From: "Jan Beulich" <JBeulich@suse.com>
To: Adrian Pop <apop@bitdefender.com>
Cc: Tamas K Lengyel <tamas@tklengyel.com>,
Wei Liu <wei.liu2@citrix.com>,
Razvan Cojocaru <rcojocaru@bitdefender.com>,
George Dunlap <george.dunlap@eu.citrix.com>,
Andrew Cooper <andrew.cooper3@citrix.com>,
Ian Jackson <ian.jackson@eu.citrix.com>,
xen-devel@lists.xenproject.org
Subject: Re: [PATCH 2/3] x86/altp2m: Add a hvmop for setting the suppress #VE bit
Date: Tue, 06 Jun 2017 07:08:43 -0600 [thread overview]
Message-ID: <5936C57B020000780015FD22@prv-mh.provo.novell.com> (raw)
In-Reply-To: <20170606130059.GA12361@hel>
>>> On 06.06.17 at 15:00, <apop@bitdefender.com> wrote:
> On Mon, May 29, 2017 at 08:38:33AM -0600, Jan Beulich wrote:
>> >>> On 18.05.17 at 17:07, <apop@bitdefender.com> wrote:
>> > +
>> > + if ( !cpu_has_vmx )
>> > + return -EOPNOTSUPP;
>>
>> Is this enough? Wouldn't it be better to signal the caller whenever
>> hardware (or even software) isn't going to honor the request?
>
> Well, the caller checks the return value. The libxc function
> xc_altp2m_set_suppress_ve for instance will return a negative in this
> case.
The question wasn't what the caller does but whether checking just
cpu_has_vmx is enough. What if you're running on a machine with
VMX but no #VE support?
>> And then there are two general questions: Without a libxc layer
>> function, how is one supposed to use this new sub-op? Is it
>> really intended to permit a guest to call this for itself?
>
> Well, the sub-op could be used from a Linux kernel module if libxc is
> not available if struct xen_hvm_altp2m_op and struct
> xen_hvm_altp2m_set_suppress_ve are defined.
>
> Our use case, though, involves either Dom0 or a "privileged" DomU
> altering the suppress #VE bit for the target guest.
This doesn't really answer the question: What are the security
implications if a guest can invoke this on itself?
(FTR I think my first question was kind of pointless, as patch 3
looks like it does introduce a libxc function; I simply didn't realize
that back then, because I'd generally have expected the
consumer of the hypercall to be introduce together with the
producer.)
Jan
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel
next prev parent reply other threads:[~2017-06-06 13:08 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-18 15:07 [PATCH 0/3] x86: Add a hvmop for setting the #VE suppress bit Adrian Pop
2017-05-18 15:07 ` [PATCH 1/3] x86/mm: Change default value for suppress #VE in set_mem_access() Adrian Pop
2017-05-18 15:07 ` [PATCH 2/3] x86/altp2m: Add a hvmop for setting the suppress #VE bit Adrian Pop
2017-05-18 17:27 ` Tamas K Lengyel
2017-05-23 12:03 ` Adrian Pop
2017-05-29 14:38 ` Jan Beulich
2017-06-06 13:00 ` Adrian Pop
2017-06-06 13:08 ` Jan Beulich [this message]
2017-06-08 13:49 ` Adrian Pop
2017-06-08 14:08 ` Jan Beulich
2017-06-09 14:18 ` Adrian Pop
2017-05-18 15:07 ` [PATCH 3/3] libxc: Add support for the altp2m suppress #VE hvmop Adrian Pop
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5936C57B020000780015FD22@prv-mh.provo.novell.com \
--to=jbeulich@suse.com \
--cc=andrew.cooper3@citrix.com \
--cc=apop@bitdefender.com \
--cc=george.dunlap@eu.citrix.com \
--cc=ian.jackson@eu.citrix.com \
--cc=rcojocaru@bitdefender.com \
--cc=tamas@tklengyel.com \
--cc=wei.liu2@citrix.com \
--cc=xen-devel@lists.xenproject.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).