openbsd vmm vmd update
play

OpenBSD vmm/vmd Update Mike Larkin bhyvecon 2019 20 Mar 2019 - PowerPoint PPT Presentation

Apr 03, 2024 •251 likes •729 views

OpenBSD vmm/vmd Update Mike Larkin bhyvecon 2019 20 Mar 2019 Tokyo, Japan Agenda Where we were a year ago Current status Future plans Q&A One Year Ago ... Reasonably complete support for OpenBSD and Linux guests

  1. OpenBSD vmm/vmd Update Mike Larkin bhyvecon 2019 20 Mar 2019 – Tokyo, Japan

  2. Agenda ● Where we were a year ago ● Current status ● Future plans ● Q&A

  3. One Year Ago ... ● Reasonably complete support for OpenBSD and Linux guests ● amd64 and i386 host support ● SVM/VMX support ● Scaffolding and tools to support the above – vmd(8)/vmctl(8)

  4. This Past Year ... ● Adding new/core features – Disk snapshotting – Template VMs ● Security Improvements – Removing lazy FPU support – L1TF mitigation ● Platform improvements – Bug fixing / paying down technical debt

  5. This Past Year (cont’d) ... ● Community involvement – Commercial deployments of vmm hosting providers – Usage of vmm(4) without vmd(8) for other use cases

  6. 2018 vmm(4) Improvements ● Platform improvements ● Correctness improvements ● Performance/stability improvements ● Security improvements ● Some of these improvements impart new functionality, some are bug fixes

  7. 2018 vmm(4) Platform Improvements ● Platform improvements – Instruction emulation improved – Support added for qemu fw_cfg interface – Support guest OS %drX registers – Platform support for PXE boot – Implement missing PIC functionality

  8. 2018 vmm(4) Platform Improvements ● Instruction emulation fixes/improvement – RDTSCP – Incorrect implementation broke SmartOS boot – MONITOR/MONITORX – Broke booting Linux on Ryzen hosts ● QEMU fw_cfg interface support – Allows passing boot parameters from SeaBIOS into the VM

  9. 2018 vmm(4) Platform Improvements ● Support for guest %drX registers – Allows hardware breakpoint usage inside guest VM – (OpenBSD doesn’t use these itself, was a subject of a security vulnerability affecting other OSes last year)

  10. 2018 vmm(4) Platform Improvements ● Platform support for PXE boot – Implemented after last EuroBSDcon – Requires iPXE extension ROM image – Can be handled for OpenBSD guests differently (discussed later) ● Implemented missing PIC functionality – Basically bug fixes

  11. 2018 vmm(4) Correctness Improvements ● Correctness improvements – Many fixes in CPUID emulation – Add support for older CPUs without XSAVE – Handle certain SMM-related MSRs properly

  12. 2018 vmm(4) Correctness Improvements ● CPUID improvements – Handle misreported large leaf function #s – Proper topology reporting – Handle bizarre “rex extended CPUID” instruction used in TempleOS – Properly report physical address limits for the host CPU ● Allows VMs with much larger memory

  13. 2018 vmm(4) Correctness Improvements ● Support CPUs without XSAVE – Older CPUs don’t have this ● Handle reserved SMM-related MSRs – SDM reference guide says these should #GP on use (previously ignored, or returned 0)

  14. 2018 vmm(4) Performance Improvements ● We improved the SVM situation significantly last year … – Interrupt window handling was totally broken before (fixed) – RFLAGS.IF handling was totally broken before (fixed) – Each exit would lock/unlock the kernel lock up to 4 times during exit processing before (now zero)

  15. 2018 vmm(4) Performance Improvements ● #UD on VMX instructions – “Inspired” by a KVM bug – Previously, guest usermode program could crash the VM since these instructions exit before checking CPL ● We would terminate the VM before … ● #GP on invalid %cr0 / %cr4 bits – Previously terminated the guest

  16. 2018 vmm(4) Performance Improvements ● Many of these improvements replaced “terminate the guest” with functionality appropriate for the case – The “terminate the guest” on anything unexpected was a remnant from early development – We can start to relax these conditions now

  17. 2018 vmm(4) Security Improvements ● Removed lazy FPU handling as part of the larger OS-wide effort ● And of course there was L1TF last August...

