From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Vrabel Subject: Re: [PATCH] x86/hvm: Allow the guest to permit the use of userspace hypercalls Date: Mon, 11 Jan 2016 18:40:02 +0000 Message-ID: <5693F702.5040709@citrix.com> References: <1452520774-16794-1-git-send-email-andrew.cooper3@citrix.com> <5693CDE302000078000C5788@prv-mh.provo.novell.com> <5693E3BD.6070009@citrix.com> <5693F3B9.5060407@citrix.com> <5693F531.9000004@citrix.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <5693F531.9000004@citrix.com> List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Sender: xen-devel-bounces@lists.xen.org Errors-To: xen-devel-bounces@lists.xen.org To: Andrew Cooper , Jan Beulich Cc: StefanoStabellini , Ian Campbell , Xen-devel List-Id: xen-devel@lists.xenproject.org On 11/01/16 18:32, Andrew Cooper wrote: > On 11/01/16 18:26, David Vrabel wrote: >> On 11/01/16 17:17, Andrew Cooper wrote: >>> So from one point of view, sufficient justification for this change is >>> "because the Linux way isn't the only valid way to do this". >> "Because we can" isn't a good justification for adding something new. > > "Because I need this to sensibly regression test bits of the hypervisor" is. No. Tests should not require a magic mode -- they should test the existing ABIs guests actually use. >> Particularly something that is trivially easy to (accidentally) misuse >> and open a big security hole between userspace and kernel. > > This is no conceptual difference to incorrectly updating a pagetable, or > having wrong dpl checks in the IDT. Yes there is. This proposed ABI addition is impossible to use safely. > An OS which doesn't use the hypercall can't shoot itself. An OS which > does use it has plenty of other ways to accidentally compromise itself. This ABI allows /untrusted userspace/ to shoot the whole OS in the foot. It's quite different. David