From: Andrew Cooper <andrew.cooper3@citrix.com>
To: Roger Pau Monne <roger.pau@citrix.com>,
xen-devel@lists.xenproject.org, henry.wang@arm.com
Cc: Tamas K Lengyel <tamas@tklengyel.com>,
Jan Beulich <jbeulich@suse.com>,
George Dunlap <george.dunlap@citrix.com>, Wei Liu <wl@xen.org>,
Julien Grall <julien@xen.org>,
Stefano Stabellini <sstabellini@kernel.org>
Subject: [CRITICAL for 4.18] Re: [PATCH v5 00/10] runstate/time area registration by (guest) physical address
Date: Thu, 5 Oct 2023 19:58:50 +0100 [thread overview]
Message-ID: <ff8994eb-968d-4bbb-a960-e5ca78ef658e@citrix.com> (raw)
In-Reply-To: <20231002151127.71020-1-roger.pau@citrix.com>
I see this series has been committed. But it's broken in a really
fundamental way.
This is a new extension with persistent side effects to an existing part
of the guest ABI.
Yet there doesn't appear to be any enumeration that the interface is
available to begin with. Requiring the guest to probe subops, and
having no way to disable it on a per-domain basis is unacceptable, and
has exploded on us more times than I care to count in security fixes
alone, and that doesn't even cover the issues Amazon have reported over
the years.
Henry: Blocker for 4.18. The absolutely bare minimum necessary to
avoid reversion is some kind of positive enumeration that the two new
hypercalls are available.
Otherwise I will be #if 0'ing out the new hypercalls before this ABI
mistake gets set in stone.
If this were x86-only it would need to be a CPUID flag, but it will need
to be something arch-agnostic in this case. The series should not have
come without a proper per-domain control and toolstack integration, but
everything else can be retrofitted in an emergency.
And on a related note, where is the documentation describing this new
feature? Some tests perhaps, or any single implementation of the guest
side interface?
This is engineering principles so basic that they do go without saying.
~Andrew
next prev parent reply other threads:[~2023-10-05 18:59 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-02 15:11 [PATCH v5 00/10] runstate/time area registration by (guest) physical address Roger Pau Monne
2023-10-02 15:11 ` [PATCH v5 01/10] mem_sharing/fork: do not attempt to populate vcpu_info page Roger Pau Monne
[not found] ` <CABfawhm2XMmfyx7vZvGdLZcot3=Mrrx3T5nS3vUR+Ur9j5mkWg@mail.gmail.com>
2023-10-03 7:15 ` Roger Pau Monné
2023-10-05 12:10 ` Julien Grall
2023-10-05 12:42 ` George Dunlap
2023-10-05 12:47 ` Julien Grall
[not found] ` <CABfawhmyP_y38002v=v1G2p66ZamhGKrj=0Jm1H_-c_j9VQG8Q@mail.gmail.com>
2023-10-05 12:42 ` Roger Pau Monné
2023-10-05 13:15 ` Tamas K Lengyel
2023-10-02 15:11 ` [PATCH v5 02/10] x86/shim: zap runstate and time area handles during shutdown Roger Pau Monne
2023-10-02 15:11 ` [PATCH v5 03/10] domain: GADDR based shared guest area registration alternative - teardown Roger Pau Monne
2023-10-02 15:11 ` [PATCH v5 04/10] domain: update GADDR based runstate guest area Roger Pau Monne
2023-10-02 15:11 ` [PATCH v5 05/10] x86: update GADDR based secondary time area Roger Pau Monne
2023-10-02 15:11 ` [PATCH v5 06/10] x86/mem-sharing: copy GADDR based shared guest areas Roger Pau Monne
[not found] ` <CABfawhnHg3KrGP-hp4_Q8GvSf2nVSVSyK24HKqAGuWp_AtD8-A@mail.gmail.com>
2023-10-03 14:29 ` Roger Pau Monné
2023-10-03 15:07 ` Julien Grall
2023-10-03 20:25 ` Tamas K Lengyel
2023-10-04 8:20 ` Roger Pau Monné
2023-10-04 11:01 ` Julien Grall
2023-10-04 13:00 ` Roger Pau Monné
2023-10-04 13:06 ` Julien Grall
2023-10-04 13:53 ` [PATCH v6 " Roger Pau Monne
2023-10-04 21:36 ` Tamas K Lengyel
2023-10-16 9:55 ` Jan Beulich
2023-10-16 10:59 ` Roger Pau Monné
2023-10-02 15:11 ` [PATCH v5 07/10] domain: map/unmap " Roger Pau Monne
2023-10-02 16:40 ` Julien Grall
2023-10-02 15:11 ` [PATCH v5 08/10] domain: introduce GADDR based runstate area registration alternative Roger Pau Monne
2023-10-02 16:43 ` Julien Grall
2023-10-02 15:11 ` [PATCH v5 09/10] x86: introduce GADDR based secondary time " Roger Pau Monne
2023-10-02 16:44 ` Julien Grall
2023-10-02 15:11 ` [PATCH v5 10/10] common: convert vCPU info area registration Roger Pau Monne
2023-10-04 17:15 ` Julien Grall
2023-10-05 1:27 ` [PATCH v5 00/10] runstate/time area registration by (guest) physical address Henry Wang
2023-10-05 13:12 ` Julien Grall
2023-10-05 18:58 ` Andrew Cooper [this message]
2023-10-05 22:40 ` [CRITICAL for 4.18] " Julien Grall
2023-10-05 22:43 ` Julien Grall
2023-10-06 8:00 ` Roger Pau Monné
2023-10-06 8:22 ` Roger Pau Monné
2023-10-06 10:21 ` Andrew Cooper
2023-10-16 10:04 ` Jan Beulich
2023-10-16 10:07 ` Jan Beulich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ff8994eb-968d-4bbb-a960-e5ca78ef658e@citrix.com \
--to=andrew.cooper3@citrix.com \
--cc=george.dunlap@citrix.com \
--cc=henry.wang@arm.com \
--cc=jbeulich@suse.com \
--cc=julien@xen.org \
--cc=roger.pau@citrix.com \
--cc=sstabellini@kernel.org \
--cc=tamas@tklengyel.com \
--cc=wl@xen.org \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.