  18. 2018 vmm(4) Security Improvements ● L1TF primer – Allows read of data in L1 cache – EPT addresses are treated as physical addresses (!) – Basically means a guest can read data out of L1 that likely was placed there while running in VMX root mode

  19. 2018 vmm(4) Security Improvements ● L1TF entry semantics (now) – Flush L1 cache – Enter guest – … ● How do you flush L1? – And is it only L1D or is there L1I → L1D leakage too?

  20. 2018 vmm(4) Security Improvements ● New microcode has “flush L1” command MSR ● What if you don’t have the new microcode? – Read a bunch of junk, hopefully fill all of L1D what you read – What about the cachelines you touch after that, but before the entry (guest CPU registers)? – And what about L1I, anyway?

  21. 2018 vmm(4) Security Improvements ● Our L1TF ‘junk’ data consists of 64KB of ‘0xcc’, just in case there is L1D→L1I leakage – Of course nobody who knows has said anything

  22. 2018 vmm(4) Security Improvements ● Maxime from NetBSD also reported a bug in our handling of xsetbv arguments ● Thanks Maxime!

  23. 2018 vmd(8)/vmctl(8) Improvements ● Most of the more impactful improvements came in vmd(8) and vmctl(8) – Qcow2 disk support – Disk snapshots – Template VMs – More user friendly vmctl(8) options

  24. 2018 vmctl(8)/vmd(8) Improvements ● Qcow2 disk support – Supported in “standalone” or “base + snapshot” mode – Integrated into vmctl(8) and vmd(8) ● Old “raw” format still supported – Both modes “sparse” but qcow2 is “lazy allocated” (image grows over time)

  25. 2018 vmd(8)/vmctl(8) Improvements ● Qcow2 (cont’d) – vmctl(8) can create qcow2 disks: -kadath- ~> vmctl create foo.raw -s 10g vmctl: raw imagefile created -kadath- ~> vmctl create foo.qcow2 -s 10g vmctl: qcow2 imagefile created -kadath- ~> ls -la foo.* -rw------- 1 mlarkin wheel 262144 Mar 18 21:30 foo.qcow2 -rw------- 1 mlarkin wheel 10737418240 Mar 18 21:30 foo.raw

  26. 2018 vmd(8)/vmctl(8) Improvements ● Qcow2 (cont’d) – vmctl(8) can convert disks: -kadath- ~> vmctl create foo2.raw -i foo.qcow2 vmctl: raw imagefile created -kadath- ~> ls -la foo* -rw------- 1 mlarkin wheel 262144 Mar 18 21:30 foo.qcow2 -rw------- 1 mlarkin wheel 10737418240 Mar 18 21:30 foo.raw -rw------- 1 mlarkin wheel 10737418240 Mar 18 21:33 foo2.raw

  27. 2018 vmd(8)/vmctl(8) Improvements ● Qcow2 (cont’d) – Sparseness is preserved: -kadath- ~> du -h foo* 192K foo.qcow2 192K foo.raw 192K foo2.raw

  28. 2018 vmd(8)/vmctl(8) Improvements ● Qcow2 (cont’d) – Base image + snapshot: -kadath- ~> vmctl create derived.qcow2 -s 10G -b foo.qcow2 vmctl: qcow2 imagefile created -kadath- ~> ls -la *qcow2 -rw------- 1 mlarkin wheel 262144 Mar 18 21:37 derived.qcow2 -rw------- 1 mlarkin wheel 262144 Mar 18 21:30 foo.qcow2

  29. 2018 vmd(8)/vmctl(8) Improvements ● Qcow2 (cont’d) – Base image + snapshot accumulates all disk changes in snapshot disk – Rollback? ● rm derived.qcow2 ● Restore previous derived.qcow2, restart VM – It would be nice to have rollback/rollforward be a new vmctl option (any takers?)

  30. 2018 vmd(8)/vmctl(8) Improvements ● vmctl(8) new command options for easier VM management – vmctl start -B xxx ● Set boot device (OpenBSD guests) ● Used for autoinstalling guest VMs via network (vmctl start -B net …) – vmctl stop -a ● Stop all VMs (used for shutdown scripts)

  31. 2018 vmd(8)/vmctl(8) Improvements ● vmctl(8) new command options for easier VM management – vmctl stop -f ● Force kill (terminate) a VM ● Don’t wait for vmmci(4)

  32. 2018 vmd(8)/vmctl(8) Improvements ● Template VMs – vmctl start -t – Allows for quick and easy “cloning” of VM settings -t name Use an existing VM with the specified name as a template to create a new VM instance. The instance will inherit settings from the parent VM, except for exclusive options such as disk, interface lladdr, or interface names.

