
Re: [Xen-devel] [PATCH] x86/hvm: Allow the guest to permit the use of userspace hypercalls

On 11/01/16 18:32, Andrew Cooper wrote:
> On 11/01/16 18:26, David Vrabel wrote:
>> On 11/01/16 17:17, Andrew Cooper wrote:
>>> So from one point of view, sufficient justification for this change is
>>> "because the Linux way isn't the only valid way to do this".
>> "Because we can" isn't a good justification for adding something new.
> "Because I need this to sensibly regression test bits of the hypervisor" is.

No.  Tests should not require a magic mode -- they should test the
existing ABIs guests actually use.

>> Particularly something that is trivially easy to (accidentally) misuse
>> and open a big security hole between userspace and kernel.
> This is no conceptual difference to incorrectly updating a pagetable, or
> having wrong dpl checks in the IDT.

Yes there is.  This proposed ABI addition is impossible to use safely.

> An OS which doesn't use the hypercall can't shoot itself.  An OS which
> does use it has plenty of other ways to accidentally compromise itself.

This ABI allows /untrusted userspace/ to shoot the whole OS in the foot.
It's quite different.
