Re: [Xen-devel] Ping#2: Re: [PATCH 2/2] x86: don't allow clearing of TF_kernel_mode for other than 64-bit PV
>>> On 04.12.17 at 16:11, <andrew.cooper3@xxxxxxxxxx> wrote:
> On 04/12/17 10:15, Jan Beulich wrote:
>>>>> On 03.07.17 at 16:56, wrote:
>>>>>> On 31.05.17 at 13:54, wrote:
>>>>>>> On 31.05.17 at 13:08, <andrew.cooper3@xxxxxxxxxx> wrote:
>>>>> On 31/05/17 08:15, Jan Beulich wrote:
>>>>>> The flag is really only meant for those, both HVM and 32-bit PV tell
>>>>>> kernel from user mode based on CPL/RPL. Remove the all-question-marks
>>>>>> comment and let's be on the safe side here and also suppress clearing
>>>>>> for 32-bit PV (this isn't a fast path after all).
>>>>>>
>>>>>> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>
>>>>> Wouldn't it just be safer to disallow starting a 64bit PV guest in user
>>>>> mode?
>>>>>
>>>>> No real kernel would do such a thing, and keeping the corner case around
>>>>> is bad from an attack-surface point of view.
>>>> If it really was "starting a guest", I would probably agree. But we're
>>>> talking about starting a vCPU, and I could see uses for this (not the
>>>> least in XTF). After all the operation allows for enough state to be
>>>> set up such that further initialization inside the guest may not be
>>>> necessary.
>>> Any opinion here, or change of opinion on the original patch?
>> I'd really like to get this off my list.
>
> My opinion is unchanged. This isn't a useful piece of functionality,
> and it definitely doesn't warrant the attack surface it brings.

Very strange - you therefore prefer the current, even more permissive code
over the one the patch switches to just because you think it should be even
more tight (which I gave reasons why I disagree with, and which then you
would also be free to submit a patch to further adjust, with suitable
justification)?

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
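The thread turns on one distinction: HVM and 32-bit PV vCPUs tell kernel mode from user mode by the CPL/RPL in CS, whereas a 64-bit PV guest runs kernel and user in the same ring and relies on the hypervisor-private TF_kernel_mode flag. The model below is an added example, not Xen's code and not the patch itself; it contrasts the three behaviours discussed (the pre-patch code that honours a clear for any vCPU kind, the patch that only honours it for 64-bit PV, and the stricter alternative of refusing to start a 64-bit PV vCPU in user mode). Every name in it (`enum vcpu_kind`, `struct vcpu_ctx`, `TF_KERNEL_MODE`, `enum policy`, `guest_in_kernel_mode`, `set_initial_mode`) and the selector values are assumptions made for illustration; the "anything below ring 3 is kernel" rule is a simplification, not a statement about Xen's actual privilege layout.

```c
/* Added example, not Xen's code: a constructed model of the kernel/user
 * mode decision described in the thread. All identifiers and constants
 * below are assumptions for illustration only. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum vcpu_kind { VCPU_HVM, VCPU_PV32, VCPU_PV64 };

/* Stand-in for the hypervisor-private TF_kernel_mode bit (assumed value). */
#define TF_KERNEL_MODE 0x1u

struct vcpu_ctx {
    enum vcpu_kind kind;
    uint16_t cs;        /* code segment selector; bits 0-1 are the RPL */
    uint32_t flags;     /* hypervisor-private per-vCPU flags */
};

/* The three policies the thread compares. */
enum policy {
    POLICY_CURRENT, /* pre-patch: a clear request is honoured for any kind   */
    POLICY_PATCH,   /* the patch: clearing only honoured for 64-bit PV        */
    POLICY_STRICT   /* alternative raised in the thread: refuse user-mode     */
                    /* start for 64-bit PV altogether                          */
};

/* HVM and 32-bit PV derive the mode from CS; 64-bit PV cannot, because
 * kernel and user both run in ring 3, so only the flag can tell. */
static bool guest_in_kernel_mode(const struct vcpu_ctx *v)
{
    if (v->kind == VCPU_PV64)
        return (v->flags & TF_KERNEL_MODE) != 0;
    /* Simplification (assumed): any RPL below 3 counts as kernel. */
    return (v->cs & 3) != 3;
}

/* Apply a "start this vCPU in user mode?" request from an initial
 * context under the chosen policy. Returns 0 on success, -1 if refused. */
static int set_initial_mode(struct vcpu_ctx *v, bool want_user, enum policy p)
{
    if (v->kind != VCPU_PV64) {
        /* The flag is meaningless here; only the old code lets it be cleared. */
        if (p == POLICY_CURRENT && want_user)
            v->flags &= ~TF_KERNEL_MODE;
        else
            v->flags |= TF_KERNEL_MODE;
        return 0;
    }
    if (want_user) {
        if (p == POLICY_STRICT)
            return -1;          /* refuse the corner case outright */
        v->flags &= ~TF_KERNEL_MODE;
    } else {
        v->flags |= TF_KERNEL_MODE;
    }
    return 0;
}

int main(void)
{
    /* Constructed contexts: a ring-1 selector for PV32, ring-3 for PV64. */
    struct vcpu_ctx pv32 = { VCPU_PV32, 0x0019, 0 };
    struct vcpu_ctx pv64 = { VCPU_PV64, 0x0033, 0 };

    set_initial_mode(&pv32, true, POLICY_PATCH);
    printf("pv32 under patch: flag=%u kernel=%d\n",
           pv32.flags & TF_KERNEL_MODE, guest_in_kernel_mode(&pv32));

    set_initial_mode(&pv64, true, POLICY_PATCH);
    printf("pv64 user start under patch: kernel=%d\n",
           guest_in_kernel_mode(&pv64));
    printf("pv64 user start under strict: rc=%d\n",
           set_initial_mode(&pv64, true, POLICY_STRICT));
    return 0;
}
```

The point the model makes concrete is that for HVM and 32-bit PV the outcome of `guest_in_kernel_mode` never depends on the flag, so nothing is lost by refusing to clear it there, while for 64-bit PV the patch and the stricter proposal differ only in whether a user-mode initial state is accepted or rejected.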