  33. 2018 vmm(4)/vmd(8) Misc Improvements ● We finally retired i386 hosts – It served its purpose during early development – Found a lot of bugs – Wasn’t really worth maintaining anymore ● Of course i386 guests still work

  34. 2019 Goals ● We did pretty well reducing the bug count in 2018 – But there are still many ● Solicit community involvement – Glad to have lots of new faces at the vmm table ● SMP is likely my personal #1 goal – We’ve done just about everything else interesting

  35. New Ideas For vmm(4) ● Underjack update ● Nested virtualization update

  36. New Ideas For vmm(4) ● Last year I talked about the underjack approach – Putting vmm(4) underneath the host – Run host as a VM itself – Allows XO (execute only) memory in the host ● XO memory is one defence against ROP attacks – Go see Todd Mortimer’s talk about RETGUARD this week for another defence!

  37. New Ideas For vmm(4) ● Underjack (cont’d) – Kernel is working (was completed after last year’s BhyveCon) – How do you handle running VMs in vmm(4) when the host machine itself is a VM?

  38. New Ideas For vmm(4) ● Host/root partition approach – Host treated as VM until launching a new (child) VM in vmm(4) via vmctl(8) – Temporarily exit host VM – Enter guest context as usual – Re-enter host VM context after exit – Repeat ad nauseum ● This approach treats the host and guest VMs as peers of each other – Difficult to support nested XO memory

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Porting OpenBSD Niall OHiggins <niallo@openbsd.org> Uwe Sthler <uwe@openbsd.org>

Porting OpenBSD Niall OHiggins <niallo@openbsd.org> Uwe Sthler <uwe@openbsd.org>

Porting OpenBSD Niall OHiggins <niallo@openbsd.org> Uwe Sthler <uwe@openbsd.org> OpenCON, 2005 Outline 1 Porting OpenBSD What It Takes Preparation Cross-Development The Boot Loader Building The Kernel Adapting Startup

1.59k views • 88 slides
OpenBSD vmm/vmd Update Mike Larkin bhyvecon 2018 09 Mar 2018 Tokyo, Japan Agenda Where

OpenBSD vmm/vmd Update Mike Larkin bhyvecon 2018 09 Mar 2018 Tokyo, Japan Agenda Where

OpenBSD vmm/vmd Update Mike Larkin bhyvecon 2018 09 Mar 2018 Tokyo, Japan Agenda Where we were a year ago Current status Future plans Q&A One Year Ago ... Limited guest VM choices Decent support for OpenBSD

852 views • 33 slides
Supporting Radio Clocks in OpenBSD Marc Balmer < mbalmer@openbsd.org > micro systems/OpenBSD

Supporting Radio Clocks in OpenBSD Marc Balmer < mbalmer@openbsd.org > micro systems/OpenBSD

Supporting Radio Clocks in OpenBSD Marc Balmer < mbalmer@openbsd.org > micro systems/OpenBSD BSDConTr, Istanbul, Turkey Agenda 1 Introduction 2 Radio Clocks 3 Architectural Overview 4 Support for GPS-Receivers 5 Support for Time Signal

745 views • 35 slides
Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org

Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org

Reflections|Projections 2007 Using OpenBSD Security Features to Find Software Bugs Peter Valchev pvalchev@openbsd.org Overview of OpenBSD History Berkeley Software Distribution (BSD) First freely distributable BSD was released in June

810 views • 24 slides
Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction

Fuzzing the OpenBSD Kernel Part 1/N Anton Lindqvist <anton@openbsd.org> Introduction Fuzzing the OpenBSD kernel using the syzkaller kernel fuzzer. Heard about first on the BSD Now podcast back in April 2018. Ongoing effort, hence 1/N in

668 views • 15 slides
Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler

Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler

Using BGP for realtime import and export of OpenBSD spamd entries Peter Hessler phessler@openbsd.org OpenBSD 17 March, 2013 1 / 27 what is this spamd uses IP host entries, to whitelist, blacklist or greylist hosts spamd can import and

412 views • 27 slides
Mininet on OpenBSD Using rdomains for Interactive SDN Testing and Development Ayaka Koshibe

