Re: [PATCH 5/6] tools/libxl: Allow dom0 to be destroyed

[Daniel De Graaf <dgdegra@tycho.nsa.gov>]

On 03/10/2014 12:45 PM, Ian Jackson wrote:
> Daniel De Graaf writes ("Re: [PATCH 5/6] tools/libxl: Allow dom0 to be destroyed"):
>> In reply to both this and Jan's earlier email:
>>> So this gets deleted without replacement? How is the hardware
>>> domain being protected from (accidental or malicious) deletion
>>> then? Even if this is being dealt with in the hypervisor, I'd be
>>> afraid of the failure resulting in a cryptic error message instead
>>> of the very clear one above.
>>
>> The existing check seems to be a useful guard against accidentally
>> breaking parts of a running system.  Would requiring a -f flag on the
>> destroy operation to work on domain 0 be preferable?
>
> That would be tolerable if we can't find a better way to tell whether
> it's safe or not.
>
> I guess you don't want dom0 to be able to destroy itself - or do you ?
> Perhaps the right answer is to require -f for a domain to destroy
> itself.
>
> ian.

A domain can't destroy itself anyway (the hypervisor prevents this), so
if there was a simple way for xl to check if the domain ID was its own
ID, this would work.  I am not aware of a good, simple way to make this
check, so leaving it at preventing dom0's destruction will at least not
regress in usability.

-- 
Daniel De Graaf
National Security Agency