The Siemens company
The hypervisor is implemented as a Linux kernel module and provides virtualization at the kernel level. The guest-side components are already included in the mainline Linux kernel. Isolation is enforced with the hardware virtualization mechanisms provided by modern CPUs. What distinguishes Jailhouse is its lightweight implementation and its focus on binding virtual machines to a fixed CPU, RAM region and set of hardware devices. This approach lets a single physical multiprocessor server run several independent virtual environments, each of which is assigned its own processor core.
With strict binding to the CPU, the hypervisor's overhead is minimized and its implementation is greatly simplified, because there is no need to run a complex resource-allocation scheduler: dedicating a CPU core guarantees that no other tasks run on that CPU. The advantage of this approach is guaranteed access to resources and predictable performance, which makes Jailhouse a suitable solution for building real-time workloads. The downside is that it is limited by the number of CPU cores.
In Jailhouse terminology, the virtual environments are called "cells" (as in a prison cell). Inside a cell, the system looks like a single-processor server showing performance
In the new release:
- Added support for the Raspberry Pi 4 Model B and Texas Instruments J721E-EVM platforms;
- Reworked the ivshmem device used to organize interaction between cells. A VIRTIO transport can be implemented on top of the new ivshmem;
- Implemented the ability to disable the creation of large memory pages (huge pages) to block the CVE-2018-12207 vulnerability in Intel processors, which allows an unprivileged attacker to trigger a denial of service that leaves the system hung in the "Machine Check Error" state;
- On systems with ARM64 processors, support for SMMUv3 (System Memory Management Unit) and TI PVU (Peripheral Virtualization Unit) is implemented. PCI support has been added for isolated environments running directly on hardware (bare metal);
- On x86 systems, root cells can enable the CR4.UMIP (User-Mode Instruction Prevention) mode provided by Intel processors, which prohibits the execution in user space of certain instructions, such as SGDT, SLDT, SIDT, SMSW and STR, that can be used in attacks aimed at escalating privileges on the system.
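
A host-side check for the two x86 items above, as an added example that is not part of the original article or of the Jailhouse code. It assumes a Linux host that reports the `umip` CPU flag in `/proc/cpuinfo` and the CVE-2018-12207 status in the kernel's `itlb_multihit` sysfs file; the function names and sample inputs are constructed for illustration.

```python
import re
from pathlib import Path

CPUINFO = Path("/proc/cpuinfo")
MULTIHIT = Path("/sys/devices/system/cpu/vulnerabilities/itlb_multihit")

def common_flags(cpuinfo_text):
    """Feature flags advertised by every logical CPU in /proc/cpuinfo text."""
    per_cpu = [set(m.group(1).split())
               for m in re.finditer(r"^flags\s*:(.*)$", cpuinfo_text, re.M)]
    return set.intersection(*per_cpu) if per_cpu else set()

def multihit_affected(status):
    """True/False from the kernel's itlb_multihit string, None if unknown.

    The "KVM: ..." strings describe KVM's own mitigation only, so for another
    hypervisor the useful fact is just whether the CPU is affected at all.
    """
    if status is None or not status.strip():
        return None
    return status.strip() != "Not affected"

def assess(cpuinfo_text, multihit_status):
    affected = multihit_affected(multihit_status)
    return {
        "umip_supported": "umip" in common_flags(cpuinfo_text),
        "cve_2018_12207_affected": affected,
        # Unknown is treated like affected: keep huge-page creation disabled.
        "disable_huge_pages": affected is not False,
    }

def read_or_none(path):
    """File contents, or None when the kernel does not expose the file."""
    try:
        return path.read_text()
    except OSError:
        return None

# Constructed sample inputs (not captured from a real machine).
SAMPLE_OLD = "processor\t: 0\nflags\t\t: fpu vme pse vmx ept\n"
SAMPLE_NEW = ("processor\t: 0\nflags\t\t: fpu vme pse vmx ept umip\n"
              "processor\t: 1\nflags\t\t: fpu vme pse vmx ept umip\n")

if __name__ == "__main__":
    print(assess(SAMPLE_OLD, "KVM: Vulnerable"))
    print(assess(SAMPLE_NEW, "Not affected"))
    print(assess(read_or_none(CPUINFO) or "", read_or_none(MULTIHIT)))
```
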
Source: opennet.ru