Mininet on OpenBSD Using rdomains for Interactive SDN Testing and Development Ayaka Koshibe

Mininet on OpenBSD Using rdomains for Interactive SDN Testing and Development Ayaka Koshibe akoshibe@openbsd.org AsiaBSDCon 2018 SDN? Network split into programmable nodes that handle traffic and entities that program them

372 views • 26 slides
LSE Summer Week 2016 16 July, 2016 Antoine Jacoutot <ajacoutot@openbsd.org> whoami(1)

LSE Summer Week 2016 16 July, 2016 Antoine Jacoutot <ajacoutot@openbsd.org> whoami(1)

OpenBSD rc.d(8) LSE Summer Week 2016 16 July, 2016 Antoine Jacoutot <ajacoutot@openbsd.org> whoami(1) OpenBSD developer since 2006 ajacoutot@ aka aja@ sysmerge, rc.d, rcctl, libtool, stuff, other stuff >400 ports,

1.19k views • 64 slides
OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to

OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to

OpenBSD: add VMM to packer The red pill taken to develop a Go plugin for packer.io to be able to create VM images on OpenBSD for VMM and many other virtualizers. Philipp Bhler <pb@sysfive.com> @pb_double sysfive.com portfolio

510 views • 20 slides
OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis <giovanni@openbsd.org>

OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis <giovanni@openbsd.org>

OpenSMTPD over the clouds the story of an HA setup Giovanni Bechis <giovanni@openbsd.org> Fosdem 2020, Brussels Historical setup some OpenBSD mail servers Postfix + Apache SpamAssassin + Amavisd-new + Courier Imap no shared

310 views • 20 slides
Removing ROP Gadgets from OpenBSD AsiaBSDCon 2019 Todd Mortimer mortimer@openbsd.org Overview

Removing ROP Gadgets from OpenBSD AsiaBSDCon 2019 Todd Mortimer mortimer@openbsd.org Overview

Removing ROP Gadgets from OpenBSD AsiaBSDCon 2019 Todd Mortimer mortimer@openbsd.org Overview Return Oriented Programming Removing ROP Gadgets Unaligned / Polymorphic Gadget Reduction Aligned Gadget Reduction Results Return

1.99k views • 99 slides
Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier

Design and Performance of the OpenBSD Stateful Packet Filter (pf) Daniel Hartmeier dhartmei@openbsd.org Systor AG Usenix 2002 p.1/22 Introduction part of a firewall, working on IP packet level (vs. application level proxies or ethernet

455 views • 33 slides
Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org EuroBSDCon, September 2019

Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org EuroBSDCon, September 2019

What did exist before? How does it work? What are the findings? What is the Conclusion? Measuring Performance on OpenBSD Alexander Bluhm bluhm@openbsd.org EuroBSDCon, September 2019 What did exist before? How does it work? What are the

491 views • 48 slides
OpenBSDs new httpd AsiaBSDCon 2015 Reyk Flter (reyk@openbsd.org)

OpenBSDs new httpd AsiaBSDCon 2015 Reyk Flter (reyk@openbsd.org)

I n t ro d u c i n g OpenBSDs new httpd AsiaBSDCon 2015 Reyk Flter (reyk@openbsd.org) ESDENERA NETWORKS GmbH Why do we need a web server in base? Serve the OpenBSD page. Why do we need a web server

264 views • 22 slides
Game of Trees Stefan Sperling < stsp@openbsd.org > EuroBSDcon 2019 What is Game of Trees?

Game of Trees Stefan Sperling < stsp@openbsd.org > EuroBSDcon 2019 What is Game of Trees?

Game of Trees Stefan Sperling < stsp@openbsd.org > EuroBSDcon 2019 What is Game of Trees? Game of Trees is a work-in-progress version control system which attempts to be appealing to OpenBSD developers. designed and written from scratch

1.08k views • 72 slides
Recent work in OpenBSD relayd AsiaBSDCon 2013 Reyk

Recent work in OpenBSD relayd AsiaBSDCon 2013 Reyk

Recent work in OpenBSD relayd AsiaBSDCon 2013 Reyk Flter (reyk@openbsd.org) Agenda History & Background Recent work SSL Interception Socket

533 views • 19 slides
Institutionalizing FreeBSD Isolated and Virtualized Hosts Using bsdinstall(8) , zfs(8) and nfsd(8)

