporate visual intelligence into your device or application. Will you need a team of computer vision PhDs working for years? Or will it simply be a matter of choosing the right off-the-shelf frameworks, modules and tools? The palette of available off-the-shelf computer vision software and algorithm resources is advancing fast. As a result, for some types of vision capabilities, it’s increasingly practical for software developers who aren’t vision specialists to add vision capabilities to their products. At the same time, there remain many use cases where development “from scratch” is required. In this talk, McVeigh shares his perspective on the state of vision software development today, where it’s heading, and the key opportunities and challenges in this realm for both novices and experts.

"Vision for All?," a Presentation from Intel

Edge AI and Vision Alliance

What's New in Hyper-V 2016 - Thomas Maurer

ITCamp

Presentation

joelvivekbandi

Semelhante a XPDDS19: Memories of a VM Funk - Mihai Donțu, Bitdefender (20)

ISBG 2015 - Challenge accepted: IBM Cloud onboarding & Upgrades to IBM Notes ...

foreman_provision – Infrastructure as code

Why Integrating IBM Z into ServiceNow and Splunk Is So Important

Presentation design - key concepts and approaches for designing your deskto...

.NET Core Summer event 2019 in Brno, CZ - .NET Core Networking stack and perf...

Criteo Labs Infrastructure Tech Talk Meetup Nov. 7

DNUG 2017 - IBM Notes Performance Boost - Reloaded

DotNext 2017 in Moscow - .NET Core Networking stack and Performance -- Karel ...

PTC Windchill ESI 9.x Architecture

Time to build and test results 3x faster - how we did it

Introduction to Core 4

InfiniBox z pohledu zákazníka

Windows 10 Creators Update: what’s on tap for business users - Ionut Balan

Deskpool making vdi cost effective for smb

The Best of MMS 2013

7 reasons why video conferencing world will never

"Vision for All?," a Presentation from Intel

What's New in Hyper-V 2016 - Thomas Maurer

Presentation

Mais de The Linux Foundation

Static partitioning is used to split an embedded system into multiple domains, each of them having access only to a portion of the hardware on the SoC. It is key to enable mixed-criticality scenarios, where a critical application, often based on a small RTOS, runs alongside a larger non-critical app, typically based on Linux. The two domains cannot interfere with each other. This talk will explain how to use Xen for static partitioning. It will introduce dom0-less, a new Xen feature written for the purpose. Dom0-less allows multiple VMs to start at boot time directly from the Xen hypervisor, decreasing boot times drastically. It makes it very easy to partition the system without virtualization overhead. Dom0 becomes unnecessary. This presentation will go into details on how to setup a Xen dom0-less system. It will show configuration examples and explain device assignment. The talk will discuss its implications for latency-sensitive and safety-critical environments.

ELC2019: Static Partitioning Made Simple

The Linux Foundation

TrenchBoot is a cross-community OSS integration project for hardware-rooted, late launch integrity of open and proprietary systems. It provides a general purpose, open-source DRTM kernel for measured system launch and attestation of device integrity to trust-centric access infrastructure. TrenchBoot closes the UEFI Measurement Gap and reduces the need to trust system firmware. This talk will introduce TrenchBoot architecture and a recent collaboration with Oracle to launch the Linux kernel directly with Intel TXT or AMD SVM Secure Launch. It will propose mechanisms for integrating the Xen hypervisor into a TrenchBoot system launch. DRTM-enabled capabilities for client, server and embedded platforms will be presented for consideration by the Xen community.

XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...

The Linux Foundation

Artem will briefly cover what has been done since the first talk on Xen in Automotive domain back in 2013, what is going on now and what is still missing for broad adaptation of Xen in vehicles. The following topics will be covered: Embedded/automotive features of Xen Collaboration with AGL and GENIVI organizations for standardization Efforts on Functional Safety compliance Artem will also go over typical automotive use scenarios for Xen which may not be the same as generic computing use of hypervisor.

XPDDS19 Keynote: Xen in Automotive - Artem Mygaiev, Director, Technology Solu...

The Linux Foundation

XPDDS19 Keynote: Xen Project Weather Report 2019 - Lars Kurth, Director of Op...

