PV-in-PVH shim
==============

Summary
-------

This README describes one of two mitigation strategies for Meltdown.

The basic principle is to run PV guests (which can read all of host
memory due to the hardware bugs) as PVH guests (which cannot, at least
not due to Meltdown).  The PV environment is still provided to the
guest by an embedded copy of Xen, the "shim".  This version of the
shim is codenamed "Comet".

Unlike Vixen, Comet requires modifications to the toolstack and host
hypervisor.

Note that both of these shim-based approaches prevent attacks on the
host, but leave the guest vulnerable to Meltdown attacks by its own
unprivileged processes; this is true even if the guest OS has KPTI or
similar Meltdown mitigation.

At the moment, only 4.10 is available.  We hope to have 4.8 and 4.9 in
the coming few days.

What you will need
------------------

 * You will need the xen.git with the following tags:
  - For 4.10: 4.10.0-shim-comet-1

Build instructions: 4.10
------------------------

1. Build a 4.10+ system
    git clone git://xenbits.xenproject.org/xen.git xen.git
    cd xen.git
    git checkout 4.10.0-shim-comet-1.1

Do a build and install as normal.  The shim will be built as part of the
normal build process and placed with the other 'system' binaries, where
the toolstack knows how to find it.

Usage instructions
------------------

* Converting a PV config to a PVH shim config

- Remove any reference to 'builder' (e.g., `builder="generic"`)
- Add the following two lines:
  type="pvh"
  pvshim=1

* Converting a PV config to a PVH config

If you have a kernel capable of booting PVH, then PVH mode is both
faster and more secure than PV or PVH-shim mode.

- Remove any reference to 'builder' (e.g., `builder="generic"`)
- Add the following line:
  type="pvh"
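The two conversions above (PVH-shim and plain PVH), as an added Python example that is not part of the original README or of the Xen toolstack: it applies the listed steps to a constructed PV xl config, refuses a config that already declares a non-PV `type`, and leaves commented-out lines alone. The sample config, its kernel path and the helper names are assumptions.

```python
import re

# Constructed sample PV xl config (not from the README); paths are placeholders.
SAMPLE_PV_CFG = """\
name = "pvguest"
builder = "generic"          # PV domain
kernel = "/path/to/vmlinuz"  # placeholder
memory = 512
vcpus = 2
disk = [ "phy:/dev/vg/guest,xvda,w" ]
"""

def _key_re(key):
    # Matches '<key> = <value>' at the start of a line, ignoring a trailing comment.
    return re.compile(r'^\s*' + key + r'\s*=\s*(.*?)\s*(#.*)?$')

BUILDER_RE, TYPE_RE, PVSHIM_RE = (_key_re(k) for k in ("builder", "type", "pvshim"))

def convert_pv_config(text, shim=True):
    """Apply the README's conversion to a PV xl config: drop every
    'builder' line and append type="pvh", plus pvshim=1 for the Comet shim.
    Refuses configs that already declare a non-PV type (hvm or pvh)."""
    kept = []
    for line in text.splitlines():
        m = TYPE_RE.match(line)
        if m:
            if m.group(1).strip('"\'') != "pv":
                raise ValueError("not a PV config: %s" % line.strip())
            continue                      # explicit type="pv" is replaced below
        if BUILDER_RE.match(line) or PVSHIM_RE.match(line):
            continue                      # removed; authoritative lines appended below
        kept.append(line)                 # commented-out lines are left untouched
    kept.append('type="pvh"')
    if shim:
        kept.append("pvshim=1")
    return "\n".join(kept) + "\n"

def uses_shim(text):
    """True when the config runs the guest inside the embedded shim."""
    for line in text.splitlines():
        m = PVSHIM_RE.match(line)
        if m and m.group(1).strip() == "1":
            return True
    return False

if __name__ == "__main__":
    print(convert_pv_config(SAMPLE_PV_CFG))              # shim config
    print(convert_pv_config(SAMPLE_PV_CFG, shim=False))  # plain PVH config
```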
