From: Don Slutz <dslutz@verizon.com>
To: Tim Deegan <tim@xen.org>, Don Slutz <dslutz@verizon.com>
Cc: Jun Nakajima <jun.nakajima@intel.com>,
	Kevin Tian <kevin.tian@intel.com>, Keir Fraser <keir@xen.org>,
	Ian Campbell <Ian.Campbell@citrix.com>,
	Stefano Stabellini <stefano.stabellini@eu.citrix.com>,
	George Dunlap <george.dunlap@eu.citrix.com>,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	Eddie Dong <eddie.dong@intel.com>,
	xen-devel@lists.xen.org,
	AravindGopalakrishnan <Aravind.Gopalakrishnan@amd.com>,
	Jan Beulich <JBeulich@suse.com>,
	Ian Jackson <ian.jackson@eu.citrix.com>,
	Boris Ostrovsky <boris.ostrovsky@oracle.com>,
	Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Subject: Re: [PATCH for-4.5 v6 00/16] Xen VMware tools support
Date: Thu, 02 Oct 2014 15:20:15 -0400
Message-ID: <542DA56F.8050400@terremark.com>
In-Reply-To: <20141002100507.GB43394@deinos.phlegethon.org>

On 10/02/14 06:05, Tim Deegan wrote:
> At 16:00 -0400 on 26 Sep (1411743641), Don Slutz wrote:
>> On 09/25/14 06:37, Tim Deegan wrote:
>>> At 17:18 +0100 on 22 Sep (1411402700), Jan Beulich wrote:
>>>>>>> On 22.09.14 at 17:38, <george.dunlap@eu.citrix.com> wrote:
>>>> That's indeed what was said so far. I wonder though whether opening
>>>> this up without guest OS consent isn't going to introduce a security
>>>> issue inside the guest (depending on the exact functionality of these
>>>> hypercalls).
>>> Yes indeed.  VMware seems to have CPL checks on some of the commands
>>> (but not all).  I guess Xen will be no worse than VMware if we do the
>>> same, though I'd like to have an official spec to follow for that.
>> Yes, VMware has CPL checks on some of the commands.  It is not at all
>> clear that the include file has the correct statement.  I have not done any
>> checking of CPL, nor does QEMU.
> That needs to be fixed somewhere.  If Xen/Qemu is going to provide
> this interface it _must_ copy the privilege checks, even if we don't
> understand why they're there -- in fact, _especially_ if we don't
> understand why they're there! :)
>
> If the third-party header file isn't a reliable source, you'll have to
> determine the correct behaviour by experiment.

I have done this.  Will be adding the check.

>> I could look into doing this, but with the xl.cfg flag vmware_port=0
>> turns this all off, I do not see any need for CPL checking.
> I strongly disagree with this.  If our implementation of this
> interface makes guest OSes less secure than they would be under actual
> VMware then the config option is irrelevant.

Ok.

    -Don Slutz

> Cheers,
>
> Tim.
