[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH v3 2/2] xsm: hide detailed Xen version from unprivileged guests



On 22.01.2020 13:05, Julien Grall wrote:
> Hi George,
> 
> On 22/01/2020 10:57, George Dunlap wrote:
>> On 1/22/20 10:14 AM, Julien Grall wrote:
>>>
>>>
>>> On 22/01/2020 10:01, Sergey Dyasli wrote:
>>>> On 20/01/2020 10:01, Jan Beulich wrote:
>>>>> On 17.01.2020 17:44, Sergey Dyasli wrote:
>>>>>> v2 --> v3:
>>>>>> - Remove hvmloader filtering
>>>>>
>>>>> Why? Seeing the prior discussion, how about adding XENVER_denied to
>>>>> return the "denied" string, allowing components which want to filter
>>>>> to know exactly what to look for? And then re-add the filtering you
>>>>> had? (The help text of the config option should then perhaps be
>>>>> extended to make very clear that the chosen string should not match
>>>>> anything that could potentially be returned by any of the XENVER_
>>>>> sub-ops.)
>>>>
>>>> I had the following reasoning:
>>>>
>>>> 1. Most real-world users would set CONFIG_XSM_DENIED_STRING="" anyway.
>>>>
>>>> 2. Filtering in DMI tables is not a complete solution, since denied
>>>> string leaks elsewhere through the hypercall (PV guests, sysfs, driver
>>>> logs) as Andrew has pointed out in the previous discussion.
>>>>
>>>> On the other hand, SMBios filtering slightly improves the situation for
>>>> HVM domains, so I can return it if maintainers find it worthy.
>>>
>>> While I am not a maintainer of this code, my concern is you impose the
>>> conversion from "denied" to "" to all the users (include those who wants
>>> to keep "denied").
>>>
>>> If you were doing any filtering in hvmloader, then it would be best if
>>> this is configurable. But this is a bit pointless if you already allow
>>> the user to configure the string at the hypervisor level :).
>>
>> So there are two things we're concerned about:
>> - Some people don't want to scare users with a "<denied>" string
>> - Some people don't want to "silently fail" with a "" string
>>
>> The fact is, in *both cases*, this is a UI problem.  EVERY caller of
>> this interface should figure out independently what a graceful way of
>> handling failure is for their target UI.  Any caller who does not think
>> carefully about what to do in the failure case is buggy -- which
>> includes every single caller today.  The CONFIG_XSM_DENIED_STRING is a
>> gross hack fallback for buggy UIs.
> 
> I agree that the two cases you explained are UI problems. However, I can 
> see other use for the Kconfig option (with some tweaks).
> 
> At AWS, consistency accross two stable versions is very important. So 
> most of the version strings exposed to the guest are fixed. Therefore a 
> guest can be migrated seemlessly between two different versions without 
> seen any change that may break it.

A guest aware of being run on a hypervisor would also be aware
that it may be migrated, and hence that the version of the
underlying hypervisor may change (if it cares about versions
in the first place). A guest unaware of being run on a
hypervisor wouldn't care about version and alike strings at all.
Nevertheless I'm sure you play this game for a (real world)
reason, e.g. people making wrong assumptions. But is this
something you really think the upstream hypervisor should be
made care about?

Jan

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.