Institutionalizing FreeBSD Isolated and Virtualized Hosts Using bsdinstall(8) , zfs(8) and nfsd(8)

Institutionalizing FreeBSD Isolated and Virtualized Hosts Using bsdinstall(8) , zfs(8) and nfsd(8) editor@callfortesting.org @MichaelDexter BSDCan 2018 Jails and bhyve FreeBSDs had Isolation since 2000 and Virtualization since 2014 Why

1.13k views • 76 slides
RDMA over Commodity Ethernet at Scale Chuanxiong Guo, Haitao Wu, Zhong Deng, Gaurav Soni, Jianxi

RDMA over Commodity Ethernet at Scale Chuanxiong Guo, Haitao Wu, Zhong Deng, Gaurav Soni, Jianxi

RDMA over Commodity Ethernet at Scale Chuanxiong Guo, Haitao Wu, Zhong Deng, Gaurav Soni, Jianxi Ye, Jitendra Padhye, Marina Lipshteyn ACM SIGCOMM 2016 August 24 2016 Outline RDMA/RoCEv2 background DSCP-based PFC Safety challenges

462 views • 20 slides
Cluster Computing with OpenHPC Karl W. Schulz, Ph.D. Technical Project Lead, OpenHPC Community

Cluster Computing with OpenHPC Karl W. Schulz, Ph.D. Technical Project Lead, OpenHPC Community

http://openhpc.community Cluster Computing with OpenHPC Karl W. Schulz, Ph.D. Technical Project Lead, OpenHPC Community Scalable Datacenter Solutions Group, Intel HPC PCSYS YSPR PROS16 Workshop, SC16 November 14 ! Salt Lake City, Utah

697 views • 18 slides
A short introduction to our new rx7620 1 December 1, 2005 Basic Properties 8 CPUs - 1.6GHz

A short introduction to our new rx7620 1 December 1, 2005 Basic Properties 8 CPUs - 1.6GHz

A short introduction to our new rx7620 1 December 1, 2005 Basic Properties 8 CPUs - 1.6GHz Itanium2 (6MB L3 cache) 8GB RAM 14 PCI-X slots ( o nly ~8GB/s total I/O) Supports hardware partitioning No VGA port access

273 views • 11 slides
Overview of Distributed Computing signin.ritlug.com (pray it works!) Summary Data

Overview of Distributed Computing signin.ritlug.com (pray it works!) Summary Data

Overview of Distributed Computing signin.ritlug.com (pray it works!) Summary Data crunching (supercomputers) Rendering (render farms, Hollywood, Pixar, etc.) High availability (failover of things like web apps) Data

573 views • 19 slides
Scalability Testing of Kadeploy using Virtual Machines on Grid5000 Luc Sarzyniec, S

Scalability Testing of Kadeploy using Virtual Machines on Grid5000 Luc Sarzyniec, S

Scalability Testing of Kadeploy using Virtual Machines on Grid5000 Luc Sarzyniec, S ebastien Badia, Emmanuel Jeanvoine, Lucas Nussbaum Grid5000 Scalability testing of Kadeploy on Grid5000 1 / 10 Scalability Testing of Kadeploy

1.29k views • 45 slides
Xen-OSCAR: OSCAR Testing with Xen Geoffroy Vallee, Stephen L. Scott Oak Ridge National Laboratory

Xen-OSCAR: OSCAR Testing with Xen Geoffroy Vallee, Stephen L. Scott Oak Ridge National Laboratory

Xen-OSCAR: OSCAR Testing with Xen Geoffroy Vallee, Stephen L. Scott Oak Ridge National Laboratory Introduction OSCAR testing is difficult (for both OPKG and OSCAR core) need to setup a fresh head-node every time need to access

394 views • 18 slides
HPC @ UL & new Trends in Europe and Abroad Path to Exascale Dr. Sebastien Varrette Oct. 24

HPC @ UL & new Trends in Europe and Abroad Path to Exascale Dr. Sebastien Varrette Oct. 24

HPC @ UL & new Trends in Europe and Abroad Path to Exascale Dr. Sebastien Varrette Oct. 24 th , 2017 University of Luxembourg (UL), Luxembourg Keynote, 8th Intl. SuperComputing Camp (SC-Camp 2017), Cadiz, Spain Dr. Sebastien Varrette

1.56k views • 70 slides

More recommend