
Re: [CRITICAL for 4.18] Re: [PATCH v5 00/10] runstate/time area registration by (guest) physical address


  • To: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
  • From: Jan Beulich <jbeulich@xxxxxxxx>
  • Date: Mon, 16 Oct 2023 12:04:55 +0200
  • Cc: Tamas K Lengyel <tamas@xxxxxxxxxxxxx>, George Dunlap <george.dunlap@xxxxxxxxxx>, Wei Liu <wl@xxxxxxx>, Julien Grall <julien@xxxxxxx>, Stefano Stabellini <sstabellini@xxxxxxxxxx>, Roger Pau Monne <roger.pau@xxxxxxxxxx>, xen-devel@xxxxxxxxxxxxxxxxxxxx, henry.wang@xxxxxxx
  • Delivery-date: Mon, 16 Oct 2023 10:05:15 +0000
  • List-id: Xen developer discussion <xen-devel.lists.xenproject.org>

On 05.10.2023 20:58, Andrew Cooper wrote:
> I see this series has been committed.  But it's broken in a really
> fundamental way.
> 
> 
> This is a new extension with persistent side effects to an existing part
> of the guest ABI.
> 
> Yet there doesn't appear to be any enumeration that the interface is
> available to begin with.  Requiring the guest to probe subops, and
> having no way to disable it on a per-domain basis is unacceptable, and
> has exploded on us more times than I care to count in security fixes
> alone, and that doesn't even cover the issues Amazon have reported over
> the years.

This has never been a requirement. Plus you had ample time to raise such
a request.

> Henry: Blocker for 4.18.   The absolutely bare minimum necessary to
> avoid reversion is some kind of positive enumeration that the two new
> hypercalls are available.

I disagree; to me this is a nice-to-have, not a requirement.

> Otherwise I will be #if 0'ing out the new hypercalls before this ABI
> mistake gets set in stone.
> 
> 
> If this were x86-only it would need to be a CPUID flag, but it will need
> to be something arch-agnostic in this case.  The series should not have
> come without a proper per-domain control and toolstack integration, but
> everything else can be retrofitted in an emergency.

To be honest, had it been clear that you expect a per-domain control, I
probably would not have taken on this piece of work.

> And on a related note, where is the documentation describing this new
> feature?  Some tests perhaps, or any single implementation of the guest
> side interface?

Documentation is as for sibling interfaces - as much or as little as
we have in the public headers. I did test all of this with XTF, but I've
pretty much given up posting XTF patches, seeing how even XSA tests and
the like never made it anywhere.

Jan



 

