From mboxrd@z Thu Jan 1 00:00:00 1970
From: Andrew Cooper
Subject: Re: [PATCH] x86/hvm: Allow the guest to permit the use of userspace hypercalls
Date: Mon, 11 Jan 2016 17:17:49 +0000
Message-ID: <5693E3BD.6070009@citrix.com>
References: <1452520774-16794-1-git-send-email-andrew.cooper3@citrix.com> <5693CDE302000078000C5788@prv-mh.provo.novell.com>
In-Reply-To: <5693CDE302000078000C5788@prv-mh.provo.novell.com>
To: Jan Beulich
Cc: Stefano Stabellini, Ian Campbell, Xen-devel
List-Id: xen-devel@lists.xenproject.org

On 11/01/16 14:44, Jan Beulich wrote:
>>>> On 11.01.16 at 14:59, wrote:
>> Currently, hypercalls issued from HVM userspace will unconditionally fail
>> with -EPERM.
>>
>> This is inflexible, and a guest may wish to allow userspace to make
>> hypercalls.
> I thought previous discussion had made clear that routing these
> through ioctls or alike is the right approach, and hence the patch
> isn't needed. The more that an all-or-nothing approach seems
> pretty bold.

All other issues fixed in v2, but to answer this one specifically.

It is inappropriate for Xen to presume that all guests want Linux-like
handling of situations like this. It is simply not true.

As part of getting my test framework ready to publish, I attempted to
port my XSA-106 unit tests to PV guests. I have shelved that work as I
don't have sufficient time to fix PV trap handling in Xen at this present
time, but do plan to fix them in due course.

The bugs I have identified so far are:

* "INT n" handling assumes the instruction was 2 bytes long
* In some circumstances, Xen crashes the domain rather than injecting
  #NP[sel]
* In most circumstances, Xen delivers #GP[sel] where #NP[sel] would be
  correct
* Not possible to have non-dpl3 descriptors for #BP and #OF
* Not possible to mark an existing descriptor as not-present

All of these bugs exist because Xen PV was co-developed against Linux
without considerations towards a clean API/ABI. It also means that any
PV guest wanting to have a non-Linux setup won't function in expected ways.

So from one point of view, sufficient justification for this change is
"because the Linux way isn't the only valid way to do this".

~Andrew