The Linux Foundation

In recent years unikernels have shown immense performance potential (e.g., boot times of only a few ms, image sizes of only hundreds of KBs).The fundamental drawback of unikernels is that they require that applications be manually ported to the underlying minimalistic OS, needing both expert work and often considerable amount of time. The Unikraft project provides a unikernel code base and build system that significantly simplifies the building of unikernels. In addition to support for a number CPU architectures, languages and frameworks, Unikraft provides debugging and tracing features that are generally sorely missing from unikernel projects. In this talk we will talk about these features, show a set of preliminary performance numbers, and provide a roadmap for the project's future.

XPDDS19 Keynote: Unikraft Weather Report

The Linux Foundation

XPDDS19 Keynote: Secret-free Hypervisor: Now and Future - Wei Liu, Software E...

The Linux Foundation

This talk will introduce Dom0-less: a new way of using Xen to build mixed-criticality solutions. Dom0-less is a Xen feature that adds a novel approach to static partitioning based on virtualization. It allows multiple domains to start at boot time directly from the Xen hypervisor, decreasing boot times dramatically. Xen userspace tools, such as xl and libvirt, become optional. Dom0-less extends the existing device tree based Xen boot protocol to cover information required by additional domains. Binaries, such as kernels and ramdisks, are loaded by the bootloader (u-boot) and advertised to Xen via new device tree bindings. The audience will learn how to use Dom0-less to partition the system. Uboot and device tree configuration details will be explained to enable the audience to get the most out of this feature. The talk will include a status update and details on future plans.

XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx

The Linux Foundation

As the number of contributions grow, reviewer bandwidth becomes a bottleneck; and maintainers are always asking for more help. However, ultimately maintainers must at least Ack every patch that goes in; so if you're not a maintainer, how can you contribute? Why should anyone care about your opinion? This talk will try to lay out some advice and guidelines for non-maintainers, for how they can do code review in a way which will effectively reduce the load on maintainers when they do come to review a patch.

XPDDS19 Keynote: Patch Review for Non-maintainers - George Dunlap, Citrix Sys...

The Linux Foundation

Safety certification is one of the essential requirements for software to be used in highly regulated industries. Besides technical and compliance issues (such as ISO 26262 vs IEC 611508) transitioning an existing project to become more easily safety certifiable requires significant changes to development practices within an open source project. In this session, we will lay out some challenges of making safety certification achievable in open source and the Xen Project. We will outline the process the Xen Project has followed thus far and highlight lessons learned along the way. The talk will primarily focus on necessary process, tooling changes and community challenges that can prevent progress. We will be offering an in-depth review of how Xen Project is approaching this challenging goal and try to derive lessons for other projects and contributors.

OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...

The Linux Foundation

Safety certification is one of the essential requirements for software to be used in highly regulated industries. The Xen Project, a secure and stable hypervisor that is used in many different markets, has been exploring the feasibility of building safety certified products on top of Xen for a year, looking at key aspects of its code base and development practices. In this session, we will lay out the motivation and challenges of making safety certification achievable in open source and the Xen Project. We will outline the process the project has followed thus far and highlight lessons learned along the way. The talk will cover technical enablers, necessary process and tooling changes and community challenges offering an in-depth review of how Xen Project is approaching this exciting and and challenging goal.

OSSJP/ALS19: The Road to Safety Certification: How the Xen Project is Making...

The Linux Foundation

2018 saw fundamental shifts in security boundaries which were previously taken for granted. A lot of work has been done in the past 2 years, and largely in secret under embargo, but there is plenty more work to be done to strengthen the existing mitigations and to try to recover some performance without reopening security holes. This talk will look at speculative execution sidechannels, the work which has already been done to mitigate the security holes, and future work which hopes to bring some improvements.

XPDDS19: Speculative Sidechannels and Mitigations - Andrew Cooper, Citrix

The Linux Foundation

The Arm architecture provides a set of guidelines that any software should abide by when accessing the memory with MMU off and update page-tables. Failing to do so may result in getting TLB conflicts or breaking coherency. In a previous talk ("Keeping coherency on Arm"), we focused on updating safely the stage-2 (aka P2M) page-tables. This talk will focus on the boot code and Xen memory management. During this session, we will introduce some of the guidelines and when they should be used. We will also discuss how Xen boot sequence needs to be reworked to avoid breaking the guidelines.

