
Overview

Why does QEMU need security?
Security matters in several QEMU use cases. For example, the virtualization use cases rely on hardware virtualization extensions to execute guest code safely on the physical CPU at close-to-native speed.

The following entities are untrusted, meaning that they may be buggy or malicious:

  • Guest
  • User-facing interfaces (e.g. VNC, SPICE, WebSocket)
  • Network protocols (e.g. NBD, live migration)
  • User-supplied files (e.g. disk images, kernels, device trees)
  • Passthrough devices (e.g. PCI, USB)

Bugs affecting these entities are evaluated on whether they can cause damage in real-world use cases and treated as security bugs if this is the case.


Standard Options

-boot [order=drives][,once=drives][,menu=on|off][,splash=sp_name][,splash-time=sp_time][,reboot-timeout=rb_timeout][,strict=on|off]

Specify boot order drives as a string of drive letters. Valid drive letters depend on the target architecture. The x86 PC uses: a, b (floppy 1 and 2), c (first hard disk), d (first CD-ROM), n-p (Etherboot from network adapter 1-4), hard disk boot is the default. To apply a particular boot order only on the first startup, specify it via once. Note that the order or once parameter should not be used together with the bootindex property of devices, since the firmware implementations normally do not support both at the same time.


USB Controller

A Universal Serial Bus (USB) host controller is an interface that allows an enabled piece of hardware to interact and communicate with a particular piece of software. The USB connection is an input and output port that comes standard with most computers and a variety of other digital equipment and allows data to be transmitted through a cable or any other form of direct connection. A USB host controller manages the communication between peripheral devices and the computer system. Most modern computers have hi-speed host controllers, and many older computers can have a host controller easily installed in an open slot on the motherboard.

There are several types of USB host controller interface that support different types of USB ports. The open host controller interface (OHCI) is the standard for most and even supports USB 1.1. The universal host controller interface (UHCI) from Intel® supports USB 1 in both fast and slow speeds. Other types of host controller interfaces include the enhanced host controller interface (EHCI) for USB 2.0, which is rated super-fast by publicly specified standards, and the newest host controller standard, called the extensible host controller interface (xHCI), for USB 3.0. The xHCI has been designed for improved speed, power, and efficiency over its predecessors.

usb in system


Serial/Parallel/Console

Serial Port vs Parallel Port

A serial port connects a serial device to the computer and transmits one bit at a time.

Serial ports are used for:

  • Mouse - One of the most commonly used devices for serial ports, usually used with computers with no PS/2 or USB ports and specialty mice.

A parallel port connects a parallel device to the computer and transmits 8 bits at a time.
Parallel ports are used for:

Today, the parallel port has largely been replaced by the USB port. However, below is a listing of various hardware components that were used with the parallel port.

  • Printer - The most common use for the parallel port.
  • Scanner - Another commonly used parallel device is a parallel port scanner. Parallel port scanners are a popular alternative to SCSI scanners because of how easy they are to install.

The main difference between a serial port and a parallel port is that a serial port transmits data one bit after another, while a parallel port transmits all 8 bits of a byte in parallel. Thus a parallel port transmits data much faster than a serial port.

The ports COM1 and COM2 on your computer are serial ports and the LPT1 port is a parallel port.

Common serial port (built-in motherboard/ISA serial) names are /dev/ttyS0, /dev/ttyS1, etc. Then around the year 2000 came the USB bus, with names like /dev/ttyUSB0 and /dev/ttyACM1 (for the ACM modem on the USB bus). Multiport serial cards use somewhat different names (depending on the brand), such as /dev/ttyE5.

# check how many serial ports a PC has
$ ls /dev/ttyS*
/dev/ttyS0 /dev/ttyS1 /dev/ttyS2 /dev/ttyS3

# if it's a USB serial port (USB-to-serial adapter), the device is named ttyUSB*, not USB*
$ ls /dev/ttyUSB*
/dev/ttyUSB0 /dev/ttyUSB1 /dev/ttyUSB2 /dev/ttyUSB3

# check parallel ports
$ ls /dev/lp*

Overview

Memory ballooning is a memory management feature used in most virtualization platforms which allows a host system to artificially enlarge its pool of memory by reclaiming unused memory previously allocated to various virtual machines.
This is achieved through a balloon driver installed in the guest operating system, which the hypervisor communicates with when it needs to reclaim memory through ballooning.

Through memory ballooning, a host server can reclaim unused memory from other less busy virtual machines and reassign it to ones that require it more. Theoretically, a server with 32GB of memory might be able to support a combined virtual machine memory capacity allocation of 64GB simply because all of those virtual machines will not be using the maximum amount of memory they have been assigned at the same time.


Introduction

For a performance issue, such as an RPC call that takes a long time, you want to know which function takes the most time without modifying the source code or restarting libvirt; you may also want to collect statistics about libvirt. Here I will share a way to meet this requirement. The core tool is SystemTap; you can also refer to the Linux SystemTap guide, which shows how to enable SystemTap and write probes. With SystemTap, you can insert code into a running application without restarting or rebuilding it.


Introduction

SystemTap provides the infrastructure to monitor the running Linux kernel and applications for detailed analysis. This can assist administrators and developers in identifying the underlying cause of a bug or performance problem. SystemTap is designed to eliminate the need to write, compile and load a kernel module yourself: you write a SystemTap script, and the SystemTap framework does everything else for you (using kprobes underneath).

In short, it adds hooks at events (function entry, function return, etc.) in a running application or kernel, and in those hooks prints or checks something.

How it works

  1. First, SystemTap checks the script against the existing tapset library (normally in /usr/share/systemtap/tapset/) for any tapsets used. SystemTap will then substitute any located tapsets with their corresponding definitions in the tapset library.
  2. SystemTap then translates the script to C, running the system C compiler to create a kernel module from it. The tool (stap) that performs this step is contained in the systemtap package.
  3. SystemTap loads the module, then enables all the probes (events and handlers) in the script. The staprun in the systemtap-runtime package provides this functionality.
  4. As the events occur, their corresponding handlers are executed.
  5. Once the SystemTap session is terminated, the probes are disabled, and the kernel module is unloaded.
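As an added example of the workflow above applied to the libvirt case described earlier (not a script from the original post), the following SystemTap script times calls to one user-space function in a running libvirtd without restarting it. The binary path /usr/sbin/libvirtd and the function name virDomainCreate are assumptions for illustration; replace them with the process and function you are measuring, and note that return probes require the function not to be inlined.

```systemtap
# Added example: measure per-call latency of a user-space function in libvirtd.
# Assumed path and function name; adjust to the real target.
global start, total, count

# On entry, remember the start time for this thread
probe process("/usr/sbin/libvirtd").function("virDomainCreate").call {
    start[tid()] = gettimeofday_us()
}

# On return, accumulate elapsed time and call count per function
probe process("/usr/sbin/libvirtd").function("virDomainCreate").return {
    if (tid() in start) {
        elapsed = gettimeofday_us() - start[tid()]
        total[probefunc()] += elapsed
        count[probefunc()] += 1
        delete start[tid()]
    }
}

# Every 10 seconds, report average latency; averages are only meaningful once count > 0
probe timer.s(10) {
    foreach (fn in count) {
        printf("%s: %d calls, avg %d us\n", fn, count[fn], total[fn] / count[fn])
    }
}

# On exit (Ctrl-C), print a final summary
probe end {
    foreach (fn in count) {
        printf("final %s: %d calls, total %d us\n", fn, count[fn], total[fn])
    }
}
```

Run it with `stap -v libvirt-latency.stp` as a user allowed to load SystemTap modules (root, or a member of the stapdev group); the -v flag shows the five passes (tapset resolution, C translation, compilation, module load, run) described in the list above.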


Overview

Why is an initial ram disk needed?
Many Linux distributions ship a single, generic Linux kernel image, one that the distribution's developers create specifically to boot on a wide variety of hardware. The device drivers for this generic kernel image are included as loadable kernel modules, because statically compiling many drivers into one kernel makes the kernel image much larger and in some cases causes boot-time crashes or other problems due to probing for nonexistent or conflicting hardware. The statically compiled kernel approach also leaves modules in kernel memory which are no longer used or needed, and raises the problem of detecting and loading the modules necessary to mount the root file system at boot time, or, for that matter, deducing where or what the root file system is.

To avoid having to hardcode handling for so many special cases into the kernel, an initial boot stage with a temporary root file system (a ram disk holding a temporary root fs) is used. This temporary root file system can contain user-space helpers which do the hardware detection, module loading and device discovery necessary to get the real root file system mounted.

The initial ramdisk loads a temporary root file system into memory, to be used as part of the Linux startup process. initrd and initramfs refer to two different methods of achieving this. Both are commonly used to make preparations before the real root file system can be mounted; if no real root file system is provided, the in-memory initial ramdisk is used as the root file system.

The bootloader will load the kernel and initial root file system image into memory and then start the kernel, passing in the memory address of the image. At the end of its boot sequence, the kernel tries to determine the format of the image from its first few blocks of data, which can lead either to the initrd or initramfs scheme.


Overview

This article covers qemu-kvm without libvirt: how to start a VM by running qemu-kvm directly, and related topics.
