From: Jan Beulich <jbeulich@suse.com>
To: Elliott Mitchell <ehem+xen@m5p.com>
Cc: xen-devel@lists.xenproject.org
Subject: Re: HVM/PVH Balloon crash
Date: Thu, 7 Oct 2021 09:20:45 +0200
Message-ID: <4cb11d0c-8149-d248-583b-abd8fc103c1d@suse.com>
In-Reply-To: <YVfFZKRIPTYi/9bH@mattapan.m5p.com>

On 02.10.2021 04:35, Elliott Mitchell wrote:
> On Thu, Sep 30, 2021 at 09:08:34AM +0200, Jan Beulich wrote:
>> On 29.09.2021 17:31, Elliott Mitchell wrote:
>>>
>>> Copy and paste from the xl.cfg man page:
>>>
>>>        nestedhvm=BOOLEAN
>>>            Enable or disables guest access to hardware virtualisation
>>>            features, e.g. it allows a guest Operating System to also function
>>>            as a hypervisor. You may want this option if you want to run
>>>            another hypervisor (including another copy of Xen) within a Xen
>>>            guest or to support a guest Operating System which uses hardware
>>>            virtualisation extensions (e.g. Windows XP compatibility mode on
>>>            more modern Windows OS).  This option is disabled by default.
>>>
>>> "This option is disabled by default." doesn't mean "this is an
>>> experimental feature with no security support and is likely to crash the
>>> hypervisor".
>>
>> Correct, but this isn't the only place to look at. Quoting
>> SUPPORT.md:
> 
> You expect everyone to memorize SUPPORT.md (almost 1000 lines) before
> trying to use Xen?

I don't see why you say "memorize". When the file was introduced, it was
(aiui) indeed the intention for _it_ to become the main reference. Feel
free to propose alternatives.

> Your statement amounts to saying you really expect that.  People who want
> to get work done will look at `man xl.cfg` when needed, and follow
> instructions.
> 
> Mentioning something in `man xl.cfg` amounts to a statement "this is
> supported".  Experimental/unsupported options need to be marked
> "EXPERIMENTAL: DO NOT ENABLE IN PRODUCTION ENVIRONMENTS".
> 
> 
>> Yet that's still a configuration error (of the guest), not a bug in
>> Xen.
> 
> Documentation that poor amounts to a security vulnerability.

I disagree.

> I would suggest this needs 2 extra enablers.
> 
> First, this has potential to panic the hypervisor.  As such there needs
> to be an "enable_experimental=" option for the Xen command-line.  The
> argument would be a list of features to enable ("nestedhvm" for this
> case).  If this is absent, the hypervisor should ideally disable as much
> of the code related to the unsupported/experimental features as possible.
> 
> Second, since this needs to be enabled per-domain, there should be a
> similar "enable_experimental" setting for xl.cfg options.
> 
> 
> 
> I think this really is bad enough to warrant a security vulnerability
> and updates to all branches.

As above, I don't think I agree. But please feel free to propose patches.

What I'm personally more curious about is whether the patch I did send
you actually made a difference.

Jan


