Kernel: New Mesa RC, KVM Update, and Security Posturing From NSA-Connected Companies
-
[ANNOUNCE] mesa 22.2.0-rc2
Hi list,
It's that time again, mesa 22.2-rc2 is now available. We've had lots of changes here, including a bug in my release script setting the version to 22.2.0 (oops)! Per normal, Mike is leading the pack with zink changes, but we've got fixes all over the tree here.
See you again next week, same bat time, same bat channel,
Dylan
-
Direct host system calls from KVM [LWN.net]
As a general rule, virtualization mechanisms are designed to provide strong isolation between a host and the guest systems that it runs. The guests are not trusted, and their ability to access or influence anything outside of their virtual machines must be tightly controlled. So a patch series allowing guests to execute arbitrary system calls in the host context might be expected to be the cause of significantly elevated eyebrows across the net. Andrei Vagin has posted such a series with the expected results.
The use case for Vagin's work is gVisor, a container-management platform with a focus on security. Like a full virtualization system, gVisor runs containers within a virtual machine (using KVM), but the purpose is not to fully isolate those containers from the system. Instead, KVM is used to provide address-space isolation for processes within containers, but the resulting virtual machines do not run a normal operating-system kernel. Instead, they run a special gVisor kernel that handles system calls made by the contained processes, making security decisions as it goes.
That kernel works in an interesting way; it maps itself into each virtual machine's address space to match its layout on the host, then switches between the two as needed. The function to go to the virtual-machine side is called, perhaps inevitably, bluepill(). The execution environment is essentially the same on either side, with the same memory layout, but the guest side is constrained by the boundaries placed on the virtual machine.
-
Google wants to make Linux kernel flaws harder to exploit [Ed: ZDNet's Microsoft booster says "Google wants to make Linux kernel flaws harder to exploit", but it was actually Google that put NSA back-doored ciphers inside the Linux kernel. Selective amnesia?]