[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v2] x86/hvm: Allow the guest to permit the use of userspace hypercalls



On 11/01/16 17:11, Konrad Rzeszutek Wilk wrote:
> On Mon, Jan 11, 2016 at 04:51:19PM +0000, Andrew Cooper wrote:
>> Currently, hypercalls issued from HVM userspace will unconditionally fail 
>> with
>> -EPERM.
>>
>> This is inflexible, and a guest may wish to allow userspace to make
>> hypercalls.
>>
>> Introduce HVMOP_set_hypercall_dpl which allows the guest to alter the
>> permissions check for hypercalls.  It behaves exactly like the dpl field for
>> GDT/LDT/IDT entries.
>
> Could you explain a bit of the use-case?

My specific usecase,
http://xenbits.xen.org/gitweb/?p=people/andrewcoop/xen-test-framework.git;a=shortlog;h=refs/heads/wip-traps-v0.1

It isn't quite ready for formal release yet.

> As in why the ioctl via the kernel is no good?

Who says Linux is running?

Hopefully answered in
http://lists.xenproject.org/archives/html/xen-devel/2016-01/msg01155.html

>
>> As the dpl is initialised to 0, hypercalls are restricted to cpl0 code until
>> the OS explicitly chooses an alternative.
> <scratchis his head> So we enable to make hypercalls but then we don't allow
> it unless it is in ring 0?

Correct.  Hypercalls are by default limited to cpl0 (i.e. the existing
behaviour), but guests can use this new hypercall to change the
permission check.

Naturally, you have to be sufficiently privileged to make this hypercall
in the first place, so only the kernel may opt to relax the check.

~Andrew

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.