XPDDS19: Keeping Coherency on Arm: Reborn - Julien Grall, Arm ltd

The Linux Foundation

For many years the QEMU codebase has contained PV backends for Xen guests, giving them paravirtual access to storage, network, keyboard, mouse, etc. however these backends have not been configurable as QEMU devices as their implementation did not fully adhere to the QEMU Object Model (QOM). Particularly the PV storage backend not using proper QOM devices, or qdevs, meant that the QEMU block layer needed to maintain legacy code that was cluttering up the source. This was causing push-back from the maintainers who did not want to accept any patches relating to that Xen backend until it was 'qdevified'. In this talk, I'll explain the modifications I made to QEMU to achieve 'qdevification' of the PV storage backend, how compatibility with the libxl toolstack was maintained, and what the next steps in both QEMU and libxl development should be.

XPDDS19: QEMU PV Backend 'qdevification'... What Does it Mean? - Paul Durrant...

The Linux Foundation

PCI is a local computer bus for attaching hardware devices in a computer, and is the main peripheral bus on modern x86 systems. As such, having a proper way to emulate it is crucial for Xen to be able to expose both fully emulated devices or passthrough devices to guests. This talk will focus on the current status of PCI emulation in Xen, how and where it is used, what are its main limitations and future plans to improve it in order to be more robust and modular.

XPDDS19: Status of PCI Emulation in Xen - Roger Pau Monné, Citrix Systems R&D

The Linux Foundation

XPDDS19: [ARM] OP-TEE Mediator in Xen - Volodymyr Babchuk, EPAM Systems

The Linux Foundation

Xen is a very powerful hypervisor with a talented and diverse developers community. Despite the fact it's almost everywhere (from the Cloud to the embedded world), it can be difficult to set up and manage as a system administrator. General purpose distros have Xen packages, but that's just a start in your Xen journey: you need some tooling and knowledge to have a working and scalable platform. XCP-ng was built to overcome those issues: by bringing Xen to the masses with a fully turnkey distro with Xen as its core. It's the logical sequel to the XCP project, with a community focus from the start. We'll see how it happened, what we did, and what's next. Finally, we'll see the impact of XCP-ng on the Xen Project.

XPDDS19: Bringing Xen to the Masses: The Story of Building a Community-driven...

The Linux Foundation

XPDDS19: Will Robots Automate Your Job Away? Streamlining Xen Project Contrib...

The Linux Foundation

High level toolstacks for server and cloud virtualization are very mature with large communities using and supporting them. Client virtualization is a much more niche community with unique requirements when compared to those found in the server space. In this talk, we’ll introduce a client virtualization toolstack for Xen (redctl) that we are using in Redfield, a new open-source client virtualization distribution that builds upon the work done by the greater virtualization and Linux communities. We will present a case for maturing libxl’s Go bindings and discuss what advantages Go has to offer for high level toolstacks, including in the server space.

XPDDS19: Client Virtualization Toolstack in Go - Nick Rosbrook & Brendan Kerr...

The Linux Foundation

Today Xen is scheduling guest virtual cpus on all available physical cpus independently from each other. Recent security issues on modern processors (e.g. L1TF) require to turn off hyperthreading for best security in order to avoid leaking information from one hyperthread to the other. One way to avoid having to turn off hyperthreading is to only ever schedule virtual cpus of the same guest on one physical core at the same time. This is called core scheduling. This presentation shows results from the effort to implement core scheduling in the Xen hypervisor. The basic modifications in Xen are presented and performance numbers with core scheduling active are shown.

XPDDS19: Core Scheduling in Xen - Jürgen Groß, SUSE

The Linux Foundation

The use of Virtual GPUs (vGPUs) has widely grown in server farms to give Virtual Machines (VMs) dedicated graphics. Software rendering with virtual CPUs can only take us so far and even with Intel-GVT, which uses integrated graphics, there isn't enough power to do the fun stuff. In this presentation, Jon Farrell will be talking about the process of implementing AMD MxGPU on Xen, challenges that he encountered while doing it, and discussing performance metrics of bare metal and vGPU VM on popular benchmarks like 3D Mark* and The Witcher 3. To wrap up his presentation, Jon will share his thoughts about future research and where this technology can take us.

XPDDS19: Implementing AMD MxGPU - Jonathan Farrell, Assured Information Security

The Linux Foundation

Mais de The Linux Foundation (20)