From mboxrd@z Thu Jan  1 00:00:00 1970
From: Andrew Cooper <andrew.cooper3@citrix.com>
Subject: Re: [PATCH] x86/hvm: Allow the guest to permit the use
 of userspace hypercalls
Date: Mon, 11 Jan 2016 18:50:05 +0000
Message-ID: <5693F95D.4090800@citrix.com>
References: <1452520774-16794-1-git-send-email-andrew.cooper3@citrix.com>
	<5693CDE302000078000C5788@prv-mh.provo.novell.com>
	<5693E3BD.6070009@citrix.com> <5693F3B9.5060407@citrix.com>
	<5693F531.9000004@citrix.com> <5693F702.5040709@citrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Return-path: <xen-devel-bounces@lists.xen.org>
In-Reply-To: <5693F702.5040709@citrix.com>
List-Unsubscribe: <http://lists.xen.org/cgi-bin/mailman/options/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=unsubscribe>
List-Post: <mailto:xen-devel@lists.xen.org>
List-Help: <mailto:xen-devel-request@lists.xen.org?subject=help>
List-Subscribe: <http://lists.xen.org/cgi-bin/mailman/listinfo/xen-devel>,
	<mailto:xen-devel-request@lists.xen.org?subject=subscribe>
Sender: xen-devel-bounces@lists.xen.org
Errors-To: xen-devel-bounces@lists.xen.org
To: David Vrabel <david.vrabel@citrix.com>, Jan Beulich <JBeulich@suse.com>
Cc: StefanoStabellini <stefano.stabellini@citrix.com>, Ian Campbell <ian.campbell@citrix.com>, Xen-devel <xen-devel@lists.xen.org>
List-Id: xen-devel@lists.xenproject.org

On 11/01/16 18:40, David Vrabel wrote:
> On 11/01/16 18:32, Andrew Cooper wrote:
>> On 11/01/16 18:26, David Vrabel wrote:
>>> On 11/01/16 17:17, Andrew Cooper wrote:
>>>> So from one point of view, sufficient justification for this change is
>>>> "because the Linux way isn't the only valid way to do this".
>>> "Because we can" isn't a good justification for adding something new.
>> "Because I need this to sensibly regression test bits of the hypervisor"=
 is.
> No.  Tests should not require a magic mode -- they should test the
> existing ABIs guests actually use.

It isn't a magic mode.

>
>>> Particularly something that is trivially easy to (accidentally) misuse
>>> and open a big security hole between userspace and kernel.
>> This is no conceptual difference to incorrectly updating a pagetable, or
>> having wrong dpl checks in the IDT.
> Yes there is.  This proposed ABI addition is impossible to use safely.

It is perfectly possible to use safely.  "Safe" is a matter of
perspective, and depends on the usecase.  My entire argument here is
that "The Linux way" isn=92t the only way, and it is wrong of Xen to
enforce "the Linux way" as the only way.

>
>> An OS which doesn't use the hypercall can't shoot itself.  An OS which
>> does use it has plenty of other ways to accidentally compromise itself.
> This ABI allows /untrusted userspace/ to shoot the whole OS in the foot.
>  It's quite different.

Only if the OS chooses to permit this.  If an OS doesn't want itself to
be shot, it doesn't use this hypercall and everything works as before.

~Andrew