
Re: HVM/PVH Balloon crash


  • To: Elliott Mitchell <ehem+xen@xxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Thu, 7 Oct 2021 09:20:45 +0200
  • Authentication-results: lists.xenproject.org; dkim=none (message not signed) header.d=none;lists.xenproject.org; dmarc=none action=none header.from=suse.com;
  • Cc: xen-devel@xxxxxxxxxxxxxxxxxxxx
  • Delivery-date: Thu, 07 Oct 2021 07:20:51 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 02.10.2021 04:35, Elliott Mitchell wrote:
> On Thu, Sep 30, 2021 at 09:08:34AM +0200, Jan Beulich wrote:
>> On 29.09.2021 17:31, Elliott Mitchell wrote:
>>>
>>> Copy and paste from the xl.cfg man page:
>>>
>>>        nestedhvm=BOOLEAN
>>>            Enable or disables guest access to hardware virtualisation
>>>            features, e.g. it allows a guest Operating System to also function
>>>            as a hypervisor. You may want this option if you want to run
>>>            another hypervisor (including another copy of Xen) within a Xen
>>>            guest or to support a guest Operating System which uses hardware
>>>            virtualisation extensions (e.g. Windows XP compatibility mode on
>>>            more modern Windows OS).  This option is disabled by default.
>>>
>>> "This option is disabled by default." doesn't mean "this is an
>>> experimental feature with no security support and is likely to crash the
>>> hypervisor".
>>
>> Correct, but this isn't the only place to look at. Quoting
>> SUPPORT.md:
> 
> You expect everyone to memorize SUPPORT.md (almost 1000 lines) before
> trying to use Xen?

I don't see why you say "memorize". When the file was introduced, it was
(aiui) indeed the intention for _it_ to become the main reference. Feel
free to propose alternatives.

> Your statement amounts to saying you really expect that.  People who want
> to get work done will look at `man xl.cfg` when needed, and follow
> instructions.
> 
> Mentioning something in `man xl.cfg` amounts to a statement "this is
> supported".  Experimental/unsupported options need to be marked
> "EXPERIMENTAL: DO NOT ENABLE IN PRODUCTION ENVIRONMENTS".
> 
> 
>> Yet that's still a configuration error (of the guest), not a bug in
>> Xen.
> 
> Documentation that poor amounts to a security vulnerability.

I disagree.

> I would suggest this needs 2 extra enablers.
> 
> First, this has potential to panic the hypervisor.  As such there needs
> to be an "enable_experimental=" option for the Xen command-line.  The
> argument would be a list of features to enable ("nestedhvm" for this
> case).  If this is absent, the hypervisor should ideally disable as much
> of the code related to the unsupported/experimental features as possible.
> 
> Second, since this needs to be enabled per-domain, there should be a
> similar "enable_experimental" setting for xl.cfg options.
> 
> 
> 
> I think this really is bad enough to warrant a security vulnerability
> and updates to all branches.

As above, I don't think I agree. But please feel free to propose patches.

What I'm personally more curious about is whether the patch I did send
you actually made a difference.

Jan
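
Added example, not part of the original message or of the Xen code base: a small audit that reports guest configuration text which leaves `nestedhvm` enabled, the option this thread discusses as lacking security support. The helper names, the sample config and the BOOLEAN parsing rule are assumptions made for the illustration.

```python
import re

# Options treated as experimental for this audit. Only nestedhvm comes from the
# thread above; extend the set from SUPPORT.md for the Xen version in use.
EXPERIMENTAL_OPTIONS = {"nestedhvm"}
# xl.cfg assignments have the form `key = value`; '#' starts a comment.
ASSIGN_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*(.*?)\s*$")

def strip_comment(line):
    """Drop a trailing '#' comment, ignoring '#' inside quoted strings."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line

def is_enabled(value):
    """Assumption: a BOOLEAN is a number, 0 is false and anything else is true.
    Values that are not plain numbers count as enabled so that a human looks."""
    v = value.strip("'\"").strip()
    try:
        return int(v, 0) != 0
    except ValueError:
        return True

def audit_xl_cfg(text):
    """Return [(option, line_no, raw_value)] for experimental options left enabled.
    Assumption: a later assignment to the same key overrides an earlier one."""
    last = {}
    for no, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_RE.match(strip_comment(line))
        if m and m.group(1) in EXPERIMENTAL_OPTIONS:
            last[m.group(1)] = (no, m.group(2))
    return [(k, no, v) for k, (no, v) in sorted(last.items()) if is_enabled(v)]

# Constructed sample guest config, not taken from the thread.
SAMPLE_CFG = """\
name = "guest1"
type = "hvm"
memory = 2048
# nestedhvm = 0
nestedhvm = 1   # wanted for a nested hypervisor test
"""
```

Calling `audit_xl_cfg(SAMPLE_CFG)` reports the assignment on line 5; an empty list means no listed option is enabled in that file.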
