SMEP and KVM – sounds interesting

Recently a patch was dropped into the KVM community – adding support for the Intel SMEP cpu feature (if available on the CPU). I thought to myself, what the hell is SMEP?

According to the Intel Software Developers Manual it is “Supervisor-Mode Execution Prevention” – this sounds like a great thing, as the kernel is prevented from executing ‘user data’ (code sitting in user-mode pages) while in supervisor mode – i.e. if there is an exploit that delivers a page of data and tricks the kernel into executing it, then this won’t happen and a fault will be triggered instead. This sounds like a neat piece of work, and as it’s all h/w based there should be little overhead.

Like me, I’m guessing you’re wondering whether your system has the SMEP cpu feature; this code will show you. Don’t be disappointed if your cpu doesn’t have it – it’s a very new feature and I can’t even find which cpu’s implement it.
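As an added example (my own, not the code the post links to), here is the CPUID check in C: the Intel SDM reports SMEP support in CPUID.(EAX=07H,ECX=0):EBX bit 7, which is the same bit Linux prints as the “smep” flag in /proc/cpuinfo. The decode step is split out so it can be exercised on a constructed EBX value on any machine.

```c
/* Detect the SMEP CPU feature via CPUID (added example, not from the post).
 * Intel SDM: CPUID.(EAX=07H,ECX=0):EBX bit 7 == SMEP supported.
 * Note: this only says the CPU *can* do SMEP. Whether the kernel has turned
 * it on lives in CR4.SMEP (bit 20), which is readable only from ring 0. */
#include <stdio.h>
#include <stdint.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

#define CPUID_LEAF_STRUCT_EXT_FEATURES 7u
#define SMEP_EBX_BIT (1u << 7)

/* Pure decode of the leaf-7 EBX register; testable with constructed input. */
int smep_supported_from_ebx(uint32_t ebx)
{
    return (ebx & SMEP_EBX_BIT) != 0;
}

/* Query the running CPU. Returns 1 if SMEP is reported, 0 if not,
 * -1 if it cannot be queried (non-x86 build, or CPUID leaf 7 absent). */
int cpu_has_smep(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    /* __get_cpuid_count returns 0 when leaf 7 is above the CPU's max leaf. */
    if (!__get_cpuid_count(CPUID_LEAF_STRUCT_EXT_FEATURES, 0,
                           &eax, &ebx, &ecx, &edx))
        return -1;
    return smep_supported_from_ebx(ebx);
#else
    return -1;
#endif
}

int main(void)
{
    int r = cpu_has_smep();
    if (r < 0)
        puts("CPUID leaf 7 not available on this CPU/build");
    else
        printf("SMEP %s\n", r ? "supported" : "not supported");
    return 0;
}
```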

Anyway, it’s a step in the right direction, and that future direction will hopefully allow hypervisors to be that little bit more secure from untrusted VMs and provide a VM ‘shell’ environment that’s a little more secure for the VMs. Unfortunately, the way things currently stand the usefulness for KVM is unlikely to be immediately realised, as Intel engineers suggest enabling SMEP without a guest VM’s knowledge is likely to be ‘problematic’.


Tidbit #2

  • Over at the Citrix Community Blog they continue their discussion about using PowerShell to manage XenDesktop. To me, PowerShell is ok, and it’s really nice to see what is a dramatic improvement in Windows scripting capability, but when you’ve come from a Linux platform with the wealth of scripting languages available you struggle to be super impressed. Don’t get me wrong, PowerShell is a fantastic step forward for Windows scripting. That being said, a lot of virtualisation vendors are putting considerable effort into adding cmdlets for PowerShell to manage their hypervisors. Those toolkits often aren’t available in equivalent form for Linux, so even with the superior scripting possibilities you’re lacking the high level virtualisation constructs to wrap that wonderful scripting technology around. There’s a definite trend to manage virtual infrastructure with PowerShell. Personally, I’d prefer another option.
  • Oracle transforms SGE (Sun Grid Engine) from free to a 90 day evaluation. It’s pretty sad, but Oracle is far better at making money than Sun was, so I can understand why they’re doing it. I’m not sure the current user base is sufficiently cashed up to make the transition, and I suspect most will look around for alternatives and only pay if they can’t find one.
  • Oracle released a white paper on Architectural Strategies for Cloud Computing
  • Citrix and HP produced an interesting whitepaper on Analyzing Citrix XenServer persistent performance metrics from Round Robin Database logs – it’s important to measure and monitor performance of your virtual infrastructure, you pay enough for it, make sure it’s performing properly 🙂
  • Something of interest to me is that Google have finally released their chat client for Linux. Am I still a second class Google citizen because I run Linux?
  • Veeam released a lite (read as free) version of their reporter product
  • An excellent summary of The State of Open Source System Automation by Aleksey Tsalolikbin over at linux-mag is well worth a look if you want to understand the state of play for linux automation.
  • RHEV bug RHSA-2010:0627-01: DoS or possible privilege escalation on the host. The geek in me wants to explore this a bit more – damn you free time, where are you?
  • Another excellent whitepaper on VMware vCenter Server Performance and Best Practices for vSphere 4.1 from VMware.
  • Great howto on Installing And Using OpenVZ On Ubuntu 10.04. OpenVZ creates secure Linux containers. If you’re only running a Linux workload and thinking about virtualising it then it’s worth a closer look. Of course libvirt can manage OpenVZ based Linux virtualisation.

pxe boot kvm guests

Bang Bang Bang – that’s my head on the table. Why won’t my Ubuntu Lucid KVM system PXE boot VMs?

Starting SeaBIOS (version 0.5.1-20100120_010601-rothera)

No bootable device.

is all I got when using -boot n.

Clearly something was wrong – and it was: there were no PXE boot ROMs in /usr/share/kvm.

It seems the problem sources back to this original Ubuntu bug report, which details how Ubuntu wouldn’t ship the PXE ROMs as there is no source for them.

Anyway, I needed to install kvm-pxe from lucid universe, and hey presto:

# dpkg -L kvm-pxe
/.
/usr
/usr/share
/usr/share/kvm
/usr/share/kvm/pxe-e1000.bin
/usr/share/kvm/pxe-ne2k_pci.bin
/usr/share/kvm/pxe-pcnet.bin
/usr/share/kvm/pxe-rtl8139.bin
/usr/share/kvm/pxe-virtio.bin

PXE booting now works…. you may all return to your scheduled viewing.