publication croisée depuis : https://lemmy.world/post/16156662
To be completely open, this is not a question about XCP-ng vs Proxmox. I’m open to doing everything in the cli, comparing two platforms is not my intention here.
I’m very interested in the security benefits one has over the other though. AFAIK Xen has a dedicated for security? I’d like to think that both are reasonably secure by default, but I do not get many hits for “KVM hardening”, for example, only OS-level hardening advice.
Do both protect equally against attacks that try to escape the VM? Is there anything in terms of security that one has and the other doesn’t?
I know this is not the usual kind of question that is asked on this sub, any help is greatly appreciated!
The biggest problem for paranoid virtualisation is that you need to disable the cores on those host, or other VMs will still be able to access memory if your CPU is affected by the next speculative execution bug. That goes for both KVM and Xen, as the problem lies within the hardware.
You’d lose half your threads. It’s not an exact 50% performance loss, but it’d definitely have a sizable impact.
Personally, I trust my CPU enough to work well as long as I install all the firmware updates and kernel patches, but speculative execution bugs have proven so common that I doubt they’ve all been discovered. If you’re afraid of getting exploited by bugs like these, disabling SMT seems to be the only effective preventative measure you can take (and even then there are potential security threads!)
Is there an estimate of the loss in performance that I’m looking at, at full load?