From: Alejandro Vallejo <alejandro.garciavallejo@amd.com>
To: Alejandro Vallejo <alejandro.garciavallejo@amd.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Xen-devel <xen-devel@lists.xenproject.org>
Cc: "Jan Beulich" <JBeulich@suse.com>,
"Roger Pau Monné" <roger.pau@citrix.com>,
Xen-devel <xen-devel-bounces@lists.xenproject.org>
Subject: Re: [PATCH] x86/hvm: Unilaterally inject #UD for unknown VMExits
Date: Mon, 1 Dec 2025 17:02:33 +0100 [thread overview]
Message-ID: <DEN090BAVOTH.2S8BW9I0HVMP8@amd.com> (raw)
In-Reply-To: <DEMYRBFJE6YM.1I0BH2BFD5H72@amd.com>
On Mon Dec 1, 2025 at 3:52 PM CET, Alejandro Vallejo wrote:
> On Fri Nov 28, 2025 at 6:47 PM CET, Andrew Cooper wrote:
>> While we do this for unknown user mode exits, crashing for supervisor mode
>> exits is unhelpful. Intel in particular expect the unknown case to be #UD
>> because they do introduce new instructions with new VMEXIT_* codes without
>> other enablement controls. e.g. MSRLIST, USER_MSR, MSR_IMM, but AMD have
>> RDPRU and SKINIT as examples too.
>
> I don't know how often Intel adds intercepts (or whatever the VMX equivalent is)
> without default-off knobs, but there's a potentially dangerous assumption here
> about all intercepts being synchronous with the executed instruction. Some might
> depend on other events (i.e: NMIs, IRQs, IPIs, etc) and injecting #UD in those
> cases would be very insecure for the guest. It might encourage the kernel to
> interpret the current instruction that the kernel can't know wasn't meant to
> ever trigger #UD. This would be an integrity-compromising mistake to make.
>
> IOW, I think this is a dangerous default to have and Xen should just crash the
> domain irrespective of CPL. At least on SVM. If a guest executes SKINIT and it
> doesn't exist
... and it doesn't exist, it's fine for a guest to crash. The domain crashing is
a Xen bug, but the bug triggering is a guest bug. And that's ok.
Sorry, those linnes got lost.
Cheers,
Alejandro
prev parent reply other threads:[~2025-12-01 16:03 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-28 17:47 [PATCH] x86/hvm: Unilaterally inject #UD for unknown VMExits Andrew Cooper
2025-12-01 9:02 ` Jan Beulich
2025-12-01 16:36 ` Andrew Cooper
2025-12-02 8:33 ` Jan Beulich
2025-12-02 13:16 ` Andrew Cooper
2025-12-01 14:52 ` Alejandro Vallejo
2025-12-01 16:02 ` Alejandro Vallejo [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DEN090BAVOTH.2S8BW9I0HVMP8@amd.com \
--to=alejandro.garciavallejo@amd.com \
--cc=JBeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=roger.pau@citrix.com \
--cc=xen-devel-bounces@lists.xenproject.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.